Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
For example.
Let's say we have the following Linux server:
host-server: 54.215.128.59
This server will only accept connections from the following IP: 159.65.32.123
If a hacker only knows this information.
Could he trick the host-server into believing the connection is coming from 159.65.32.123?
This way he would be getting past any firewall that has been established.
It isn't very likely. Nothing is stopping you from setting your own IP address to whatever you want. In Linux you can do it with (assuming your network interface is eth0):
sudo ifconfig eth0 159.65.32.123/24
If you are behind a NAT then you'll have to change its address and not yours. However, ISPs should have anti-spoofing measures in place that block packets with an IP address they didn't assign you.
There is also the problem of the return path. When the server wants to send something to this address, the packet will be routed according to the routing rules of all the nodes along the way, which are unlikely to point to the hacker's ISP.
If you are on a LAN with the server then it should be more possible, though you will likely need to handle the collision of IP addresses and the problem of spoofing IP addresses on a different subnet. One option is to use ARP poisoning and do a MitM between the server and the router.
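The following simulation is an added illustration of the points made in the answer above; it is not code from the original question or answer. It models the three-way handshake against an IP-allowlisted server and shows why a forged source address alone fails: the ISP's ingress filter drops the packet, or, without filtering, the SYN-ACK is routed to the real owner of 159.65.32.123 and the attacker never learns the server's initial sequence number. The on-path case (ARP poisoning on the same LAN) is modelled too. The server and allowed-client addresses come from the question; the attacker address, the ISP prefix, the sequence numbers and the TCP model itself are constructed assumptions.

```python
"""Why a blindly spoofed source address does not get past an IP allowlist.

Added simulation, not code from the original question or answer. The server
(54.215.128.59) and allowed client (159.65.32.123) are the addresses from the
question; the attacker address, the ISP prefix and the sequence numbers are
constructed for this model. Nothing here touches a real network.
"""
import ipaddress
import secrets

SERVER_IP = "54.215.128.59"
ALLOWED_CLIENT_IP = "159.65.32.123"
ATTACKER_IP = "203.0.113.7"              # constructed (TEST-NET-3 range)
ATTACKER_ISP_PREFIX = "203.0.113.0/24"   # constructed: prefix the attacker's ISP assigned

# Who owns each address, i.e. where the network delivers packets sent to it.
ADDRESS_OWNERS = {SERVER_IP: "server", ALLOWED_CLIENT_IP: "real_client",
                  ATTACKER_IP: "attacker"}


def isp_ingress_filter(packet, assigned_prefix):
    """BCP 38 style check at the attacker's ISP edge: forward a customer's packet
    only if its source address belongs to the prefix that customer was assigned."""
    return ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(assigned_prefix)


class Server:
    """Minimal TCP listener that only talks to the allowlisted peer."""

    def __init__(self):
        self.half_open = {}        # peer address -> ISN we picked for the SYN-ACK

    def receive(self, packet):
        if packet["src"] != ALLOWED_CLIENT_IP:
            return "dropped_by_server_allowlist"
        if packet["flags"] == "SYN":
            isn = secrets.randbits(32)          # unpredictable initial sequence number
            self.half_open[packet["src"]] = isn
            return {"src": SERVER_IP, "dst": packet["src"], "flags": "SYN-ACK",
                    "seq": isn, "ack": packet["seq"] + 1}
        if packet["flags"] == "ACK":
            isn = self.half_open.get(packet["src"])
            if isn is not None and packet["ack"] == (isn + 1) % 2**32:
                return "ESTABLISHED"
            return {"src": SERVER_IP, "dst": packet["src"], "flags": "RST"}
        return None


def deliver(packet):
    """The network hands a packet to the owner of its destination address,
    never to whoever forged the source address."""
    return ADDRESS_OWNERS.get(packet["dst"], "unrouted")


def attempt_direct_connection():
    """Attacker connects from its real address: rejected by the allowlist."""
    syn = {"src": ATTACKER_IP, "dst": SERVER_IP, "flags": "SYN", "seq": 1000}
    return Server().receive(syn)


def attempt_spoofed_connection(isp_filters_spoofed_sources, attacker_on_path=False):
    """Attacker forges a SYN from 159.65.32.123 and tries to complete the handshake."""
    server = Server()
    syn = {"src": ALLOWED_CLIENT_IP, "dst": SERVER_IP, "flags": "SYN", "seq": 1000}

    if isp_filters_spoofed_sources and not isp_ingress_filter(syn, ATTACKER_ISP_PREFIX):
        return "dropped_by_isp_ingress_filter"

    syn_ack = server.receive(syn)        # passes the allowlist: the source looks right
    if attacker_on_path:
        # LAN case from the answer: ARP poisoning puts the attacker between the server
        # and the router, so it observes the SYN-ACK and can answer with the right ACK.
        ack = {"src": ALLOWED_CLIENT_IP, "dst": SERVER_IP, "flags": "ACK",
               "seq": 1001, "ack": (syn_ack["seq"] + 1) % 2**32}
        if server.receive(ack) == "ESTABLISHED":
            return "established_via_on_path_interception"
        return "handshake_failed"

    # Off-path case: the reply is routed to the real owner of 159.65.32.123, so the
    # attacker never learns the server's ISN and can only guess the ACK number.
    assert deliver(syn_ack) == "real_client"
    guessed_ack = {"src": ALLOWED_CLIENT_IP, "dst": SERVER_IP, "flags": "ACK",
                   "seq": 1001, "ack": secrets.randbits(32)}   # 2**-32 chance per try
    if server.receive(guessed_ack) == "ESTABLISHED":
        return "established_by_lucky_guess"
    return "handshake_failed_syn_ack_went_to_real_owner"
```

The model deliberately leaves out the one thing a real attacker would try to exploit, a predictable ISN: with a random 32-bit ISN the off-path guess succeeds once in about four billion attempts, which is why the return-path problem, not the ability to forge a source address, is what protects the allowlist.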
Closed 6 years ago.
I have an OpenVPN server running on my Linux box and it's working fine. The server has a lot of IP addresses but it only uses one for all the clients (of course).
Is it possible to use multiple IP addresses (public) on the same server?
If you post this question on ServerFault, this post will get more eyeballs.
OpenVPN can listen on multiple IP addresses. The directive local sets the IP address(es) it listens on. Here is an excerpt from the OpenVPN man page.
--local host
Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
Watch out if you have multiple public IP addresses on multiple interfaces. You may have to resort to some sort of port forwarding. Probably you should make OpenVPN listen on a single interface, preferably a local interface, and port forward traffic coming from the various public IPs to this interface.
Closed 5 years ago.
I am struggling with a problem, probably because there is simply not enough information on the web regarding the specifics of what I am trying to set up.
I have bought an OpenVPN service using tun (routing).
I connect to the OpenVPN server through a Raspberry Pi (serving as my router), which has two interfaces: eth0 for handling the Internet connection and wlan0 for my internal LAN.
My goal is to set up the firewall in such a way that I can filter incoming traffic on the tun interface and still be able to reach the web from the LAN behind wlan0. Also, everything should go via the VPN.
From the architectural point of view I think it should look like this:
INPUT, FORWARD - dropped,
OUTPUT - allowed,
eth0 allows only packets to and from the default OpenVPN service port,
tun adapter should have all INPUT-related policies applied and should be NAT-ted.
What do you think, is this correct? I have so far managed to ping the web from the Raspberry Pi over SSH, but no DNS yet. Do I understand correctly that I should run my own DNS forwarder? The DHCP server is set up on the Raspberry Pi.
Thanks!
I have already solved the issue. For those who are interested: incoming packets from the LAN are processed by the OpenVPN client (tun/tap), then passed over the Internet-facing interface. So it was a matter of setting up correct forwarding between the interfaces. /etc/resolv.conf just had to be overwritten with public DNS servers (like Google's) to solve the ping-related problem.
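As an added example (not part of the original question or the self-answer), here is one iptables rule set that implements the architecture sketched in the question: INPUT and FORWARD default to DROP, OUTPUT is allowed, eth0 carries only the OpenVPN session, and LAN traffic is forwarded to the tunnel and NATed. The rules are built as argv lists so they can be reviewed or dry-run without root, and a small check confirms the property the question asks for ("everything should go via VPN"): there is no FORWARD path from wlan0 to eth0, so LAN traffic cannot leak around the tunnel if tun0 goes down. Interface names follow the question; the OpenVPN port and protocol (1194/udp) and the LAN services opened on wlan0 (DHCP, DNS, SSH) are assumptions.

```python
"""iptables rule set for a Raspberry Pi routing a LAN (wlan0) through an OpenVPN
tunnel (tun0) that is reached over eth0.

Added example, not from the original post. Interface names come from the question;
the OpenVPN port/protocol and the LAN-side services are assumptions. Rules are
returned as argv lists so they can be inspected before being applied as root.
"""
import shlex
import subprocess

LAN, WAN, TUN = "wlan0", "eth0", "tun0"   # interface names from the question
VPN_PORT, VPN_PROTO = "1194", "udp"       # assumed: OpenVPN default port/protocol


def build_rules(lan=LAN, wan=WAN, tun=TUN, vpn_port=VPN_PORT, vpn_proto=VPN_PROTO):
    """Return the sysctl/iptables commands (argv lists) implementing the policy."""
    def ipt(*args):
        return ["iptables", *args]

    est = ("-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED")
    return [
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        ipt("-F"), ipt("-t", "nat", "-F"),
        # Default policies as in the question: INPUT and FORWARD drop, OUTPUT allowed.
        ipt("-P", "INPUT", "DROP"),
        ipt("-P", "FORWARD", "DROP"),
        ipt("-P", "OUTPUT", "ACCEPT"),
        # INPUT: loopback, replies to the Pi's own connections, and LAN-side services
        # (DHCP, DNS forwarder, SSH) on wlan0. Nothing is opened on tun0, so inbound
        # traffic arriving through the tunnel is filtered by the DROP policy.
        ipt("-A", "INPUT", "-i", "lo", "-j", "ACCEPT"),
        ipt("-A", "INPUT", *est, "-j", "ACCEPT"),
        ipt("-A", "INPUT", "-i", lan, "-p", "udp", "--dport", "67", "-j", "ACCEPT"),
        ipt("-A", "INPUT", "-i", lan, "-p", "udp", "--dport", "53", "-j", "ACCEPT"),
        ipt("-A", "INPUT", "-i", lan, "-p", "tcp", "--dport", "53", "-j", "ACCEPT"),
        ipt("-A", "INPUT", "-i", lan, "-p", "tcp", "--dport", "22", "-j", "ACCEPT"),
        # FORWARD: LAN -> tunnel only, plus return traffic. There is deliberately no
        # wlan0 -> eth0 rule, so LAN traffic cannot bypass the VPN when tun0 is down.
        ipt("-A", "FORWARD", "-i", lan, "-o", tun, "-j", "ACCEPT"),
        ipt("-A", "FORWARD", "-i", tun, "-o", lan, *est, "-j", "ACCEPT"),
        # OUTPUT on eth0: only the OpenVPN session and DHCP for eth0 itself. Anything
        # else the Pi sends (including its own DNS lookups) must leave via tun0.
        ipt("-A", "OUTPUT", "-o", wan, "-p", vpn_proto, "--dport", vpn_port, "-j", "ACCEPT"),
        ipt("-A", "OUTPUT", "-o", wan, "-p", "udp", "--dport", "67", "-j", "ACCEPT"),
        ipt("-A", "OUTPUT", "-o", wan, *est, "-j", "ACCEPT"),
        ipt("-A", "OUTPUT", "-o", wan, "-j", "DROP"),
        # NAT: LAN clients share the tunnel's address.
        ipt("-t", "nat", "-A", "POSTROUTING", "-o", tun, "-j", "MASQUERADE"),
    ]


def lan_can_bypass_tunnel(rules, lan=LAN, wan=WAN):
    """True if the FORWARD policy or any FORWARD rule lets LAN traffic exit via the WAN."""
    for r in rules:
        if r[:1] != ["iptables"] or "-t" in r:
            continue
        if r[1:3] == ["-P", "FORWARD"] and r[3] == "ACCEPT":
            return True
        if "FORWARD" in r and "-i" in r and "-o" in r:
            if (r[r.index("-i") + 1] == lan and r[r.index("-o") + 1] == wan
                    and r[-1] == "ACCEPT"):
                return True
    return False


def render(rules):
    """Shell-ready text for review, or for pasting into a script run as root."""
    return "\n".join(shlex.join(r) for r in rules)


def apply_rules(rules, run=subprocess.run):
    """Apply the rules (needs root). `run` is injectable so this can be dry-run."""
    for r in rules:
        run(r, check=True)
```

Usage: `print(render(build_rules()))` to review the rule set, then `apply_rules(build_rules())` as root. The OUTPUT rules on eth0 are stricter than "OUTPUT allowed" in the question, and that is the point: with them in place a tunnel outage makes the Pi's own DNS and web traffic fail closed instead of leaking out over eth0.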
Closed 7 years ago.
I am trying to set up OpenVPN on a server so that I have 2 different tap interfaces (tap0 and tap1) and then a bridge connecting those interfaces. The idea is that a client on tap0 will be able to talk to a client on tap1 and vice versa.
There is no physical NIC involved in the bridge and the bridge interface is set up with no IP/netmask/broadcast.
I am able to ping between the 2 when they are both connected however I see no traffic when trying to tcpdump the bridge interface.
I am a bit confused on some things:
Do I need to have an IP configured on the bridge interface at all? I don't quite see the reason for it, as all it will do is make two virtual interfaces talk to each other.
Is the fact that the bridge interface does not have an assigned IP/netmask/broadcast the reason I am not able to see the ping traffic on the bridge interface when tcpdumping that interface?
If the answer to number 2 is yes, I assume that it is also not possible to use iptables to block/allow traffic on that interface, correct? If so, is there any other way to accomplish what one would do with iptables on an interface like that?
I guess this wasn't the proper place to put this question but I thought I'd put an update anyway to close the issue.
Turns out that you do not need an assigned IP address on the bridge and it is possible to tcpdump. I happened to be working in containers, which made the traffic go outside the VPN when pinging.
Closed 8 years ago.
I would like to know how to make my Linux server accessible to anyone around the world. I currently can access it via 192.168.1.22 locally on my network. I would like it to be accessible through an IP or a domain name.
If you want all ports to be accessible then you can make the box a DMZ on your router and set a static IP, then you are done. If you want it to be accessible through SSH, which is what I am going to assume, then you need to set a static IP for the box, forward the internal IP address and port in your router, and then optionally set up DDNS settings if available. At that point you will be able to access the box from any public network. If you need help let me know.
Either get a static IP address from your Internet Service Provider, or use Dynamic DNS to map a domain name to a dynamic IP address.
One well known Dynamic DNS provider is NoIP
http://www.noip.com/free/
In any case, you probably have a NAT "firewall" that blocks all incoming traffic, so you'll need to configure the firewall to allow through the ports that you want to serve. Typical Linksys / Netgear NAT firewalls / Wi-Fi routers allow you to port forward to a single private IP address.
Finally, you should make sure your ISP allows running a server. Though most of them don't mind, because the upload speed is throttled by design, you still want to check the terms of service.
Closed 8 years ago.
I work with embedded Linux systems that sometimes want to get their IP address from a DHCP server. The DHCP client we use (dhcpcd) has limited retry logic. If our device starts up without any DHCP server available and times out, dhcpcd will exit and the device will never get an IP address until it's rebooted with a DHCP server visible/connected. I can't be the only one who has this problem. The problem doesn't even seem to be specific to embedded systems (though it's worse there). How do you handle this? Is there a more robust client available?
The reference dhclient from the ISC should run forever in the default configuration, and it should acquire a lease later if it doesn't get one at startup.
I am using the out of the box dhcp client on FreeBSD, which is derived from OpenBSD's and based on the ISC's dhclient, and this is the out of the box behavior.
See http://www.isc.org/index.pl?/sw/dhcp/
You have several options:
While you don't have an IP address, restart dhcpcd to get more retries.
Have a backup static IP address. This was quite successful in the embedded devices I've made.
Use auto-IP as a backup. Windows does this.
Add to rc.local a check to see if an IP has been obtained. If not, set up an 'at' job in the near future to attempt again. Continue scheduling 'at' jobs until an IP is obtained.
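The options in the answer above (keep retrying, fall back to a static address, fall back to auto-IP) combine naturally into one supervisor loop. The following is an added example, not code from the original answer or from dhcpcd: the DHCP client is represented by a callable the caller supplies (a stand-in for invoking dhcpcd or dhclient), retries use capped exponential back-off so the device never stops trying, and when no lease arrives the device keeps a usable address anyway, either a configured static one or an RFC 3927 link-local address derived from the MAC so it is stable across reboots. The MAC address, the back-off schedule and the lease values in the usage are constructed.

```python
"""Retry-and-fallback address acquisition for a device whose DHCP server may be absent.

Added example, not part of the original answer. `run_dhcp` stands in for running the
real DHCP client (dhcpcd/dhclient); the MAC address, schedule and lease values used
in the tests are constructed.
"""
import hashlib
import ipaddress


def link_local_address(mac):
    """Derive an RFC 3927 style fallback address in 169.254.0.0/16.

    RFC 3927 reserves 169.254.0.0/24 and 169.254.255.0/24, so only the range
    169.254.1.0 - 169.254.254.255 is used. The host part is seeded from the MAC so
    the same device lands on the same address after every reboot (a real
    implementation would still ARP-probe for conflicts before using it).
    """
    digest = hashlib.sha256(mac.lower().encode()).digest()
    seed = int.from_bytes(digest[:4], "big")
    usable = 254 * 256                      # 169.254.1.0 .. 169.254.254.255
    return str(ipaddress.IPv4Address("169.254.1.0") + seed % usable)


def is_usable_link_local(address):
    """True if `address` lies in the RFC 3927 range minus its two reserved /24s."""
    a = ipaddress.IPv4Address(address)
    return (a in ipaddress.IPv4Network("169.254.0.0/16")
            and a not in ipaddress.IPv4Network("169.254.0.0/24")
            and a not in ipaddress.IPv4Network("169.254.255.0/24"))


def backoff_schedule(initial=5, factor=2, cap=300, attempts=8):
    """Exponential back-off delays in seconds, capped so retries never die out."""
    delays, delay = [], initial
    for _ in range(attempts):
        delays.append(delay)
        delay = min(delay * factor, cap)
    return delays


def acquire_address(run_dhcp, mac, static_fallback=None, attempts=8):
    """Retry DHCP with back-off; fall back to a static or link-local address.

    run_dhcp(attempt) returns a lease string such as "10.0.0.5", or None on timeout.
    Returns (address, source, delays_used) with source "dhcp", "static" or
    "link-local". In a real daemon the caller would sleep for each delay between
    attempts and keep re-running this loop in the background after a fallback.
    """
    used = []
    for attempt, delay in enumerate(backoff_schedule(attempts=attempts), start=1):
        lease = run_dhcp(attempt)
        if lease is not None:
            return lease, "dhcp", used
        used.append(delay)        # delay to wait before the next attempt
    # Still no lease: keep the device reachable instead of leaving it addressless.
    if static_fallback is not None:
        return static_fallback, "static", used
    return link_local_address(mac), "link-local", used
```

The two fallbacks are not interchangeable: a static address is only reachable by peers that know the subnet, while a link-local address is reachable by anything on the same segment (including a technician's laptop), which is why the answer's auto-IP option is the more robust choice for a headless device.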