How to mimic a Docker registry down situation - linux

I'm trying to test how our app handles when the Docker registry becomes unavailable for it to pull Docker images, and want to mimic the situation.
I don't have any control over the firewall rule of the network or DNS of the servers. The only changes I can make are on the VM I'm using, like VM configurations and Docker configurations. Wondering what I can do to make it as if Dockerhub is down?

You can use iptables to filter the output on your VM and drop packets.
For example:
# iptables -A OUTPUT -d 192.168.12.34 -j DROP
or
# iptables -A OUTPUT -p tcp -d 192.168.12.34 -m multiport --dports 80,443 -j DROP
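As an added example (not part of the original answer), the same idea as a script that resolves the registry's current addresses, tags the rules it inserts, and removes them by tag afterwards. The Docker Hub host names, the tag, the variables and the function names are assumptions; MODE=reject goes beyond the answer's DROP so that pulls fail immediately instead of timing out.

```shell
#!/bin/sh
# Added example: simulate a registry outage with tagged OUTPUT rules, then undo it.
# Assumed names: REGISTRY_HOSTS, TAG, MODE, DRY_RUN and all function names.
REGISTRY_HOSTS="${REGISTRY_HOSTS:-registry-1.docker.io auth.docker.io}"  # assumed Docker Hub endpoints
TAG="registry-outage-test"  # comment that marks the rules this script owns
MODE="${MODE:-drop}"        # drop = pulls hang until timeout, reject = pulls fail at once
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the iptables commands instead of running them

# Every IPv4 address a host resolves to right now, one per line.
resolve_ips() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }

# Jump target for the chosen failure mode.
target() {
    case "$MODE" in
        reject) echo "REJECT --reject-with tcp-reset" ;;
        *)      echo "DROP" ;;
    esac
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# block IP...: one tagged rule per address, ports 80 and 443 only.
block() {
    for ip in "$@"; do
        run -I OUTPUT -d "$ip" -p tcp -m multiport --dports 80,443 \
            -m comment --comment "$TAG" -j $(target)
    done
}

# undo_cmds: read `iptables -S OUTPUT` on stdin, print the -D form of tagged rules.
# Deleting by tag still works if the registry's addresses changed after block ran.
undo_cmds() { grep -F -- "--comment $TAG" | sed 's/^-A /-D /'; }

unblock() {
    iptables -S OUTPUT | undo_cmds | while read -r rule; do
        run $rule
    done
}

# Usage: DRY_RUN=0 ./script block   ...run the pull test...   DRY_RUN=0 ./script unblock
case "${1:-}" in
    block)   for h in $REGISTRY_HOSTS; do block $(resolve_ips "$h"); done ;;
    unblock) unblock ;;
esac
```

Run it with the default DRY_RUN=1 first to review the generated rules; if the daemon pulls through a mirror or proxy, put that host in REGISTRY_HOSTS instead.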

Related

How to change the context of a port 2658 by using Selinux?

I am using RHEL8 and want to change the context port. Does anyone know how to do it?
Thanks
You'll want to use semanage assuming your custom type for port 2658 exists, and you're deploying to a vanilla RHEL server.
semanage port -a -t <custom_type_here> -p <protocol> <port_here>
Assuming protocol is tcp based:
semanage port -a -t my_2658_t -p tcp 2658
More complicated deployments should probably customize corenetwork.te directly.

Adding a new user to docker and limiting its permissions

I am running a docker image of Linux and trying to achieve following:
1. Run a docker
2. Create a user test
3. Stop the user test from internet access
1 and 2 work but I am stuck at #3.
What I tried?
Run iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 501 -j DROP. This command failed with error message "getsockopt failed strangely: Operation not permitted". I was unable to find the root cause.
Change the sudoer file and add an entry test ALL=!/bin/ping. This was to see if I am able to stop user test from running ping command. However, this change in sudoer file had no effect and user test was able to run ping command. Assuming this would work, my intent was to play around with sudoer to achieve my goal.
Is there a recommendation or suggestion to solve this problem?
To block all internet access for a certain user using the iptables command:
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
If you want this command to run when the system starts up, you should add it to the end of your /etc/rc.local file.
Command to reverse the above:
sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
or you can reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line.
you can read more

The same IP (public) from outside the container as well as from inside the container

I'm trying to make a Docker container accessible on e.g. 1.2.3.4:9999:99 from the Internet (so from outside the container) to be seen as the same IP from inside so when I'm inside the container and doing curl http://bot.whatismyipaddress.com/ I would get 1.2.3.4. I've been struggling with it for hours and no progress.
I'm running the container with docker run --name public254 -d -p 123.456.789.254:22:22 some-image:latest and it's accessible through 123.456.789.254 indeed. When inside it's seen as the main IP of the host as it's supposed to.
Now I want to modify this. What should I do next?
Well. I did it.
Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Find out container's internal IP
docker inspect -f '{{ .NetworkSettings.IPAddress }}' some_container
Route it correctly
iptables -t nat -I POSTROUTING -p all -s <container internal IP> -j SNAT --to-source <container external IP>

How can I change iptable entries using bash script?

I have an embedded Linux firmware running on a home router. When I run the following commands one by one from the terminal as root, it works without any errors and serves my purpose. I know this is not a secure policy. This is only to test something.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
However, when this is run in a bash script as root as below,
#!/bin/bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
it gives the following error:
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
I have confirmed that the last line of bash script executes without errors and the entry can be seen in iptables. However, all the other lines throw an error. What am I doing wrong? Surprisingly, the same batch script works fine on my Ubuntu machine.
Did you create the script in Windows, or in some other way that gave it Windows line endings (CRLF) where the router is expecting Unix line endings (LF)?
That would lead to the interpreter reading an extra unprintable character on the end of each of the commands, which would give the errors shown.
You can check by running cat -v myScript.sh. Incorrect Windows line endings will show as:
iptables -P INPUT ACCEPT^M
iptables -P FORWARD ACCEPT^M
iptables -P OUTPUT ACCEPT^M
iptables -F^M
iptables -X^M
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
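The check described above, as an added example that is not part of the original answer: a pre-flight helper that reports which lines of a script end in a carriage return and strips them using only tools BusyBox normally provides. The function names crlf_lines, preflight and strip_crlf are assumptions.

```shell
#!/bin/sh
# Added example: detect and strip CRLF line endings before running a firewall script.
# crlf_lines, preflight and strip_crlf are assumed helper names, not part of any tool.

# Print the numbers of the lines that end in a carriage return.
crlf_lines() { awk '/\r$/ {print NR}' "$1"; }

# Fail with a message on stderr if any line ends in CR, so that a firewall
# script is never applied half-way (as happened with the last line above).
preflight() {
    bad=$(crlf_lines "$1" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "$1: CRLF line endings on line(s): $bad" >&2
        return 1
    fi
}

# Remove carriage returns in place. Writing back with cat keeps the file's
# owner and execute bit; tr is available where dos2unix may not be built in.
strip_crlf() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage: ./preflight.sh myScript.sh   (runs the script only if it is clean)
if [ -n "${1:-}" ]; then
    preflight "$1" && exec sh "$1"
fi
```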

Puppet Firewall - ctstate not available?

I got the task of converting some iptables rules into puppet firewall. I am currently stuck on this:
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP -m comment --comment "drop new not syn"
I can't find a method to use either --match or --ctstate in Puppet Firewall. How can I do this?
The git repository now contains the ctstate option.
You have to either use the git version or wait for a new release on the puppet forge.
Hope this helps.
