here's my scenario:
I have IP camera behind the company firewall that I want to stream publicly, and for that, I've created two Azure VMs (Ubuntu 19.04) - let's call them vm1 and vm2
In case it's important, my VM SKU is Standard B1s (1 vcpus, 1 GiB memory)
I SSH to my camera and from there, I do a remote port forwarding for RTSP like this:
ssh -R 554:localhost:554 root#<vm1-ip>
And, I guess I need to enable root SSH because it's a "well-known" port.
I log in to vm1, and I see it's listening on the port: sudo netstat -tlnp gives me this:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:554 0.0.0.0:* LISTEN 108748/sshd: root#p
tcp6 0 0 ::1:554 :::* LISTEN 108748/sshd: root#p
But, when I use nmap from from vm2, the port is shown as closed:
nmap <vm1-ip> -p 554
PORT STATE SERVICE
554/tcp closed rtsp
When I use vlc to connect to the stream, it doesn't work either: the URL I use in vlc is: rtsp://<vm1-ip>/...
I thought this might be an issue with the NSG (network security group) associated with vm1, so I tried allowing all inbound traffic:
and, needless to say that it doesn't solve the issue
Any thoughts on this?
Thank you
Related
Background
First time working with Azure. I'm deploying a database server (ClickHouse) onto a VM hosted in Azure, and have it started up fine. The VM is running Ubuntu. The database server's default ports are localhost port 9000 for TCP (used by the command line client) and 8123 for HTTP (used by application clients).
Issue
The db server should be listening on the server's default http port (8123). However, when I try to connect, it just hangs. Based on the below steps, I don't think the network request is making it to the server.
Steps I've tried
Started the containerized version on my local machine and used the exact same curl command to run a simple SELECT 1 query against it (http://localhost:8123). This succeeds and proves to me that the request is not malformed.
Verified that the server is responsive via the local client on the VM (while SSH'ed in)
Added my IP address and the port in the VNET's "inbound port rules". I've been able to access my public IP via SSH after adding a similar rule for that.
my ip is valid irl
$ telnet my.public.ip.address 8123 <- obviously with the actual ip in there. this hangs as well
While SSH'ed in, I've run $ ss -atn | grep 8123 and see:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 4096 127.0.0.1:8123 0.0.0.0:*
LISTEN 0 4096 [::1]:8123 [::]:*
I'm not an expert at the network component of this. I think this means the server is listening to 8123 on localhost as well as all other addresses. I take that latter part to mean that it should be exposed publicly. I also believe LISTEN means it is ready to accept connections, but no connections are currently open.
Any ideas?
LISTEN 0 4096 127.0.0.1:8123
0.0.0.0:*
expected:
LISTEN 0 4096 *:8123 *:*
Your Clickhouse listens localhost only
solution:
cat /etc/clickhouse-server/config.d/port.xml
<?xml version="1.0"?>
<yandex>
<listen_host>::</listen_host>
</yandex>
and restart CH.
I have a server that has a rule like so when I check netstat -tulpn:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
This has been all well and good as the mysql database we've use has only needed local access, but now I want to remote connect to it too. I need my netstat -tulpn to read like so:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
How do I update this? I've been looking through nc but everything seems to only talk about setting up listening for the first time. Whenever I try to assign a new rule I get a message like this:
(base) ct#do-not-touch:/$ sudo nc -l 0.0.0.0 3306
nc: Address already in use
How do update the 127.0.0.1:3306 rule to be for 0.0.0.0:3306? Am I somehow totally off base here?
You can't* have two processes listening on the same IP and port. Since 0.0.0.0 means listen on all IPs, you can't bind to it if there's anything bound to any IP on that port. Stop the existing process listening on 127.0.0.1:3306, and then you'll be able to start one listening on 0.0.0.0:3306.
*: Technically, a flag called SO_REUSEPORT does exist, and forking after binding lets you do it as well, but neither is useful in your situation.
Ok so if you run into this in the future, you have kill the process that is using whatever port but first you must know that port.
sudo lsof -t -i:3306
Then kill whatever id.
I have an Ubuntu16.04 VM on Azure, and am trying to run a node server on it. When I bind the port to 80, I am able to access it from my browser (http://a.b.c.d:80). However, if I try to instead bind the server to a different port, such as 3300 or 8080, the browser times out when trying to connect to it. (http://a.b.c.d:3300)
I have ensured that:
There exists an inbound security rule for port 3300 in the NSG
The windows firewall of the machine of the browser allows port 3300 (I have even tried temporarily turning it completely off but to no avail)
I am not using an azure load balancer
I am starting node with root privileges
Node is bound to (port, "0.0.0.0")
I am listening on the correct port (I think?)
netstat -ant | grep 3300 gives
tcp6 0 0 :::3300 :::* LISTEN
I have spent a few hours now researching on the internet how to get it to work and tried everything I could find, but to no avail. If anyone has any input i'd be happy to try it out.
Jason was correct, it was a ufw issue. If anyone comes across this question in the future, I solved it with the command
sudo ufw allow proto tcp from any to any port 3300
I am trying to change the SSH port from 22 on an Ubuntu box hosted on Azure. According this this answer How to change SSH ports in Microsoft Azure properly? you can just change the 'public' port while keeping the 'private' ssh port at 22.
However the answer is a bit outdated as there is no mention of public/private ports on Azure as far as I can tell. In the Network Scurity Group settings there are only 'Source port range' and 'Destination port range'.
Using the default settings
Source port range: *
Destination port range: 22
I can login via shell OK ie
ssh -i my_key me#azure_ip
When I changed the Source port range to a specific port I want to use as the 'public' ssh port
Source port range: new_ip
Destination port range: 22
then try
ssh -i my_key me#azure_ip -p new_ip
then the connection just times out and I cant connect.
Then I tried changing the Port in the sshd_config on the server, leaving the Source port range as * and changed the Destination port range to the new ip but got a 'public key' error
Any ideas? (I am happy to either change the public port and or the private port)
For now, in ARM module, we can't use NSG to NAT one port to another port.
As a workaround, we can change sshd_config port settings, here are the steps:
1. SSH to this VM, change sshd_config settings like this, change port 22 to port 33320:
root#jasonvm:~# vi /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 33320
2. restart ssh service:
root#jasonvm:~# service ssh restart
root#jasonvm:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:33320 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.4:33188 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:44470 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.0.0.4:33320 114.224.98.58:58180 ESTABLISHED
tcp 0 0 10.0.0.4:33186 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:22 114.224.98.58:58088 ESTABLISHED
tcp 0 0 10.0.0.4:33182 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:44464 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.0.0.4:33180 52.240.48.24:443 TIME_WAIT
tcp6 0 0 :::33320 :::* LISTEN
3. Add inbound rule to NSG:
After that completed, we can use new port and public IP address to ssh this VM:
ssh user#xxx.xxx.xxx.xxx 33320
I set my linux as an access point, and then run simple web-server that print "hello world" at port 3000.
and connect it with my smart phone successfully.
in linux terminal, http://localhost:3000 works well.
But in smart phone,
If I access to http://172.24.1.105:3000, can't connect to it. (172.24... is ap's ip)
the chrome's error message is
This site can't be reached. 172.24.1.105 refused to connect
I searched Google (https://serverfault.com/questions/725262/what-causes-the-connection-refused-message) and I suspicious linux's firewall.
pi#raspberrypi:~/prj/ap_server $ sudo tcpdump -n icmp
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
... when I access to port 3000,
15:07:13.102750 IP 192.168.0.3 > 168.126.63.2: ICMP 192.168.0.3 udp port 42531 unreachable, length 386
the log is above. so I couldn't reach ap's webserver.
so I wonder two things...
1. How can I disable to its port block?
2. in tcpdump log, I access to port 3000 actually, why the log print port 42531?
Plus)
even I type sudo service iptables stop, the problem is not solved
sudo netstat -ntlp | grep 3000 logs:
**tcp6 0 0 :::3000 :::* LISTEN 1999/nodejs**
+I followed this tutorial-> https://frillip.com/using-your-raspberry-pi-3-as-a-wifi-access-point-with-hostapd/ .
and there is ipv4 setting.
If you want to run it on your mobile it will work on Live IP (externel) address
if it is working fine on local address (localhost) and not on live IP then
enable routing from your router
and allow that specific port it will work fine.
I found the issue.
my dhcp set was
interface=wlan0 # Use interface wlan0
listen-address=172.24.1.1 # Explicitly specify the address to listen on
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time
like above.
I tried to connect the external ip(172.24.1.105) that I can see on mobile continuously but got failed. but when I tried with 172.24.1.1, then success.
I don't know why. maybe there is accurate ip address and something in mobile is temporal.
See similar topic at Node JS not listening to port 1337 on server
Your web server is not listening remote address.