Google dialogflow IP addresses - dialog

I am building a Google Home application with DialogFlow.
Fulfillment is done via Webhook that points to my virtual machine
In the VM, port 443 is open and certificates are configured.
However, now I would like to change the VM firewall to allow only the Google server IP addresses/subnets.
Does anyone know where to find this list?
I've found the equivalent list for Alexa in: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html (ip-ranges.json file)
Thanks in advance
Ester

Credit to this old Reddit post I found: https://www.reddit.com/r/starcitizen/comments/3lce2k/list_of_google_cloud_ip_addresses_for_firewall/
With this command you can get the list of Google IPs and update the firewall accordingly:
dig @8.8.8.8 +short txt _cloud-netblocks.googleusercontent.com | sed 's/"//g; s/ip4://g; s/ip6://g;' | tr ' ' '\n' | grep include | cut -d ':' -f2 | xargs dig @8.8.8.8 +short txt | sed 's/"//g; s/ip4://g; s/ip6://g;' | tr ' ' '\n' | grep '/'

For anyone who gets here in 2020, Google publishes their IP addresses in the documentation.
Google publishes the complete list of IP ranges that it announces to the internet in goog.json.
Google also publishes a list of Google Cloud customer-usable global and regional external IP addresses ranges in cloud.json.
The IP addresses used by the default domains for Google APIs and services fit within the list of ranges computed by taking away all ranges in cloud.json from those in goog.json.
Reference: https://cloud.google.com/vpc/docs/configure-private-google-access#ip-addr-defaults
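As an added example (not part of the original answer), the Python below does the computation that answer describes, offline: it loads two goog.json/cloud.json-style documents, subtracts every cloud.json prefix from the goog.json prefixes, and renders what is left as an iptables allowlist for the webhook port. The two documents are constructed stand-ins with made-up prefixes; only the ipv4Prefix/ipv6Prefix key names follow the published files, and the iptables_rules function with its final -j DROP is this example's own choice.

```python
import ipaddress
import json

# Constructed stand-ins for goog.json and cloud.json: the ipv4Prefix/ipv6Prefix keys
# follow the published files, the prefixes themselves are made up for this example.
GOOG_JSON = json.dumps({"prefixes": [
    {"ipv4Prefix": "8.8.4.0/24"},
    {"ipv4Prefix": "8.8.8.0/24"},
    {"ipv4Prefix": "34.64.0.0/10"},
    {"ipv6Prefix": "2001:4860::/32"},
]})
CLOUD_JSON = json.dumps({"prefixes": [
    {"ipv4Prefix": "34.64.0.0/11", "service": "Google Cloud", "scope": "us-central1"},
    {"ipv4Prefix": "34.96.0.0/13", "service": "Google Cloud", "scope": "europe-west1"},
]})


def load_prefixes(text):
    """Return ip_network objects for every prefix listed in a goog.json/cloud.json document."""
    nets = []
    for entry in json.loads(text)["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr))
    return nets


def subtract(networks, excluded):
    """CIDR set difference: addresses in `networks` that no prefix in `excluded` covers."""
    remaining = []
    for net in networks:
        pieces = [net]
        for ex in excluded:
            if ex.version != net.version:
                continue
            kept = []
            for piece in pieces:
                if piece.subnet_of(ex):        # entirely inside the excluded block: drop it
                    continue
                if ex.subnet_of(piece):        # excluded block sits inside: carve it out
                    kept.extend(piece.address_exclude(ex))
                else:                          # disjoint: keep unchanged
                    kept.append(piece)
            pieces = kept
        remaining.extend(pieces)
    # Merge adjacent leftovers back into the largest possible CIDRs, per address family.
    v4 = sorted(ipaddress.collapse_addresses(n for n in remaining if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in remaining if n.version == 6))
    return v4 + v6


def google_api_ranges(goog_text, cloud_text):
    """Ranges used by the default domains for Google APIs: goog.json minus cloud.json."""
    return [str(n) for n in subtract(load_prefixes(goog_text), load_prefixes(cloud_text))]


def iptables_rules(cidrs, port=443):
    """Render IPv4 allowlist rules for the webhook port; the last rule drops everything else.
    IPv6 prefixes belong in ip6tables and are skipped here."""
    rules = [f"-A INPUT -p tcp --dport {port} -s {c} -j ACCEPT" for c in cidrs if ":" not in c]
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(google_api_ranges(GOOG_JSON, CLOUD_JSON)):
        print(rule)
```

Re-run this whenever the published files change, and treat the result as a filter in front of the webhook rather than as authentication: the remaining ranges are shared by every Google service, not only Dialogflow, so the webhook must still check the credentials configured on the fulfillment for each request.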

This isn't a Google home question. Read the docs on your firewall whitelisting feature.

Related

Using the Google Domains Dynamic DNS API, How Can I Create Both A and AAAA Records (IPv4 and IPv6)?

Google Domains exposes an API to change Dynamic DNS synthetic records. By sending a POST (or GET) request to a specific URL with the scheme https://username:password@domains.google.com/nic/update?hostname=subdomain.yourdomain.com&myip=1.2.3.4, Google will theoretically add an A record or AAAA record with the specified IP address... but not both at the same time.
I seem to be unable to create both an A record (for IPv4 traffic) and an AAAA record (for IPv6 traffic); I just switch from one to the other, like so:
roger@computer:~$ curl -6 -X POST -d "hostname=<subdomain>&myip=<ipv4 address>" https://<username>:<password>@domains.google.com/nic/update
good <ipv4 address>
roger@computer:~$ curl -6 -X POST -d "hostname=<subdomain>&myip=<ipv6 address>" https://<username>:<password>@domains.google.com/nic/update
good <ipv6 address>
roger@computer:~$ curl -4 -X POST -d "hostname=<subdomain>&myip=<ipv6 address>" https://<username>:<password>@domains.google.com/nic/update
nochg <ipv6 address>
roger@computer:~$ curl -4 -X POST -d "hostname=<subdomain>&myip=<ipv4 address>" https://<username>:<password>@domains.google.com/nic/update
good <ipv4 address>
After all these, the record that remains is an A record for my IPv4 address, with no AAAA record.
Is there a way to create both records for a dual-stack machine?
https://support.google.com/domains/answer/6147083
Google has already said that:
Important: Dynamic DNS works with IPv4 and IPv6 addresses, but not at the same time.
Doesn't seem you can. Not documented, but whichever of A or AAAA (or the latest of one or the other) is posted will be recorded. Once one exists, however, you can create a standard record for the other, though that will of course not be dynamic. You cannot create a standard record until a dynamic record has actually been set.

PowerDNS-Recursor transmits the client's IP (and not its own)

I am writing to you because I built an infrastructure with a BIND server and a PowerDNS recursor that forwards the requests to the BIND server. What I wanted was for the recursor to transmit the IP of the client and not its own, so I tried to do that using EDNS(0).
Here is a diagram that summarizes what I want to do:
Client : 10.0.0.1/24
|
| “test.com”
|
Server with PDNS-RECURSOR : 192.168.1.1/24
|
| “test.com” with ip_source=10.0.0.1/24
|
Server with BIND : 192.168.1.2/24
And the different configurations files :
• BIND Conf : 3 views
View recursor {} #Return specific IP for the recursor machine
View localhost {} #Return specific IP for the localhost machine.
View external {} #Return specific IP for the external machines.
• Pdns-Recursor Conf (4.1):
edns-outgoing-bufsize=1680
edns-subnet-whitelist=0.0.0.0/0
forward-zones=192.168.1.2
use-incoming-edns-subnet=yes
Unfortunately, it always returns the recursor's view. Do you have a solution?
Thank you in advance !
You cannot transmit the IP, but you can transmit a subnet. This needs an EDNS option called Client Subnet, described in RFC 7871.
For PowerDNS this is controlled in the configuration by various options starting with ecs-, see https://doc.powerdns.com/recursor/settings.html#ecs-add-for
You may try ecs-ipv4-bits: 32 to send the whole IP (the option was designed for sending a subnet, for privacy reasons).
BIND configuration regarding this option is described at https://www.isc.org/wp-content/uploads/2017/04/ecs.pages.pdf
You should sniff the traffic between the two to make sure PowerDNS sends the information to BIND correctly.
You can also try dig querying BIND directly with the appropriate client subnet option (+subnet=) to make sure BIND does what you need.
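To make the "sniff the traffic" and dig +subnet= checks concrete, here is an added Python example (not from the answer, PowerDNS or BIND) that encodes and decodes the EDNS Client Subnet option as RFC 7871 section 6 lays it out on the wire: option code 8, then FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH and the address truncated to the octets the prefix needs, with the bits past the prefix zeroed. The 10.0.0.1 address comes from the question's diagram; the /32 and /24 prefix lengths mirror ecs-ipv4-bits settings and are this example's own choice, as is the find_ecs helper for walking an OPT record's option list.

```python
import ipaddress
import struct

OPTION_CODE_ECS = 8              # EDNS0 option code for CLIENT-SUBNET (RFC 7871, section 6)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # address family numbers carried in the option


def encode_ecs(address, source_prefix_len, scope_prefix_len=0):
    """Build one ECS option: OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE, SCOPE, ADDRESS."""
    addr = ipaddress.ip_address(address)
    family, max_bits = (FAMILY_IPV4, 32) if addr.version == 4 else (FAMILY_IPV6, 128)
    if not 0 <= source_prefix_len <= max_bits:
        raise ValueError("prefix length out of range for this address family")
    # Only ceil(SOURCE/8) octets are sent, and the bits past the prefix must be zero,
    # so mask the address down to its network address before truncating it.
    nbytes = (source_prefix_len + 7) // 8
    network = ipaddress.ip_network(f"{addr}/{source_prefix_len}", strict=False)
    addr_bytes = network.network_address.packed[:nbytes]
    data = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr_bytes
    return struct.pack("!HH", OPTION_CODE_ECS, len(data)) + data


def decode_ecs(option):
    """Parse one ECS option; returns ("network/prefix", scope_prefix_len).
    Raises ValueError on anything a strict resolver would reject as FORMERR."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_CODE_ECS:
        raise ValueError("not an ECS option")
    data = option[4:4 + length]
    if len(data) != length or length < 4:
        raise ValueError("truncated ECS option")
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr_bytes = data[4:]
    if family == FAMILY_IPV4:
        full_len, max_bits = 4, 32
    elif family == FAMILY_IPV6:
        full_len, max_bits = 16, 128
    else:
        raise ValueError("unknown address family")
    if source > max_bits or len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    # strict=True rejects an option whose padding bits past the prefix are not zero.
    try:
        network = ipaddress.ip_network(f"{addr}/{source}", strict=True)
    except ValueError:
        raise ValueError("address bits beyond SOURCE PREFIX-LENGTH must be zero") from None
    return str(network), scope


def find_ecs(opt_rdata):
    """Walk the option list in an OPT RR's RDATA and return the decoded ECS option, or None."""
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        if code == OPTION_CODE_ECS:
            return decode_ecs(opt_rdata[pos:pos + 4 + length])
        pos += 4 + length
    return None


def ecs_is_valid(option):
    """True if decode_ecs accepts the option."""
    try:
        decode_ecs(option)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # What dig +subnet=10.0.0.1/32 should put in the OPT record, and the /24 a recursor
    # configured with fewer ecs-ipv4-bits would send instead.
    print(encode_ecs("10.0.0.1", 32).hex())   # 00080008000120000a000001
    print(encode_ecs("10.0.0.1", 24).hex())   # 00080007000118000a0000
```

When comparing a capture with the encoder's output, the bytes after the option length tell you what the recursor actually sent: a SOURCE PREFIX-LENGTH of 0x18 with three address octets means the /32 was truncated to a /24 before it reached BIND, and a SCOPE PREFIX-LENGTH of zero in BIND's reply means the view did not use the option at all.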

Profiling an IP using tcpdump. Ignoring requests that are not of interest

I have been toying with monitoring POST requests from a specific IP on an application. I suspect the IP of abusing/finding a bug; however, it is not easy to find the suspect piece of code in the codebase, so I'm trying to take a sysadmin approach to the solution.
What I want to do is profile the IP for the next few days/weeks or so, ignoring anything I know to be uninteresting. So far I have this, but I'm not sure where to take it next.
tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' | grep -i -a -B10 -A10 'X-Forwarded-For: 127.0.0.1*'
Obviously not the correct IP, but you get the drift.
Any help would be great.
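The question has no answer on the page; as an added example (not from the original poster), the Python below reimplements the tcpdump filter's logic over a raw TCP segment so it can be checked offline: the header length comes from the high nibble of byte 12 (the filter's (tcp[12:1] & 0xf0) >> 2), the first four payload bytes are compared with "POST" (0x504f5354), and the X-Forwarded-For value is split on commas and matched as a whole address rather than by the prefix that the grep pattern 127.0.0.1* would accept. The segments are constructed inside the block; the neighbouring address 127.0.0.10 and the host name app.example are made up.

```python
import struct

TCP_HEADER = struct.Struct("!HHIIBBHHH")  # src, dst, seq, ack, offset/reserved, flags, win, csum, urg


def build_segment(payload, dst_port=80, options=b""):
    """Constructed TCP segment (no IP header) for testing; options are padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    header_len = TCP_HEADER.size + len(options)      # 20 bytes plus options
    offset_byte = (header_len // 4) << 4             # data offset lives in the high nibble
    header = TCP_HEADER.pack(40000, dst_port, 1, 1, offset_byte, 0x18, 65535, 0, 0)
    return header + options + payload


def tcp_payload(segment):
    """Skip the TCP header: (tcp[12:1] & 0xf0) >> 2 is the header length in bytes."""
    header_len = (segment[12] & 0xF0) >> 2
    return segment[header_len:]


def is_http_post(segment):
    """tcp[hdrlen:4] = 0x504f5354 compares the first four payload bytes with 'POST'."""
    return tcp_payload(segment)[:4] == b"POST"


def http_headers(payload):
    """Parse request headers into (lower-cased name, value) pairs."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:             # drop the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return headers


def forwarded_clients(segment):
    """Every address in X-Forwarded-For, split on commas (the header is a list)."""
    clients = []
    for name, value in http_headers(tcp_payload(segment)):
        if name == "x-forwarded-for":
            clients.extend(part.strip() for part in value.split(",") if part.strip())
    return clients


def matches_suspect(segment, suspect_ip):
    """True for a POST whose X-Forwarded-For names suspect_ip exactly.
    grep 'X-Forwarded-For: 127.0.0.1*' would also hit 127.0.0.10, 127.0.0.111 and so on."""
    return is_http_post(segment) and suspect_ip in forwarded_clients(segment)


# Constructed traffic: a POST from a neighbouring address, a POST with TCP options, and a GET.
POST_FROM_NEIGHBOUR = build_segment(
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 127.0.0.10, 10.0.0.2\r\n\r\nuser=a")
POST_WITH_OPTIONS = build_segment(
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 127.0.0.1\r\n\r\nuser=b",
    options=b"\x01\x01\x08\x0a\x00\x00\x00\x01\x00\x00\x00\x00")   # NOP, NOP, timestamps
GET_FROM_SUSPECT = build_segment(
    b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 127.0.0.1\r\n\r\n")

if __name__ == "__main__":
    for name, seg in (("neighbour", POST_FROM_NEIGHBOUR), ("options", POST_WITH_OPTIONS),
                      ("get", GET_FROM_SUSPECT)):
        print(name, is_http_post(seg), forwarded_clients(seg), matches_suspect(seg, "127.0.0.1"))
```

Two things the grep cannot tell you: X-Forwarded-For is a comma-separated list, so the client can seed it with any address before your proxy appends the real one, and only the entry your own proxy added (the rightmost, if it appends) is worth trusting; and a segment whose header carries options (the 32-byte one above) still yields the right payload because the offset is read from the header rather than assumed to be 20.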

How to assign an external ip to linux server at gcloud?

Last several days I'm struggling with a problem.
I have two instances (Ubuntu Server) on gcloud and I want to assign them their external IPs.
I can ping and SSH to my instances, but when I try to telnet it does not work.
On gcloud all instances have one internal IP and one external IP.
And they do not know their external IP; I get it from the gcloud console.
How could I assign it to them?
Also I've tried sudo ifconfig eth0:0 130.211.95.1 up
You can do something like this to add the external IP to a local interface:
ip addr add 130.211.95.1/32 dev eth0 label eth0:shortlabel
Replace 'add' with 'del' to remove it once you are done with it.
shortlabel can be any string up to a certain (short) length.
Update: also see this GCE support issue for related information.
A feature request for this is already filed on the GCE public issue tracker; however, it is not yet implemented. You can star it to get a notification if any update is posted on the thread.
Could you also mention what your use case is, so I can perhaps provide you with a workaround?

Detecting a change of IP address in Linux

Does anyone know a way to detect a change of IP address in Linux. Say I have dhcpcd running, and it assigns a new IP address, is there a way I can get a notification when it changes? I can't use D-Bus, because this is an embedded ucLinux build that doesn't have it.
inotify on something in /proc/net/ ?
This is an old question, but I will answer for those who will arrive by Google (such as myself). After struggling for a while, I found out that you don't necessarily need to poll or hack a C solution for this. For my case, I wanted to update my home server's (dynamic dns) domain when the IP changes.
If you are running dhcpcd, you are in luck. dhcpcd will run hook scripts when anything happens. See man dhcpcd-run-hooks (online here). Basically you will want to modify or create your own dhcpcd.enter-hook or dhcpcd.exit-hook depending on what you want to do with the data provided by the event.
The command
ip monitor
will show you this kind of thing happening. It uses the netlink API, which is rather tricky and not documented well (at least for humans to understand). However, it is able to get notified by the kernel of various events, such as changes of assigned IPs, routing tables and link status (e.g. someone unplugged the network).
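As an added example (not from the answer), this Python reads the same netlink events that ip monitor prints, without a C program: it subscribes a NETLINK_ROUTE socket to the RTMGRP_IPV4_IFADDR group and decodes RTM_NEWADDR/RTM_DELADDR messages (nlmsghdr, then ifaddrmsg, then a list of rtattr entries). The constants are the Linux header values; the sample messages at the bottom are built by the block itself so the parser can be exercised without waiting for dhcpcd to change anything (eth0, ifindex 2 and the 192.168.1.x addresses are made up).

```python
import socket
import struct

# Linux constants (from <linux/netlink.h> and <linux/rtnetlink.h>).
NETLINK_ROUTE = 0
RTMGRP_IPV4_IFADDR = 0x10
RTM_NEWADDR, RTM_DELADDR = 20, 21
IFA_ADDRESS, IFA_LOCAL, IFA_LABEL = 1, 2, 3
NLMSGHDR = struct.Struct("=IHHII")   # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
IFADDRMSG = struct.Struct("=BBBBI")  # ifa_family, ifa_prefixlen, ifa_flags, ifa_scope, ifa_index
RTATTR = struct.Struct("=HH")        # rta_len, rta_type, then the payload, 4-byte aligned


def _align4(n):
    return (n + 3) & ~3


def parse_addr_events(buf):
    """Decode RTM_NEWADDR/RTM_DELADDR messages from a netlink receive buffer.
    Returns (event, ifindex, label, "address/prefixlen") tuples; a truncated message ends the parse."""
    events = []
    off = 0
    while off + NLMSGHDR.size <= len(buf):
        msg_len, msg_type, _flags, _seq, _pid = NLMSGHDR.unpack_from(buf, off)
        if msg_len < NLMSGHDR.size or off + msg_len > len(buf):
            break
        body = buf[off + NLMSGHDR.size:off + msg_len]
        if msg_type in (RTM_NEWADDR, RTM_DELADDR) and len(body) >= IFADDRMSG.size:
            family, prefixlen, _f, _scope, ifindex = IFADDRMSG.unpack_from(body, 0)
            attrs, pos = {}, IFADDRMSG.size
            while pos + RTATTR.size <= len(body):
                rta_len, rta_type = RTATTR.unpack_from(body, pos)
                if rta_len < RTATTR.size or pos + rta_len > len(body):
                    break
                attrs[rta_type] = body[pos + RTATTR.size:pos + rta_len]
                pos += _align4(rta_len)
            raw = attrs.get(IFA_LOCAL, attrs.get(IFA_ADDRESS))   # IFA_LOCAL is the host's own address
            if raw is not None and family in (socket.AF_INET, socket.AF_INET6):
                label = attrs.get(IFA_LABEL, b"").split(b"\x00", 1)[0].decode()
                addr = socket.inet_ntop(family, raw)
                event = "new" if msg_type == RTM_NEWADDR else "del"
                events.append((event, ifindex, label, f"{addr}/{prefixlen}"))
        off += _align4(msg_len)
    return events


def build_addr_msg(msg_type, ifindex, label, cidr):
    """Constructed RTM_NEWADDR/RTM_DELADDR message, used here only to exercise the parser."""
    address, prefixlen = cidr.split("/")
    attrs = b""
    for rta_type, value in ((IFA_LOCAL, socket.inet_aton(address)),
                            (IFA_LABEL, label.encode() + b"\x00")):
        rta_len = RTATTR.size + len(value)
        attrs += RTATTR.pack(rta_len, rta_type) + value + b"\x00" * (_align4(rta_len) - rta_len)
    body = IFADDRMSG.pack(socket.AF_INET, int(prefixlen), 0, 0, ifindex) + attrs
    msg_len = NLMSGHDR.size + len(body)
    return NLMSGHDR.pack(msg_len, msg_type, 0, 0, 0) + body + b"\x00" * (_align4(msg_len) - msg_len)


def watch(callback):
    """Subscribe to IPv4 address changes and hand each event to callback (Linux only)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    sock.bind((0, RTMGRP_IPV4_IFADDR))   # (port id 0 = let the kernel assign, multicast group mask)
    while True:
        for event in parse_addr_events(sock.recv(65536)):
            callback(event)


# Made-up sample: dhcpcd replacing 192.168.1.5 with 192.168.1.7 on eth0 (ifindex 2).
SAMPLE = (build_addr_msg(RTM_DELADDR, 2, "eth0", "192.168.1.5/24")
          + build_addr_msg(RTM_NEWADDR, 2, "eth0", "192.168.1.7/24"))

if __name__ == "__main__":
    print(parse_addr_events(SAMPLE))
    watch(print)
```

A "new" event for an address you did not expect, or on an interface other than the one dhcpcd manages, is the kind of thing to alert on rather than just log; the callback is the place to compare against the previous address and trigger the nsupdate or dynamic DNS call the other answers describe.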
Since DHCP activity is sent to syslogd you could create a named pipe, direct syslog traffic to it and watch the stream for IP address updates. See 'man syslogd' and 'man syslog.conf'.
Edit: Another approach would be to use inotify to monitor the DHCP leases file for the interface. Under Ubuntu 9.10 that is in the /var/lib/dhcp3 directory.
What I thought of was running this script from cron every 10 or so minutes, depending on your link.
If I wrote this right, it only runs nsupdate when there is an IP change, so no undue load is created on the zone's master server.
#!/bin/bash
OLD_IP=$(cat ip.txt 2>/dev/null)
# Take the address from the "inet addr:" line of eth0 (adapted from something I got from the internets); adjust the interface name.
NEW_IP=$(/sbin/ifconfig eth0 | awk -F '[: ]+' '/inet addr:/ { print $4; exit }')
if [ "$NEW_IP" != "$OLD_IP" ]; then
    nsupdate <commands> # it seems like the keys need to be in the same directory from where nsupdate was called
fi
echo "$NEW_IP" > ip.txt
exit 0 # not sure if this is necessary
Not tested!
This is an older thread, but in case someone finds it like I did, I wrote something that does network change detection/notification in Linux a while back (mostly targeted at helping VPN users), and thanks to some pushy friends I put it up for others to use. It's a pet project now and I'm actively maintaining it, so feature requests and feedback are welcome.
http://code.google.com/p/ipcheck/source/browse/ipcheck.sh
I think you can use dbus to do this on modern Linux distributions. If your distribution uses NetworkManager, see this document for information about its dbus interface:
http://people.redhat.com/dcbw/NetworkManager/NetworkManager%20DBUS%20API.txt
If you have a router running DD-WRT and use its status page, you can, with a script, wget the status page, grep it for the IP address and write it to a file for comparison, and have an email sent when the latest IP address differs from what is in the comparison file.
I'm running DD-WRT on a Linksys WRT54G router and use this script:
It wgets the router status page from 192.168.3.1, greps the page (index.html) for the WAN IP address, then writes it to a file (gotip.txt).
A comparison is made between the captured IP (gotip.txt) and the current working IP (workingip.txt). If the IP addresses are different, I get an email sent by sendmail with the new IP, and the new working IP is written into the workingip.txt file.
Cron runs this every 5 min or so and I have the cron output silenced to /dev/null.
#!/bin/bash
# Fetch the DD-WRT status page; wget saves it as index.html in the current directory.
wget -q -O index.html http://192.168.3.1/
grep "wan_ipaddr" index.html > gotip.txt
gotip=$(cat gotip.txt)
compare=$(cat workingip.txt 2>/dev/null)
if [[ "$compare" != "$gotip" ]]
then
    EMAIL="youremail@foo.net"
    EMAILMESSAGE="/home/pi/ipmessage.txt"
    # sendmail -t takes the recipient from the To: header, so write a proper message.
    {
        echo "To: $EMAIL"
        echo "Subject: WAN IP address changed"
        echo ""
        echo "ip address is now $gotip"
    } > "$EMAILMESSAGE"
    /usr/sbin/sendmail -t < "$EMAILMESSAGE"
    rm "$EMAILMESSAGE"
    cp gotip.txt workingip.txt
else
    echo "done"
fi
rm index.html
