CloudFlared (CloudFlare Zero Trust) with Docker and iptables - linux

I am making a CloudFlare Zero Trust connection with cloudflared on a Debian 11 Linux server.
Everything is working when the firewall is disabled.
When a user goes to xx.yyy.com they are redirected to log in with CloudFlare Access, then (when access is granted) the user can see the login option of Portainer.
Portainer is in the docker container, and Portainer ports are on loopback interface.
"127.0.0.2:8000->8000/tcp"
"127.0.0.2:9443->9443/tcp"
I have a problem when I turn on the iptables firewall with the INPUT, FORWARD and OUTPUT rules set to DROP, even if I have:
iptables -A INPUT -i lo -j ACCEPT
The error is:
error="Unable to reach the origin service."
Of course, common iptables rules are used and CloudFlare IP addresses (and zero trust addresses) are white-listed.
Could anybody help me, please? :D
Have a wonderful day!
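An added example for the setup described in this question (not the asker's rule set): with a DROP policy on OUTPUT, `-A INPUT -i lo -j ACCEPT` only covers the inbound half of a loopback connection, so a host process such as cloudflared cannot even open the connection to 127.0.0.2:9443. The script prints a minimal rule set that accepts loopback in both directions and lets docker-proxy relay the connection into the container over the bridge, and includes a check that can be run over `iptables-save` output. The bridge name `docker0` and the placement of the Cloudflare allow-list are assumptions.

```shell
#!/bin/sh
# Added example, not the question's rule set. Assumption: cloudflared runs on the
# host and Portainer is a Docker container published on 127.0.0.2 as in the
# question, so cloudflared connects to 127.0.0.2:9443 and docker-proxy relays
# that connection into the container over the docker0 bridge.
DOCKER_IF="${DOCKER_IF:-docker0}"   # assumed bridge name; check with: ip link show

# Print the rules; they are applied only when APPLY=1 is set and we are root.
host_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback in both directions; the OUTPUT rule is the one usually missing
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections the host opened (cloudflared's outbound tunnel)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# host <-> container over the bridge, so docker-proxy can reach Portainer
iptables -A OUTPUT -o $DOCKER_IF -j ACCEPT
iptables -A INPUT -i $DOCKER_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# append the OUTPUT allow-list for the Cloudflare edge ranges here
EOF
}

# Audit helper: read iptables-save output on stdin and succeed only when
# loopback is accepted in both INPUT and OUTPUT.
loopback_ok() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -Eq '^-A INPUT +-i lo +-j ACCEPT' &&
    printf '%s\n' "$rules" | grep -Eq '^-A OUTPUT +-o lo +-j ACCEPT'
}

# Constructed sample matching the question: INPUT accepts lo, OUTPUT does not.
SAMPLE_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

host_rules
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    host_rules | grep -v '^#' | sh
fi
```

Run `iptables-save | sh -c '. ./rules.sh; loopback_ok'` style checks on a live host before and after the change; the sample above reproduces the failing state without touching the firewall.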

Related

run bump in the wire scenario in kubernetes pod

We are trying to implement something like a bump-in-the-wire scenario with the kubernetes pod running as the bump.
So basically we have traffic for a particular destination; we intercept the traffic in a kubernetes pod and throw it again towards the destination.
To run this scenario we started off with a squid proxy which would redirect the outgoing traffic to the kubernetes pod (bump), and once inside the pod we would run an iptables rule to redirect the processed packets again to the destination IP.
The iptables rule used: iptables -t nat -A PREROUTING -p tcp --dport 3124 -j DNAT --to-destination 1.1.1.1
However this iptables rule does not work (also I need the returning traffic to be redirected to the original destination, i.e. after getting processed in the pod).
So say the destination is 172.172.172.172 (some IP outside the cluster); squid has been set up to redirect this destination traffic to a service which has node port enabled (hence the new destination is minionip:nodeport). When the traffic reaches the pod, after processing the data, the outgoing traffic has to be set to the original destination (172.172.172.172) instead of going back.
I can't seem to find a way. Is there any iptables rule to do so, taking into consideration the kubernetes setup iptables rules?
Also, is there any other elegant way to do so?
Please help.

How to block the connection to an IP which is created in docker container on host

There is a docker container running in bridge network mode. Inside the container, it creates a connection to, say, 10.123.123.1:6666. I'd like to block this connection on host through IPTABLES, something like sudo iptables -I OUTPUT -p tcp -d 10.123.123.1 -j DROP, but it doesn't work. Could anyone help me on this please?
I can't even see this connection on host by command netstat -an, but I can see it inside the container.
I don't have to use IPTABLES, but I can't change the configuration of the docker running.
These packets are going through INPUT & OUTPUT chains in the container's network namespace, and not in the host's network namespace.
All your host network namespace does is forward these packets so you need to alter the FORWARD chain with a rule similar to iptables -I FORWARD -p tcp -d 10.123.123.1 -j DROP. Bear in mind that Docker alters iptables rules which may punch holes in the firewall.
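An added example following the answer above (not the answerer's code): Docker re-inserts its own FORWARD rules whenever the daemon starts, so a rule added with `-I FORWARD` can end up behind them after a restart. Docker jumps from FORWARD into the DOCKER-USER chain before any of its own rules, which makes that chain the stable place for the DROP rule; the script prints such a rule for the IP and port in the question and includes a check over `iptables-save` output. The exact chain layout in the sample is constructed from what a Docker host normally prints.

```shell
#!/bin/sh
# Added example, not part of the answer above. The destination and port come
# from the question; DOCKER-USER is the chain Docker reserves for user rules.
BLOCK_DST="${BLOCK_DST:-10.123.123.1}"
BLOCK_PORT="${BLOCK_PORT:-6666}"

# Print the rule; it is applied only when APPLY=1 is set and we are root.
egress_block_rule() {
    printf 'iptables -I DOCKER-USER -p tcp -d %s --dport %s -j DROP\n' \
        "$BLOCK_DST" "$BLOCK_PORT"
}

# Audit helper: read iptables-save output on stdin and succeed only when
# FORWARD jumps to DOCKER-USER and the DROP for the destination sits there
# (a DROP placed directly in FORWARD does not satisfy the check).
egress_block_present() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -Eq '^-A FORWARD +-j DOCKER-USER' &&
    printf '%s\n' "$rules" |
        grep -Eq "^-A DOCKER-USER .*-d $BLOCK_DST(/32)? .*--dport $BLOCK_PORT .*-j DROP"
}

# Constructed sample of what iptables-save prints once the rule is in place.
SAMPLE_OK='*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -d 10.123.123.1/32 -p tcp -m tcp --dport 6666 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

egress_block_rule
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    egress_block_rule | sh
fi
```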

traffic between linux access point clients

I configured an access point with hostapd and dnsmasq with this tutorial:
access point on linux tutorial
It works for me. NAT works but I would also like to have communication between clients. Client hosts don't see each other.
How can I enable communication between clients?
Solved. I had to add an iptables rule:
iptables -A FORWARD -s network_address/mask -j ACCEPT

Accessing Tuleap project via vps ip address instead of tuleap.example.com

I have purchased a VPS (CentOS 6) and I installed Tuleap in it. After I installed the web application as per the guidelines given here: http://tuleap-documentation.readthedocs.org/en/latest/installation-guide/full-installation.html
it says that the project can be accessed using http://tuleap.example.com
But I didn't set up a domain name yet for my VPS IP address. I know that some changes need to be made to either of the following, but I am not aware of the modifications. Please guide me so that I can access it using just the IP address alone.
/etc/httpd/conf/httpd.conf
/etc/codendi/conf/local.inc
Thanks in advance!
Try to open your port on the firewall.
If you are using CentOS 6:
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo service iptables save
This link might help you:
http://ask.xmodulo.com/open-port-firewall-centos-rhel.html
You should just have to put your IP address instead of a domain name wherever it is required in the two files you indicated. Then service httpd restart and it should be working.

Cannot connect to google compute engine virtual machine by vnc

I have created a Debian wheezy virtual machine in Google Compute Engine but I am unable to connect to it with VNC.
Here is what I have done:
Installed GNOME and then rebooted the VM
Installed tightvncserver and started it
I have tried to connect using the static IP that I've attached to the VM but I'm getting the error: "the connection was refused by the host computer".
I thought the firewall was the issue so I disabled iptables using the following commands:
$ sudo iptables-save > /root/firewall.rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
and I have created rules in the Google firewall to allow ports 0-65535 for TCP and UDP, but it still does not work.
Does anyone know how to do it?
Thanks in advance
By default, all incoming traffic from outside a network is blocked and no packet is allowed into an instance without an appropriate firewall rule. To allow incoming network traffic, you need to set up firewall rules to permit these connections:
start the VNC service
look at the VNC server settings or netstat -nap to find out the listening port of the VNC server
under Google Developer console -> Compute Engine -> Networks -> default -> Firewall rules
create a new rule and open the appropriate ports for incoming VNC connections.
VNC uses port 5901 by default. In the 'VNC server' field, specify the IP address and the port 5901.
Example: VNC Server: 123.123.123.123:5901
Encryption: let VNC Server choose
Be aware that the free edition of VNC doesn't support encryption; it only encrypts your user name and password. One thing also to configure is the /etc/sysconfig/vncservers file, where you have to specify the user and the port that the VNC server should listen on, and make sure it's not commented out.
Example:
VNCSERVERS="1:USERNAME"
VNCSERVERARGS[1]="-geometry 800x600 -listen tcp -5901"
