General information:
IP: 1.2.3.4
Server: Raspian Stretch (Debian 9)
On the server is running apache2 with 2 website.
mosquitto user: user
moquittto password: psw
I've installed mosquitto on my server and set a user and a password.
When I use it in localhost I've no problem:
mosquitto_pub -h localhost -p 1883 -t topic -u "user" -P "psw" -m "new message"
mosquitto_sub -h localhost -p 1883 -t topic -u "user" -P "psw"
I receive new message without any problems
Unfortunately if I use my public ip it doesn't work anymore:
mosquitto_pub -h 1.2.3.4 -p 1883 -t topic -u "user" -P "psw" -m "new message"
mosquitto_sub -h 1.2.3.4 -p 1883 -t topic -u "user" -P "psw"
After few seconds both the subscriber and the publisher print this error: Error: Connection timed out
I can imagine is something like a closed port but I don't know how to unlock it.
I tried this but didn't change anything: sudo iptables -A INPUT -p tcp -m tcp --dport 1883 -j ACCEPT
These are my configuration file:
/etc/mosquitto/conf.d/default.conf
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 1883
/etc/mosquitto/mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
I presume that the IP you're using is not actually 1.2.3.4 - if you don't own it and it's not listed as a private / internal IP, don't use it internally.
Equally, if you don't own it, don't try to use it externally / on the internet.
If you are behind a consumer NAT'ing router, and using the router's external IP address, then there are a couple of potential issues:
Most consumer routers do not support hairpin NAT - i.e: you cannot access services (even if you've setup port forwarding correctly) by using your external IP from behind the router.
To test this out, try connecting from a friend's house or via another internet connection (e.g: your phone).
The solution is to just connect to your internal server directly. If you're lucky your router can be configured to handle hairpinning, or you could upgrade your router.
You might need to setup port forwarding on the router so that incoming connections on port 1883 are forwarded to your server internally.
Related
I want to connect to my server via limited ip adresses. I thought that may be I can connect to my server via OPENVPN that is installed on my server. I have modified hosts.allow and hosts.deny files in /etc
/etc/hosts.allow file :
sshd : x.x.x.x (server ip )
/etc/hosts.deny file :
sshd : ALL
But I cant connect to my server via OpenVPN at the moment. OpenVPN has different ip adress like 10.8.0.x.
How I can set SSH connection to my server via OpenVpn?
You can use the ListenAddress directive in /etc/ssh/sshd_config to force SSHD to only listen on a specific IP address, namely the OpenVPN private address of your server, e.g.:
ListenAddress 10.8.0.1
This prevents sshd from listening on any other interfaces, including the public ones (by default sshd listens on all the available interfaces). Just make sure you restart sshd after updating the configuration.
After that to connect to SSH you will need to first establish the OpenVPN connection and then ssh into 10.8.0.1.
i suggest using iptables to limit IP addresses
iptables -A INPUT -s x.x.x.x -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Operating system : ubuntu 16.04 LTS ,here's my problem.
Recently I'm building a application rely on a Redis(Docker) offered data service. A customary way of creating new Redis service is kind of like this:
docker pull redis:latest
docker run -d --name redis -p 6379:6379 redis:latest
Assuming my WAN IP is 201.201.201.201 ,then it should just fine to access Redis via address:201.201.201.201:6379.
However this approach exposes a redis server's port to public network ,even though you can give a supper long password ,potential safety hazard remains.
Since docker do not support port mapping changing within a running container ,I need to shut down the whole docker service ,that takes a long time ,nearly impossible.
Then I'm trying to use IP table mapping instead of creating a docker map ,due to iptables 's flexibility ,theoretically it allows benefits from both sides -- uoload files from wherever else in the world(out side zz) ,but can also close this
iptables -t nat -A PREROUTING -d 172.245.210.199 -p tcp --dport 6379 -j DNAT --to-destination 172.17.0.5:6379
iptables -t nat -A POSTROUTING -d 172.17.0.5 -p tcp --dport 6379 -j SNAT --to 172.17.0.1
But it do not work ,I can't ping container 17.17.0.162
Does anyone knows resolution ,or could propose some other ways to implement this port mapping (such as nginx or caddy?)
Thanks!
What I suggest is to use an assistant container, in this container add port forward for your service container which did not do port mapping:
docker run -idt --link redis -p 6379:6379 alpine/socat TCP4-LISTEN:6379,fork,reuseaddr TCP4:redis:6379
Above container will use --link redis so it can resolve the name of your redis container, and when receive the traffic from host's 6379, it will first forward to assistant container's 6379, then will use socat to forward the traffic to the redis container's 6379, so it works although your service container did not port mapping 6379.
As --link was deprecated, you can also customize your network, as you like:
docker network create my_network
docker network connect my_network redis
docker run -idt --network my_network -p 6379:6379 alpine/socat TCP4-LISTEN:6379,fork,reuseaddr TCP4:redis:6379
I use docker-compose on ubuntu 18 on remote server.
How, with iptables, can i block access from the internet to the docker port and only allow access to it from the localhost of this server?
For instance, i want to block 4150 port for internet. Trying this:
iptables -A DOCKER-USER -p tcp --dport 4150 -j DROP does not block the port - still can access to it from the internet (not from server machine).
How can i block access from internet to all ports that are on the server, but allow only 22,80 ? And keep that ports available from localhost of the server (eg from the server itself) ?
Not the IPTables based solution you're looking for, but a much simpler solution is to only publish to a specific interface, instead of all interfaces. And when that interface is the loopback interface, e.g. 127.0.0.1, you'll only be able to access the port locally. To do this, add the interface to the beginning of the publish spec:
docker run -p 127.0.0.1:4150:4150 ...
Or a similar syntax in the compose file:
...
ports:
- 127.0.0.1:4150:4150
...
As for why the command you tried using didn't work, this needs conntrack to get the original port rather than the docker mapped port:
iptables -I DOCKER-USER -p tcp -m contrack --ctorigdstport 4150 -j DROP
This also changed from -A (append) to -I (insert) because there's a default rule to accept everything in that list.
I have created a debian wheezy virtual machine in google compute engine but I am unable to connect to it with vnc.
Here is what I have done
Installed gnome and the rebooted the VM
install tightvncserver and started it
I have tried to connect using the static ip that I've attached to the VM but I'm getting the error: "the connection was refused by the host computer".
I thought it was the firewall that was the issue so I disabled iptable using the following commands
$ sudo iptables-save > /root/firewall.rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
and I have created rules in google firewall to allow ports 0-65535 for tcp and udp but it still does not work.
Anyone knows how to do it?
Thanks in advance
By default, all incoming traffic from outside a network is blocked and no packet is allowed into an instance without an appropriate firewall rule. To allow incoming network traffic, you need to set up firewall rules to permit these connections:
start the VNC service
look at VNC server settings or netstat -nap to find out the listening port of vnc server
under Google Developer console -> Compute Engine -> Networks -> default -> Firewall rules
create a new rule and open appropriate ports for incoming vnc connections.
VNC uses by default port 5901. In the 'VNC server' field, specify the ip address and the port 5901.
Example: VNC ***Server: 123.123.123.123:5901
Encryption: let VNC Server choose***
Be aware that the free edition of VNC doesn't support encryption, it only encrypts your user name and password. One thing also to configure is /etc/sysconfig/vncservers file where you have to specify the user and the port that VNC server should listen to, and make sure it's not commented
Example:
VNCSERVERS="1:USERNAME"
VNCSERVERAR0GS[1]="-geometry 800x600 -listen tcp -5901"
Has anyone installed OpenFire on Windows Azure before?
Is it easy to create another instance with the OpenFire in it?
Thanks!
Yes, I've installed openFire on both EC2 (Linux) and Azure. It is a painless as you could imagine.
get a VM
install java
install openfire
install openfire db to SQL azure (connection string syntax below)
jdbc:jtds:sqlserver://SQLAzInstance.database.windows.net:1433/OpenFireSqlDBName;ssl=require
be sure to allow proper ports through the endpoints tab of the virtual machine in the new azure management portal
TCP 5222/5223 (std/SSL client connectivity)
TCP 5269 (server-to-server)
TCP 9090 (default openfire web ui port, you could change this)
Log into your Windows Azure account.
Create a Machine running Ubuntu 14 LTS
Then go to your SSH client (for Mac and Linux users, you can use the terminal by typing
ssh username#servername e.g. ssh joel#chatserver.cloudapp.net ) and for Windows users, you can install PuTTy SSH client which comes with BitVise.
log in as an admin by typing
sudo su
then update the sever by typing
apt-get update
then check for any new releases by typing
apt-get upgrade
Then check if java is installed (it is usually not installed anyway) by typing
java -version
if it is not installed, install it by typing
apt-get install default-jre
accept it to install by typing y to mean yes
wait for it to install
then install openfire by first downloading it. You use the wget command to download it directly to your server as below. (at the time of writing, openfire 3.9.3 is the latest version)
wget -O openfire.deb http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_3.9.3_all.deb
Then after it has finished downloading, install it by typing
dpkg --install openfire.deb
Before you go to the browser, go to your Windows Azure dashboard
Click on the Virtual Machine you have created
Then click on Endpoints
Add the following end points, they are all of TCP type
Public Port 5222, Private Port 5223 and this is for SSL connectivity
Public Port 5269 and Private port 5269 and this is for server to server connectivity
Public Port 9090 and private port 9090 and this is for openfire web UI
After all this, you are good to go,
Go to your browser and type in your server url and at the end put 9090 e.g.
chatserver.cloudapp.net:9090
Hope that helped and happy chatting!!
To user default port such as 80 and 443 (replace 5222 and 5223 with 80 and 443 ) use following commands to redirect traffic on linux machine.
iptables -A INPUT -i eth0 -p tcp --dport 5222 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 5222
iptables -A INPUT -i eth0 -p tcp --dport 5223 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 5223