I'm using my apache server for running TCP and UDP traffic using iperf3.
I manually execute a command on my server to listen to a port.
~# iperf3 -i 5 -s -p 7759
-----------------------------------------------------------
Server listening on 7759
-----------------------------------------------------------
I'm wondering if there is a way to configure my apache server to have few ports (say 7760,7761,7762,...7770) permanently open on my apache server for iperf traffic so that I don't have to manually execute the aforementioned command to open the port for iperf traffic
The answer depends on the definition of permanently open.
If ports remaining open after you log out from your webserver is sufficiently good approximation of permanently open. Then all you need is start iperf with nohup command.
nohup iperf3 -s -p 7759 >/tmp/log 2>&1
See this question for more details on keeping backround processes after the shell that spawned them terminates. In particular, check out the answers that suggest using the screen command.
If you need iperf server to keep the ports open between reboots you need to configure the init process to spawn iperf3 at boot up time. For this you need root access to your webserver.
As root you could add the following lines to /etc/rc.local file
iperf3 -s -p 7759 > /tmp/iperf-7759.log 2>&1 &
iperf3 -s -p 7760 > /tmp/iperf-7760.log 2>&1 &
...
iperf3 -s -p 7760 > /tmp/iperf-7770.log 2>&1 &
See also this question on how to ensure a command is run every time the machine starts.
Related
Written program in python, which chooses random port available for TCP and UDP communication. If I enable Linux firewall(ufw) by running sudo ufw enable. where we can allow any port by giving
sudo ufw allow port_number. As the program can take any random port on run, so can not tell ufw to allow any particular port. Is there any way to tell ufw to allow prog to access any random port by supplying program name to ufw like in windows. In windows firewall, we can supply the following command to allow access to all port for myprog
netsh advfirewall firewall add rule name=rule_name_udp dir=in action=allow protocol=UDP localport=any program=path/myprog.exe
is there any way to allow ufw for my custom program to access for udp/tcp communication with ufw enable?
Thanks to all in advance.
You can wrap your app into systemd service and use post-start hook to call extra bash script which punches holes in firewall.
/path/to/python/app/assistant-ufw-hole-puncher
#!/bin/bash
#extra sleep for prespawn script
sleep 2
#punch holes for TCP ports
ports=`sudo netstat -ntlp 2>&1 |grep yourapp | sed -r 's/(.*:)([0-9]*)(\s.*)/\2/'|sort|uniq`
for port in $ports ; do
sudo ufw allow $port
done
#punch holes for UDP ports
ports=`sudo netstat -nulp 2>&1 |grep yourapp | sed -r 's/(.*:)([0-9]*)(\s.*)/\2/'|sort|uniq`
for port in $ports ; do
sudo ufw allow $port
done
Also you could spawn this script before starting your script but you would need to add extra sleep to wait for python script to start.
#!/bin/bash
/path/to/python/app/assistant-ufw-hole-puncher &
python ./your-app.py
Some background first, I am running Ubuntu 64-bit server on a machine running ESXi. I have just installed this VM today specifically for this task. This task is to run a tModLoader server with as little outside interference as possible.
I set up firewalld with a service for terraria that looks like this:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Terraria</short>
<description>Open TCP port 7777 for incoming Terraria client connections.</description>
<port protocol="tcp" port="7777"/>
</service>
I set up UFW to allow only ssh and port 7777/tcp.
I added a rule for iptables with this command:
sudo iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
I created a user called "terraria" with options -r -m -d
I set up the server files in /opt/terraria with the exception of the ModLoader files which are installed in two locations because they are dependent on the user that starts the process. The location of those are ~/.local/share/Terraria/ModLoader
I created a service for terraria in /etc/systemd/system/terraria.service that looks like this:
[Unit]
Description=server daemon for terraria
[Service]
Type=forking
User=terraria
KillMode=none
ExecStart=/usr/bin/screen -dmS terraria /bin/bash -c "/opt/terraria/tModLoaderServer -config /opt/terraria/serverconfig.txt"
ExecStop=/usr/local/bin/terrariad exit
[Install]
WantedBy=multi-user.target
I made a script that allows me to easily access the screen session the service starts in:
#!/usr/bin/env bash
send="`printf \"$*\r\"`"
attach='script /dev/null -qc "screen -r terraria"'
inject="screen -S terraria -X stuff $send"
if [ "$1" = "attach" ] ; then cmd="$attach" ; else cmd="$inject" ; fi
if [ "`stat -c '%u' /var/run/screen/S-terraria/`" = "$UID" ]
then
$cmd
else
su - terraria -c "$cmd"
fi
With all of that out of the way, the issue I am running into is that the service starts, and I can attach to the screen session while the service is running, however the screen session terminates after a few seconds while the server is starting up. I have no idea why that happens. Starting the server as my own user seems to work properly, but I need it to be able to run as a service with a system user so that the server will automatically run upon boot.
As a side note the config file doesn't work oddly.
Any ideas and help on this issue would be greatly appreciated.
I am new to writing script and not sure whether I am correct in writing such script for tcpdump to collect pcap info.
tcpdump -s 0 port ftp or ssh or http or https -i eth0 -w mycap.pcap
#run the tcpdump and store all the info in mycap.pcap
sudo kill -2 #for exit purpose
This enables me to run tcpdump which is good, however, I wish to stop this (due to the space for mycap.pcap meet the max capacity of 3GB per file) automatically via the same script and run again but this time round, I will store it in another file (eg. mycap1.pcap)
Then the cycle goes again until I stop the process by pressing crtl+c
Can this be done?
You don't need to write a script for that.
tcpdump -C <filesize> -s 0 port ftp or ssh or http or https -i eth0 -w mycap.pcap
Have a look at the man-page for tcpdump.
I am using netcat utility on linux to receive outputs from a program on a windows machine. My problem being that the program on the windows machine does not always give an output.
How can i check that either a connection has been made to netcat ?
What i am doing till now is "nc -l -v 9103 > output" then i check the size of output, the problem this poses is that netcat only write to a file after a certain buffer size has been reached or a new line char is encountered, so some cases evne though a connection has been made the file size is detected as zero.
How can i check if someone has made a connection with netcat.
I tried using
nc -l -v -e someprog.exe 9103 > output
but my netcat doesnt seem to support this
below are the options i have
$ nc -h
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
[-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
-h This help text
-i secs Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-p port Specify local port for remote connects
-r Randomize remote ports
-s addr Local source address
-T ToS Set IP Type of Service
-C Send CRLF as line-ending
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]
verbose mode will write connectivity to stderr, and you can redirect stderr to a file, the verbose log has something like
connect to [xxx] from [xxxx]
try
nc -l -v -p 9103 -k 1> output 2>connect.log
and monitor connect.log for connectivity
if you don't use -k , netcat quits after 1st connection.
If you can upgrade your copy of netcat: the modern versions (1.10, for one) have an option to execute a program (or a shell command) upon connect. Otherwise, you can make the netcat think it runs in a terminal (to disable buffering of stdout), by using for example script (it just saves everything on stdin/stdout/stderr in the given file). Or use logging features of screen and tmux.
I would like to run node with a low privileges user, is it possible? I need to use the framework Express.js
Yes. There are many solutions available to do this, depending on your exact needs.
If you want to run node on port 80, you can use nginx (doesn't work with WebSockets yet) or haproxy. But perhaps the quickest and dirtiest is to use iptables to redirect port 80 to the port of your choice:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8003
sudo iptables -t nat -L
When you’re happy, then save the config and make sure iptables comes on at boot
sudo service iptables save
sudo chkconfig iptables on
To automatically start your nodejs service as non-root, and restart it if it fails, you can utilize upstart with a script like this:
#!upstart
description "nodeapp"
author "you"
start on started mountall
stop on shutdown
# Automatically Respawn:
respawn
respawn limit 99 5
script
export HOME="/home/user/"
exec sudo -u user /usr/local/bin/node /home/user/app.js 2>&1 >> /home/user/app.log
end script
If you're on an Amazon EC2 installation, or you get an error that says sudo: sorry, you must have a tty to run sudo, then you can replace your exec command with this:
#!upstart
description "nodeapp"
author "you"
start on started mountall
stop on shutdown
# Automatically Respawn:
respawn
respawn limit 99 5
script
export HOME="/home/user/"
#amazon EC2 doesn’t allow sudo from script! so use su --session-command
exec su --session-command="/usr/local/bin/node /home/user/app.js 2>&1 >> /home/user/app.log" user &
end script
And, you didn't ask this question, but to keep it running forever, check out monit! Here is a useful guide to setting up node.js with upstart and monit.