Machine: CentOS 6.2
I've had a Perl script which I've been using for ages, which has previously had no problem (and still doesn't) fetching data using LWP from port 80 locations. However, attempting to fetch from https locations, on port 443, always fails.
To simplify the diagnostics, I figured I'd try the same idea from the command line using cURL and wget, but these also fail with https, while they also both work fetching regular http data.
Figuring that the same problem affects all three methods, I'm trying to ascertain exactly what it is that might be wrong, and how to fix it. It's a dedicated server, and I have root access so I can pretty much do what I want to.
I've tried forcing cURL to use ipv4, and a bunch of other flags that looked interesting, but I always end up with the requests failing with "curl: (7) couldn't connect to host".
$ cat debugdump.txt
== Info: About to connect() to www.xyz.com port 443 (#0)
== Info: Trying 194.xxx.xxx.xx... == Info: Connection timed out
== Info: couldn't connect to host
== Info: Closing connection #0
... and similar connection time-outs with wget as well.
If I try fetching the same data with http, and with the -L flag (to follow redirects) then it will similarly fail on the secure portion of it.
So, basically I want to be able to retrieve remote data served via https, but am currently unable to do so. I know I definitely should be able to. I've spent ages trying to resolve this, but so far to no avail. Any useful information to help solve the problem would be much appreciated. Thanks!
Edit
Additional info: I'm not really too familiar with firewalls, but FYI, the entries in /etc/sysconfig/iptables relating to port 443 are:
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid2676X....
-A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j Cid2676X...
However, I'm not sure why/if I'd need to open port 443 (if it's not already open) anyway; I mean, I'm fetching from port 443 on another server, not listening for traffic on my 443; surely I'm using some other random port on my own machine to fetch with?
Edit 2
Figured out that if I temporarily disable the iptables then the problem goes away. Of course, I need to have the iptables active, so I need to know what it is about the iptables that is preventing me fetching from secure sites. Suggestions welcome.
Related
I'm trying to set up a Perforce Server using a Droplet from DigitalOcean and connect to it via P4V.
I was following this tutorial https://allarsblog.com/2014/09/25/setup-perforce-digital/ which I was originally led to by an Unreal Engine official YouTube tutorial. When I got to the part where I was supposed to connect via P4V I got the following error:
Connect to server failed; check $P4PORT.
TCP connect to [Droplet IP Address]:1666 failed.
connect: [Droplet IP Address]:1666: WSAECONNREFUSED
I posted on the DigitalOcean forum and they suggested I try to set the P4PORT then verify it with p4 info, but the p4 info command only yields the following:
Perforce client error:
Connect to server failed; check $P4PORT.
TCP connect to devel:1666 failed.
No such host is known.
Since it said no such host is known, I tried using the direct IP Address in the place of devel, and that only returned the same result but it also said connect: [IP Address]:1666: WSAECONNREFUSED.
I can ping the IP Address just fine. Connecting via puTTY (port 22) does not seem to be an issue. I'm using Windows 10, I heard Firewalls could produce this problem but even if I disable my Firewall I get the same errors.
This is my first time doing this, so I may have made a beginners mistake. Any help would be appreciated.
Found my answer in another Forum: Fire up PuTTY and log in as “root” Type “p4d” from the command line (If you don’t see it, it should be located in “/usr/local/bin”)
I had a similar issue.
To clear the " WSAECONREFUSED " error we put Server:[DigitalOcean ServerIP]:1666 and clicked the "New" button for user.
We were prompted with a new error -> WSAETIMEDOUT
to solve this we had to open the 1666 port on the server so we opened the up and down 1666 using these commands.
iptables -I INPUT -p tcp --dport 1666 --syn -j ACCEPT
&
iptables -I INPUT -p udp --dport 1666 -j ACCEPT
I use docker-compose on ubuntu 18 on remote server.
How, with iptables, can i block access from the internet to the docker port and only allow access to it from the localhost of this server?
For instance, i want to block 4150 port for internet. Trying this:
iptables -A DOCKER-USER -p tcp --dport 4150 -j DROP does not block the port - still can access to it from the internet (not from server machine).
How can i block access from internet to all ports that are on the server, but allow only 22,80 ? And keep that ports available from localhost of the server (eg from the server itself) ?
Not the IPTables based solution you're looking for, but a much simpler solution is to only publish to a specific interface, instead of all interfaces. And when that interface is the loopback interface, e.g. 127.0.0.1, you'll only be able to access the port locally. To do this, add the interface to the beginning of the publish spec:
docker run -p 127.0.0.1:4150:4150 ...
Or a similar syntax in the compose file:
...
ports:
- 127.0.0.1:4150:4150
...
As for why the command you tried using didn't work, this needs conntrack to get the original port rather than the docker mapped port:
iptables -I DOCKER-USER -p tcp -m contrack --ctorigdstport 4150 -j DROP
This also changed from -A (append) to -I (insert) because there's a default rule to accept everything in that list.
For testing purposes I want to build a server that listens for TCP connections to every port (or at least on most of the ports) on a certain interface (e.g., eth0). The server is accessed via SSH to eth1, so no problem there. (I do not care about UDP or other protocols)
I want to do a special kind of middlebox detection/analysis, therefore I need to be able to fully establish a connection. Having an HTTP connection would be the best, because the "client" could be implemented as JS in the Browser.
I started with a simple jetty server, but had to realize that jetty needs to spawn at least on thread per port it is listening to. This leads to problems when I want to listen to several thousand ports. Or is there a way around that?
My next try was to use iptables:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -j DNAT --to-destination 127.0.0.1:8080`
It seemed to work. It allows to connect on every port and the traffic gets routed to the local port 8080 where jetty listens. But now I no longer know which port was used by the client. Because jetty thinks the connection was established via port 8080. Is there a way to determine the real incomming port from jetty? I could send the port as part of the HTTP request, but if the client tries to contact port 1234 .. and a middlebox redirects this to port 5678 .. I am unable to know what port was used.
I also tried userland solutions like socat. The problem was even worse than before. Because now jetty also saw the remote IP as being 127.0.0.1.
Or, is there another way to achieve this?
Oh and btw: I have full control of the machine. So I could change the kernel or whatever is needed. Right now I use Ubuntu 14.04 LTS, but if a solution needs something else I could go with that.
NB: This is a Python solution, because I know Python, but you can accomplish the same thing in any language the exposes the underlying C library getsockopt call.
If you replace your DNAT rule with a REDIRECT rule, you can then
use getsockopt with the SO_ORIGINAL_DST option to retrieve the
original address of a REDIRECT-ed connection.
Consider the following code:
#!/usr/bin/python
import socket
import struct
SO_ORIGINAL_DST = 80
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('0.0.0.0', 2000))
s.listen(10)
while True:
csock, caddr = s.accept()
orig_dst = csock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
orig_port = struct.unpack('>H', orig_dst[2:4])
orig_addr = socket.inet_ntoa(orig_dst[4:8])
print 'connection from', caddr
print 'connection to', (orig_addr, orig_port)
print
If I have an iptables rule that looks like:
# iptables -t nat -A PREROUTING -p tcp --dport 1500:1600 \
-j REDIRECT --to-port 2000
And while the above Python code is running I connect from another
host to my_ip_address:1500, I see:
connection from ('192.168.1.20', 35790)
connection to ('192.168.1.75', (1500,))
And if I connect to port 1550 I see:
connection from ('192.168.1.20', 42054)
connection to ('192.168.1.75', (1550,))
Which I think is exactly what you were asking for. Note that to my knowledge this will only work for TCP connections; there are other solutions (possibly involving the TPROXY iptables target) that may work with UDP connections as well.
I'm running a linux based (centos 6.5) VPS. I had no problem since yesterday that everything was fine . I was editing Iptables rules , trying to reject and allow some services and ports but suddenly I got disconnected from VPS and could not connect anymore. I Googled a lot and read many topics regarding this problem but none of them helped me.
I tried:
Reinstalling sshserver and client
Flushing Iptables, saving it and then restarting it
Changing the port for ssh using from /etc/ssh/sshd_config file to sth
else and then allowing this new port from iptables
but I still have the problem.
any help would be appreciated.
As we commented :
Put this rule : iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Is it possible to redirect outgoing connection back to localhost using iptables?
For example, if php script requests someonlinesite.com/bla.php then it would redirect to 127.0.0.1/bla.php
OS: Debian 7
The question does not really make much sense the way it currently is asked.
Most likely you are trying to redirect a http request? Then you should take a closer look at your systems name resolution, since that is the step that translates the host name someonlinesite.com to an ip address. So that is where you want to manipulate.
You might also want to consider using a proxy as an alternative. But a pure iptables based solution is questionable, since in typical setups the local http server will not react to incoming requests to a remote ip address...
try with:
iptables -t nat -A OUTPUT -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80
Thank you for replies, i managed to do it with hosts file.
/etc/hosts
127.0.0.1 domain.com
Now it redirects always to localhost when script tryes to reach domain.com