GCP cloud router not responding to ARP requests from BGP neighbor - arp

I am trying to create a BGP session between my router appliance and GCP cloud router (both are connected on the same subnet as usual). Once I configure the BGP neighborship on both ends, I see the Cloud router's connection TCP SYN request coming into my router appliance. But since my router appliance doesn't have an ARP entry for the cloud router IP, it tries to resolve the MAC address through an ARP request. But I don't see the response coming from the Cloud router.
Is there any specific settings to be done in Cloud router configuration?
Packet trace: (192.168.100.10 is my router appliance and 100.2 and 100.3 are cloud router IPs)
05:18:02.062141 42:01:c0:a8:64:01 > 42:01:c0:a8:64:0a, ethertype IPv4 (0x0800), length 74: 192.168.100.2.42421 > 192.168.100.10.179: Flags [S], seq 2626298341, win 65535, options [mss 1350,sackOK,TS val 1980420628 ecr 0,nop,wscale 8], length 0
05:18:02.072313 42:01:c0:a8:64:01 > 42:01:c0:a8:64:0a, ethertype IPv4 (0x0800), length 74: 192.168.100.3.32877 > 192.168.100.10.179: Flags [S], seq 1024207481, win 65535, options [mss 1350,sackOK,TS val 2059405060 ecr 0,nop,wscale 8], length 0
05:18:02.209120 42:01:c0:a8:64:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.3 tell 192.168.100.10, length 28
05:18:02.209120 42:01:c0:a8:64:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.2 tell 192.168.100.10, length 28

Related

Trying Wireguard + Suricata + Nftables IPS project, some problems

I'm working on a project aimed at building a public VPN that passes through a Suricata IPS filter. I'm using WireGuard VPN and Suricata in IPS mode with nftables.
I managed to block IPS testing traffic from the host (the server) to and from the internet; the VPN is also working, routing all traffic from clients to the internet through the server.
But the problem is that this traffic is not detected by the Suricata engine. I cannot find the appropriate nftables rule for this.
I have this nftables.conf file (some ingress filtering rules that I also have for bad traffic are not shown in this sample, to save space):
table inet firewall {
# Sets are dictionaries and maps of ports, addresses etc.
# These can then easily be used in the rules.
# Sets can be named whatever you like.
# TCP ports to allow, here we add ssh, http and https.
set tcp_accepted {
# The "inet_service" are for tcp/udp ports and "flags interval" allows to set intervals, see the mosh ports below.
type inet_service; flags interval;
elements = {
22, 8080
}
}
# UDP ports to allow, here we add ports for WireGuard and mosh.
set udp_accepted {
type inet_service; flags interval;
elements = {
19869
}
}
# The first chain, can be named anything you like.
chain incoming {
# This line set what traffic the chain will handle, the priority and default policy.
# The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
# Use a semicolon to separate multiple commands on one row.
type filter hook input priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Drop none SYN packets.
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop
# OBS! Rules with "limit" need to be put before rules accepting "established" connections.
# Allow all incoming established and related traffic.
ct state established,related accept
# Allow loopback.
# Interfaces can by set with "iif" or "iifname" (oif/oifname). If the interface can come and go use "iifname", otherwise use "iif" since it performs better.
iif lo accept
# Allow certain inbound ICMP types (ping, traceroute).
# With these allowed you are a good network citizen.
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# Allow needed tcp and udp ports.
iifname $wan tcp dport @tcp_accepted ct state new accept
iifname $wan udp dport @udp_accepted ct state new accept
# Allow WireGuard clients to access DNS and services.
iifname $vpn udp dport 53 ct state new accept
iifname $vpn tcp dport @tcp_accepted ct state new accept
iifname $vpn udp dport @udp_accepted ct state new accept
# Allow VPN clients to communicate with each other. (disabled)
# iifname $vpn oifname $vpn ct state new accept
}
chain forwarding {
type filter hook forward priority 0; policy drop;
# Drop invalid packets.
ct state invalid drop
# Forward all established and related traffic.
ct state established,related accept
# Forward WireGuard traffic.
# Allow WireGuard traffic to access the internet via wan.
iifname $vpn oifname $wan ct state new accept
}
chain outgoing {
type filter hook output priority 0; policy drop;
# I believe settings "policy accept" would be the same but I prefer explicit rules.
# Drop invalid packets.
ct state invalid drop
# Allow all other outgoing traffic.
# For some reason ipv6 ICMP needs to be explicitly allowed here.
ip6 nexthdr ipv6-icmp accept
ct state new,established,related accept
}
chain IPS_input {
type filter hook input priority 10; policy drop;
counter queue num 0 bypass
counter drop
}
chain IPS_output {
type filter hook output priority 10; policy drop;
counter queue num 1 bypass
counter drop
}
}
# Separate table for hook pre- and postrouting.
# If using kernel 5.2 or later you can replace "ip" with "inet" to also filter IPv6 traffic.
table inet router {
# With kernel 4.17 or earlier both need to be set even when one is empty.
chain prerouting {
type nat hook prerouting priority -100;
}
chain postrouting {
type nat hook postrouting priority 100;
# Masquerade WireGuard traffic.
# All WireGuard traffic will look like it comes from the servers IP address.
oifname $wan ip saddr $vpn_net masquerade
}
}
Suricata is launched with this (queued):
suricata -D -c /etc/suricata/suricata.yaml -q 0 -q 1
Any idea?
thanks for your time!

ESP-32 can't connect to MQTT broker: mqtt_client: Error network response

I am trying to connect my ESP32 which runs using the ESP-IDF framework to MQTT. I have imported this MQTT library successfully and have set up the configuration to look like this:
static void mqtt_app_start(void)
{
    const esp_mqtt_client_config_t mqtt_cfg = {
        // .host = "m15.cloudmqtt.com",
        .uri = "mqtt://rxarkckf:smNb81Ppfe7T@m15.cloudmqtt.com:10793", // uri in the format (username:password@domain:port)
        // .host = "m15.cloudmqtt.com", // config with host, port, user, password separated
        // .port = 10793,
        // .username = "rxarkckf",
        // .password = "smNb81Ppfe7T",
        .event_handle = mqtt_event_handler,
        // .user_context = (void *)your_context
    };
    esp_mqtt_client_handle_t client = esp_mqtt_client_init(&mqtt_cfg);
    esp_mqtt_client_start(client);
}
I call mqtt_app_start(); in my app_main function. After uploading the code my ESP-32 doesn't connect to the MQTT broker and outputs this:
I (12633410) MQTT_CLIENT: Sending MQTT CONNECT message, type: 1, id: 0000
E (12633710) MQTT_CLIENT: Error network response
I (12633710) MQTT_CLIENT: Error MQTT Connected
I (12633710) MQTT_CLIENT: Reconnect after 10000 ms
I (12633710) MQTT_SAMPLE: MQTT_EVENT_DISCONNECTED
I have double checked that the values for the host, username, password, and port are all correct. When I look at the logs on the web interface hosted at cloudmqtt.com, I can see this output:
2018-11-17 03:50:53: New connection from 73.94.66.49 on port 10793.
2018-11-17 03:50:53: Invalid protocol "MQIs�" in CONNECT from 73.94.66.49.
2018-11-17 03:50:53: Socket error on client <unknown>, disconnecting.
2018-11-17 03:51:20: New connection from 73.94.66.49 on port 10793.
I had a similar experience using mosquitto.
Adding this line to mqtt_config.h made my MQTT work.
#define CONFIG_MQTT_PROTOCOL_311
I think the more correct way to set this configuration is in sdkconfig.h, either manually or using "make menuconfig".
The problem is very simple. The library you are using implements the MQTT 3.1 protocol. The server you are trying to connect to implements the MQTT 3.1.1 protocol or higher.
As specified in the document (https://www.oasis-open.org/committees/download.php/55095/mqtt-diffs-v1.0-wd01.doc):
4.1 Protocol Name
The Protocol Name is present in the variable header of a MQTT CONNECT control packet. The Protocol Name is a UTF-8 encoded
string. In MQTT 3.1 the protocol name is "MQISDP". In MQTT 3.1.1 the
protocol name is represented as "MQTT".
For technical info:
https://mqtt.org/mqtt-specification/
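The protocol-name mismatch described in the answer above can be checked directly on the bytes of a CONNECT packet. This is an added example, not code from the original post or from the MQTT library it uses; the function names and both sample packets are constructed for illustration, and it assumes the MQTT 3.1 name appears on the wire as the mixed-case string "MQIsdp" with version byte 3, whose first four bytes match the "MQIs" in the broker log.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mqtt_proto { MQTT_MALFORMED = -1, MQTT_UNKNOWN = 0, MQTT_3_1 = 3, MQTT_3_1_1 = 4 };

/* Decode the 1-4 byte "remaining length" field; returns bytes consumed, 0 on error. */
static size_t decode_remaining_length(const uint8_t *p, size_t n, uint32_t *out)
{
    uint32_t value = 0;
    for (size_t i = 0; i < n && i < 4; i++) {
        value |= (uint32_t)(p[i] & 0x7F) << (7 * i);
        if ((p[i] & 0x80) == 0) { *out = value; return i + 1; }
    }
    return 0;
}

/* Classify a CONNECT packet by the protocol name and level in its variable header. */
enum mqtt_proto mqtt_connect_protocol(const uint8_t *pkt, size_t len)
{
    uint32_t remaining = 0;
    if (len < 2 || (pkt[0] >> 4) != 1)            /* control packet type 1 = CONNECT */
        return MQTT_MALFORMED;
    size_t used = decode_remaining_length(pkt + 1, len - 1, &remaining);
    if (used == 0 || remaining < 2 || remaining > len - 1 - used)
        return MQTT_MALFORMED;
    const uint8_t *vh = pkt + 1 + used;           /* start of variable header */
    size_t name_len = ((size_t)vh[0] << 8) | vh[1];
    if (name_len + 3 > remaining)                 /* length prefix + name + level byte */
        return MQTT_MALFORMED;
    const uint8_t *name = vh + 2;
    uint8_t level = name[name_len];
    if (name_len == 6 && memcmp(name, "MQIsdp", 6) == 0 && level == 3)
        return MQTT_3_1;
    if (name_len == 4 && memcmp(name, "MQTT", 4) == 0 && level == 4)
        return MQTT_3_1_1;
    return MQTT_UNKNOWN;
}

/* Constructed sample packets: client id "esp32", clean session, keep-alive 60 s. */
static const uint8_t CONNECT_V31[] = { 0x10, 0x13, 0x00, 0x06, 'M','Q','I','s','d','p',
    0x03, 0x02, 0x00, 0x3C, 0x00, 0x05, 'e','s','p','3','2' };
static const uint8_t CONNECT_V311[] = { 0x10, 0x11, 0x00, 0x04, 'M','Q','T','T',
    0x04, 0x02, 0x00, 0x3C, 0x00, 0x05, 'e','s','p','3','2' };

int main(void)
{
    printf("3.1 client   -> %d\n", mqtt_connect_protocol(CONNECT_V31, sizeof CONNECT_V31));
    printf("3.1.1 client -> %d\n", mqtt_connect_protocol(CONNECT_V311, sizeof CONNECT_V311));
    return 0;
}
```

Running the same classifier over a captured CONNECT from the device shows which protocol the client library was built for before the broker configuration is touched.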

Get public Ip Address of Google App engine Project

I hosted my project at www.example.appspot.com and I want to register for a service that requires my public IP address. How do I get the IP address of my App Engine project? Thanks.
You can use any DNS lookup tool to get the address of the host.
For example on linux you'd get something along these lines:
$ nslookup www.example.appspot.com
...
Non-authoritative answer:
www.example.appspot.com canonical name = appspot.l.google.com.
Name: appspot.l.google.com
Address: 216.58.219.241
$ host www.example.appspot.com
www.example.appspot.com is an alias for appspot.l.google.com.
appspot.l.google.com has address 216.58.219.241
appspot.l.google.com has IPv6 address 2607:f8b0:4006:80e::2011
appspot.l.google.com mail is handled by 10 alt1.gmr-smtp-in.l.google.com.
appspot.l.google.com mail is handled by 40 alt4.gmr-smtp-in.l.google.com.
appspot.l.google.com mail is handled by 5 gmr-smtp-in.l.google.com.
appspot.l.google.com mail is handled by 30 alt3.gmr-smtp-in.l.google.com.
appspot.l.google.com mail is handled by 20 alt2.gmr-smtp-in.l.google.com.
Google AppEngine doesn't have a single IP. It runs on Google's network on very large number of machines over different regions and therefore it has many IP addresses (or ranges).
Here is how you can find these ranges:
Run dig -t txt _cloud-netblocks.googleusercontent.com
Partial list of CIDR blocks is:
A more updated (April 2018) answer based on what I went through today to launch pixler.io is as follows:
In Google Cloud Platform go to your App Engine and click on "settings", from there you will have to go to "Custom Domains" and add your domain.
You will be asked to verify your domain by adding a TEXT record. After you do that, you will see the IP addresses populated in the "Data" column; you can copy that into your A record.

SSL Cipher help in C

I am trying to use SSL on top of TCP/IP to send an HTTPS request to a site using C. I have no access to curl or other standard libraries. Pretend like I can't load any libraries at all.
I need to set an SSL Profile Cipher. When I successfully use curl on my linux box to talk with the server I see: SSL Connection using ECDHE-RSA-AES128-SHA
If my options for setting the cipher are:
SSL_kRSA (RSA Key Exchange)
SSL_kEDH (tmp DH key no DH cert)
SSL_aRSA (Authenticate with RSA)
SSL_aDSS (Authenticate with DSS)
SSL_DES (DES)
SSL_3DES (3DES)
SSL_RC4 (RC4)
SSL_RC2 (RC2)
SSL_AES (AES)
SSL_MD5 (MD5)
SSL_SHA1 (SHA1)
SSL_SHA256 (SHA256)
SSL_SHA384 (SHA384)
SSL_RSA ([SSL_kRSA|SSL_aRSA] RSA)
SSL_DSS ([SSL_aDSS] Authenticate with DSS)
I can set multiple things by something like:
SSL_RSA | SSL_AES
Protocol is TLSv1.2
What should my cipher look like?
"Pretend like I can't load any libraries at all." If that is true, you will need to implement the cipher itself plus the SSL handling layer ^_^.
Assuming you are using OpenSSL and have TCP established with socket_fd, you need to create an SSL_CTX with SSL_CTX_new(SSLv23_client_method()). Normally, to set the cipher list, you use SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:@STRENGTH"); see http://openssl.org/docs/apps/ciphers.html for all available options. You may specify a particular cipher.
Then create an SSL session with SSL_new(ctx) and SSL_set_fd(ssl, socket_fd); after that use SSL_connect(...), SSL_read(...)/SSL_write(...) to communicate with the server.
After everything is done, call SSL_shutdown(...), SSL_free(...) and SSL_CTX_free(...).

Menu file is not played when user presses "*", Asterisk-11.5.1 Confbridge

Dialout user picked up/answered the call and merged into Confbridge, but admin is getting a ringtone (Asterisk-11.5.1 Confbridge)?
Expected: the admin user (A, 7002) of the current conference dials out and invites user (B, 7001) to join the conference. B picked up the call and joined the Confbridge.
A and B should communicate with each other and press "*" to listen to the conf menu file.
Original: B can listen to the menu by pressing "*";
A cannot talk to B.
A presses *, but the menu file is not played.
A only gets the "ringing tone".
Why? Any help?
Conference Bridge Name Users Marked Locked?
================================ ====== ====== ========
1010101 2 1 unlocked
*CLI> confbridge list 1010101
Channel User Profile Bridge Profile Menu CallerID
============================= ================ ================ ================ ================
SIP/7002-00000009 default_bridge conf-admin-sub-dialout7002
SIP/7001-0000000a default_user default_bridge conf-admin-sub-dialout7001
*CLI> sip show channels
Peer User/ANR Call ID Format Hold Last Message Expiry Peer
XXX.YYY.ZZZ.XXX 7001 1deffeb72b0f045 (ulaw) No Tx: ACK 7001
XXX.YYY.ZZZ.XXX 7002 fd2d41c9-e39354 (ulaw) No Tx: ACK 7002
==========================================================================
*CLI> sip show channel 65a218b00e4e389
* SIP Call
Curr. trans. direction: Outgoing
Call-ID: 65a218b00e4e389f56c1327c684e8513@XYZ.XYZ.XYZ.XYZ:5060
Owner channel ID: SIP/7001-0000000c
Our Codec Capability: (ulaw|alaw)
Non-Codec Capability (DTMF): 1
Their Codec Capability: (ulaw)
Joint Codec Capability: (ulaw)
Format: (ulaw)
T.38 support No
Video support No
MaxCallBR: 384 kbps
Theoretical Address: XXX.YYY.ZZZ.XXX:5060
Received Address: XXX.YYY.ZZZ.XXX:5060
SIP Transfer mode: open
Force rport: Yes
Audio IP: XYZ.XYZ.XYZ.XYZ (local)
Our Tag: as420f4f04
Their Tag: 864d22e793aa05b8i0
SIP User agent:
Username: 7001
Peername: 7001
Original uri: sip:7001@XXX.YYY.ZZZ.XXX:5060
Caller-ID: 91xxxxxxxxxxxx
Need Destroy: No
Last Message: Tx: ACK
Promiscuous Redir: No
Route: <sip:7001@XXX.YYY.ZZZ.XXX:5060>
DTMF Mode: rfc2833
SIP Options: (none)
Session-Timer: Inactive
===========================================================================
*CLI> sip show channel fd2d41c9-e39354
* SIP Call
Curr. trans. direction: Outgoing
Call-ID: fd2d41c9-e3935429@XXX.YYY.ZZZ.XXX
Owner channel ID: SIP/7002-00000009
Our Codec Capability: (ulaw|alaw)
Non-Codec Capability (DTMF): 1
Their Codec Capability: (ulaw)
Joint Codec Capability: (ulaw)
Format: (ulaw)
T.38 support No
Video support No
MaxCallBR: 384 kbps
Theoretical Address: XXX.YYY.ZZZ.XXX:5061
Received Address: XXX.YYY.ZZZ.XXX:5061
SIP Transfer mode: open
Force rport: Yes
Audio IP: XYZ.XYZ.XYZ.XYZ (local)
Our Tag: as165d44ab
Their Tag: 316d654987e586a9o1
SIP User agent: Linksys/PAP2T-3.1.15(LS)
Username: 7002
Peername: 7002
Original uri: sip:7002@XXX.YYY.ZZZ.XXX:5061
Caller-ID: 7002
Need Destroy: No
Last Message: Tx: ACK
Promiscuous Redir: No
Route: <sip:7002@XXX.YYY.ZZZ.XXX:5061>
DTMF Mode: rfc2833
SIP Options:
Session-Timer: Inactive
============================================================
*CLI> sip show channelstats
Peer Call ID Duration Recv: Pack Lost ( %) Jitter Send: Pack Lost ( %) Jitter
XXX.YYY.ZZZ.XXX 5e81a94e-44 00:03:51 0000010612 0000000000 ( 0.00%) 0.0000 0000009484 0000000000 ( 0.00%) 0.0006
XXX.YYY.ZZZ.XXX 65a218b00e4 00:02:17 0000006816 0000000000 ( 0.00%) 0.0000 0000006632 0000000000 ( 0.00%) 0.0006
======================================================
CLI> sip show channels
Peer User/ANR Call ID Format Hold Last Message Expiry Peer
XXX.YYY.ZZZ.XXX 7002 5e81a94e-449935 (ulaw) No Tx: ACK 7002
XXX.YYY.ZZZ.XXX 7001 65a218b00e4e389 (ulaw) No Tx: ACK 7001
========================================================
I have solved it by using AMI and the Originate app. Now it works as expected.
