multiple port-forwarding, client-linux box-server - linux

I've installed the soap-ui software on my laptop [A] [ip: 172.30.X.X] and I'm trying to connect to a web service provided on a server [C] [ip: 10.10.X.X]. The problem is that I don't have direct access/permission to connect to that server. However, there is a Linux box in the network [B] [ip: 172.43.X.X] which has access to that server and is also accessible from my laptop.
So, actually I'm looking for a way to redirect my SOAP request to the server [C] by using the Linux box [B]:
A -> B -> C
My first try was to set up iptables on [B], but with no luck:
iptables -t nat -A PREROUTING -p tcp -d 172.43.X.X --dport 9003 -j DNAT --to 10.10.X.X:8088

The easiest way I know is to use SSH Port Forwarding, per the linked manual page -
Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell.
...
For example, if you issue the command
ssh2 -L 1234:localhost:23 username@host
all traffic coming to port 1234 on the client will be forwarded to port 23 on the server (host). Note that localhost will be resolved by the sshd server after the connection is established. In this case localhost therefore refers to the server (host) itself.
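The same A -> B -> C hop in working code, as an added example that is not part of the question or the answer above and not taken from the SSH manual: instead of ssh -L it runs a small userland TCP relay in the role of B (the kind of thing socat does), with a loopback echo server standing in for C so it runs offline. All addresses, the payload and the echo server are constructed for the demo. It goes one step beyond the answer by making visible what an ssh tunnel or socat relay does to the source address: C sees B's outgoing socket as its peer, never A.

```python
import socket
import threading

BUFSIZE = 4096


def pipe(src, dst):
    # Copy bytes from src to dst until src hits EOF, then half-close dst so the far
    # end sees EOF too (the same half-close an ssh -L tunnel propagates).
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_connection(client, target):
    # One accepted A -> B connection: open the B -> C leg and splice both directions.
    # C's peer is B's outgoing socket, not A: the limitation of any userland relay.
    upstream = socket.create_connection(target, timeout=5)
    a_to_c = threading.Thread(target=pipe, args=(client, upstream), daemon=True)
    a_to_c.start()
    pipe(upstream, client)
    a_to_c.join()
    upstream.close()
    client.close()


def start_relay(listen_addr, target):
    # Role of B: listen on listen_addr and forward every connection to target (C).
    # Returns the listening socket; its getsockname() tells A where to connect.
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen_addr)
    ls.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:  # listener closed: shut down
                return
            threading.Thread(target=relay_connection, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ls


def start_echo_server(seen_peers):
    # Stand-in for C (constructed for the demo): accept one connection, record the
    # peer address it sees, echo whatever arrives, then exit.
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)
    ls.settimeout(5)
    addr = ls.getsockname()

    def serve_one():
        try:
            conn, peer = ls.accept()
        finally:
            ls.close()
        seen_peers.append(peer)
        with conn:
            pipe(conn, conn)

    t = threading.Thread(target=serve_one, daemon=True)
    t.start()
    return addr, t


def demo(payload=b"<soap:Envelope/>"):
    # Drive one request A -> B -> C over loopback. Returns (bytes echoed back to A,
    # A's own address, the peer address C observed).
    seen = []
    c_addr, c_thread = start_echo_server(seen)
    b_listener = start_relay(("127.0.0.1", 0), c_addr)
    chunks = []
    try:
        with socket.create_connection(b_listener.getsockname(), timeout=5) as a:
            a_addr = a.getsockname()
            a.sendall(payload)
            a.shutdown(socket.SHUT_WR)
            while True:
                data = a.recv(BUFSIZE)
                if not data:
                    break
                chunks.append(data)
        c_thread.join(5)
    finally:
        b_listener.close()
    return b"".join(chunks), a_addr, seen[0]


if __name__ == "__main__":
    echoed, a_addr, c_peer = demo()
    print("A sent from", a_addr, "and got back", echoed)
    print("C saw its peer as", c_peer, "(B's socket, not A's)")
```

Running it prints the payload coming back through both hops and shows that C logged B's address and port as the client. For the real setup the relay would listen on B's 172.43.X.X address and target 10.10.X.X:8088, which is exactly what ssh -L 9003:10.10.X.X:8088 user@172.43.X.X gives you without running any extra software on B.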

Related

How can I set SSH connection to my server via just OPENVPN

I want to connect to my server via limited IP addresses. I thought that maybe I can connect to my server via OpenVPN, which is installed on my server. I have modified the hosts.allow and hosts.deny files in /etc.
/etc/hosts.allow file :
sshd : x.x.x.x (server ip )
/etc/hosts.deny file :
sshd : ALL
But I can't connect to my server via OpenVPN at the moment. OpenVPN has a different IP address, like 10.8.0.x.
How can I set up an SSH connection to my server via OpenVPN?
You can use the ListenAddress directive in /etc/ssh/sshd_config to force SSHD to only listen on a specific IP address, namely the OpenVPN private address of your server, e.g.:
ListenAddress 10.8.0.1
This prevents sshd from listening on any other interfaces, including the public ones (by default sshd listens on all the available interfaces). Just make sure you restart sshd after updating the configuration.
After that to connect to SSH you will need to first establish the OpenVPN connection and then ssh into 10.8.0.1.
I suggest using iptables to limit IP addresses:
iptables -A INPUT -s x.x.x.x -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Listening to EVERY port on a machine

For testing purposes I want to build a server that listens for TCP connections to every port (or at least on most of the ports) on a certain interface (e.g., eth0). The server is accessed via SSH to eth1, so no problem there. (I do not care about UDP or other protocols)
I want to do a special kind of middlebox detection/analysis, therefore I need to be able to fully establish a connection. Having an HTTP connection would be the best, because the "client" could be implemented as JS in the Browser.
I started with a simple jetty server, but had to realize that jetty needs to spawn at least one thread per port it is listening on. This leads to problems when I want to listen on several thousand ports. Or is there a way around that?
My next try was to use iptables:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -j DNAT --to-destination 127.0.0.1:8080
It seemed to work. It allows connecting on every port and the traffic gets routed to the local port 8080 where jetty listens. But now I no longer know which port was used by the client, because jetty thinks the connection was established via port 8080. Is there a way to determine the real incoming port from jetty? I could send the port as part of the HTTP request, but if the client tries to contact port 1234 .. and a middlebox redirects this to port 5678 .. I am unable to know what port was used.
I also tried userland solutions like socat. The problem was even worse than before. Because now jetty also saw the remote IP as being 127.0.0.1.
Or, is there another way to achieve this?
Oh and btw: I have full control of the machine. So I could change the kernel or whatever is needed. Right now I use Ubuntu 14.04 LTS, but if a solution needs something else I could go with that.
NB: This is a Python solution, because I know Python, but you can accomplish the same thing in any language that exposes the underlying C library getsockopt call.
If you replace your DNAT rule with a REDIRECT rule, you can then
use getsockopt with the SO_ORIGINAL_DST option to retrieve the
original address of a REDIRECT-ed connection.
Consider the following code:
#!/usr/bin/python
import socket
import struct

SO_ORIGINAL_DST = 80  # from linux/netfilter_ipv4.h; the socket module does not export it

s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('0.0.0.0', 2000))
s.listen(10)
while True:
    csock, caddr = s.accept()
    # the kernel returns the pre-REDIRECT destination as a 16-byte struct sockaddr_in:
    # 2 bytes family, 2 bytes port (network order), 4 bytes address, 8 bytes padding
    orig_dst = csock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    orig_port = struct.unpack('>H', orig_dst[2:4])  # a 1-tuple, hence the (1500,) in the output below
    orig_addr = socket.inet_ntoa(orig_dst[4:8])
    print('connection from', caddr)
    print('connection to', (orig_addr, orig_port))
    print()
If I have an iptables rule that looks like:
# iptables -t nat -A PREROUTING -p tcp --dport 1500:1600 \
-j REDIRECT --to-port 2000
And while the above Python code is running I connect from another
host to my_ip_address:1500, I see:
connection from ('192.168.1.20', 35790)
connection to ('192.168.1.75', (1500,))
And if I connect to port 1550 I see:
connection from ('192.168.1.20', 42054)
connection to ('192.168.1.75', (1550,))
Which I think is exactly what you were asking for. Note that to my knowledge this will only work for TCP connections; there are other solutions (possibly involving the TPROXY iptables target) that may work with UDP connections as well.
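An added example, not part of the answer above: it separates the sockaddr_in parsing from the accept loop so the parsing can be checked offline, unpacks the port as a plain integer rather than the 1-tuple shown in the output above, and adds the check a practitioner wants before trusting SO_ORIGINAL_DST. The option only succeeds when conntrack has an entry for the flow; when conntrack is not loaded or the connection was never NATed, getsockopt raises an error, and the fallback to getsockname() is then the correct answer because nothing rewrote the destination. The function and variable names, the sample address 192.168.1.75:1500 and the serve() helper are my own choices for this illustration.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # linux/netfilter_ipv4.h; not exported by the socket module


def pack_sockaddr_in(addr, port):
    # Build the 16-byte struct sockaddr_in the kernel hands back for SO_ORIGINAL_DST:
    # sin_family (host order), sin_port (network order), sin_addr, 8 bytes of padding.
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(addr)
            + bytes(8))


def parse_sockaddr_in(buf):
    # Inverse of pack_sockaddr_in; rejects anything that is not a well-formed AF_INET address.
    if len(buf) != 16:
        raise ValueError("expected a 16-byte sockaddr_in, got %d bytes" % len(buf))
    (family,) = struct.unpack("=H", buf[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family=%d)" % family)
    (port,) = struct.unpack("!H", buf[2:4])  # index the tuple: a plain int, not (1500,)
    return socket.inet_ntoa(buf[4:8]), port


def original_destination(conn):
    # Return ((addr, port) the client really connected to, True if NAT rewrote it).
    # SO_ORIGINAL_DST fails (OSError) without a conntrack entry for the flow, e.g. when
    # the conntrack module is not loaded or no REDIRECT/DNAT was involved; in that case
    # getsockname() is the true destination, so fall back to it.
    local = conn.getsockname()[:2]
    try:
        buf = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return local, False
    orig = parse_sockaddr_in(buf)
    return orig, orig != local


def serve(listen_port=2000):
    # Accept loop mirroring the answer above, logging the pre-REDIRECT port per connection.
    # Needs the REDIRECT rule from the answer in place to show anything other than the
    # listening port itself.
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("0.0.0.0", listen_port))
    ls.listen(10)
    while True:
        csock, caddr = ls.accept()
        with csock:
            (addr, port), redirected = original_destination(csock)
            print("%s:%d -> %s:%d%s" % (caddr[0], caddr[1], addr, port,
                                        " (REDIRECTed)" if redirected else ""))


if __name__ == "__main__":
    # Offline self-check of the parser with a constructed buffer, then the live loop.
    sample = pack_sockaddr_in("192.168.1.75", 1500)
    print("parsed back:", parse_sockaddr_in(sample))
    serve()
```

The redirected flag is what the original question was after: with a DNAT rule to 127.0.0.1:8080 the accepted socket's own address is 127.0.0.1:8080, while SO_ORIGINAL_DST still reports the interface address and the port the client actually used. It stays TCP-only, as the answer says.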

Redirect outgoing connection to localhost

Is it possible to redirect outgoing connection back to localhost using iptables?
For example, if php script requests someonlinesite.com/bla.php then it would redirect to 127.0.0.1/bla.php
OS: Debian 7
The question does not really make much sense the way it currently is asked.
Most likely you are trying to redirect an HTTP request? Then you should take a closer look at your system's name resolution, since that is the step that translates the host name someonlinesite.com to an IP address. So that is where you want to manipulate.
You might also want to consider using a proxy as an alternative. But a pure iptables based solution is questionable, since in typical setups the local http server will not react to incoming requests to a remote ip address...
Try with:
iptables -t nat -A OUTPUT -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80
Thank you for the replies, I managed to do it with the hosts file.
/etc/hosts
127.0.0.1 domain.com
Now it always redirects to localhost when the script tries to reach domain.com.

Cannot connect to google compute engine virtual machine by vnc

I have created a debian wheezy virtual machine in google compute engine but I am unable to connect to it with vnc.
Here is what I have done
Installed gnome and then rebooted the VM
Installed tightvncserver and started it
I have tried to connect using the static IP that I've attached to the VM but I'm getting the error: "the connection was refused by the host computer".
I thought it was the firewall that was the issue so I disabled iptables using the following commands
$ sudo iptables-save > /root/firewall.rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
and I have created rules in google firewall to allow ports 0-65535 for tcp and udp but it still does not work.
Anyone knows how to do it?
Thanks in advance
By default, all incoming traffic from outside a network is blocked and no packet is allowed into an instance without an appropriate firewall rule. To allow incoming network traffic, you need to set up firewall rules to permit these connections:
Start the VNC service.
Look at the VNC server settings or netstat -nap to find out the listening port of the VNC server.
Under Google Developer console -> Compute Engine -> Networks -> default -> Firewall rules
create a new rule and open the appropriate ports for incoming VNC connections.
VNC uses port 5901 by default. In the 'VNC server' field, specify the IP address and the port 5901.
Example: VNC Server: 123.123.123.123:5901
Encryption: let VNC Server choose
Be aware that the free edition of VNC doesn't support encryption; it only encrypts your user name and password. One thing also to configure is the /etc/sysconfig/vncservers file, where you have to specify the user and the port that the VNC server should listen on, and make sure it's not commented out.
Example:
VNCSERVERS="1:USERNAME"
VNCSERVERARGS[1]="-geometry 800x600 -listen tcp -5901"

Redirect the webservice call to http://[remote server ip]:7777 to http://[local machine ip]:8888

I have a web service running on a remote machine, available to me through SSH tunneling. Therefore I am able to access the web service through http://[local machine ip]:8888. But the problem here is, my source code is trying to access the web service through the public IP (http://[remote server ip]:7777). So I need all traffic originating from my local machine to the remote machine to be redirected to http://[local machine ip]:8888.
For example, http://[remote server ip]:7777 redirected to http://[local machine ip]:8888
Please note: the ports are different and my OS is Ubuntu 12.04.
Try a rule like this:
iptables -t nat -A OUTPUT -p tcp -d [remote server ip] --dport 7777 \
-j DNAT --to-destination [local machine ip]:8888
