I need to run wireguard only for a single program, and have the rest of my system not use it. Is this possible or doable? I'm currently using wg-quick
Yes you can, using network namespaces.
First let's create the wireguard namespace:
ip netns add wireguard
Then, we create a wireguard interface in your standard namespace
ip link add wg0 type wireguard
(You can configure the interface here)
We move it to the wireguard namespace
ip link set wg0 netns wireguard
And now, you can run a process in the wireguard namespace using
sudo -E ip netns exec wireguard sudo -E -u \#$(id -u) -g \#$(id -g) YOUR_PROCESS_CMD
You should read this for more information: https://www.wireguard.com/netns
Related
I have read the documentation and I know that:
To enable a real can you do
$ sudo ip link set can0 type can bitrate 125000
$ sudo ip link set up can0
and to enable a vcan you do
$ modprobe vcan
$ sudo ip link add dev vcan0 type vcan
$ sudo ip link set up vcan0
In my case, I even disable vcan before enabling can as in
$ sudo ip link set dev vacn0 down
$ sudo ip link set can0 type can bitrate 125000
$ sudo ip link set up can0
My question is how about the opposite? (Going from can to vcan)?
If my can is up , should I disable it before enabling vcan? and how?
and also enabling vcan uses add not set... why?
There is no connection between real CAN network devices and virtual CAN devices, other than they share the same socket interface.
What you've shown here is how you make either kind of CAN device (real or virtual) active and set it up.
How you'd switch between one and the other in your application should be as simple as using one or the other name for the network device.
You can have real CAN and virtual CAN devices available and up at the same time with no concerns.
As for why you need to add your vcan0 device but not to add your real can0 device, the operating system usually detects your CAN hardware and creates the device automatically.
One exception to this is if you're using a CAN-to-serial adapter with slcand, where you would need to run slcand first (and it will create devices named like slcan0):
$ sudo slcand -o -s8 -t hw -S 3000000 /dev/ttyUSB0
$ sudo ip link set up slcan0
I am using the latest Docker version (17 CE) on a Mac OSX and I have spun up an instance of SQL Server using the following tutorial: https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-setup-docker
The server was set up successfully and I managed to connect to it from outside the container via an SQL command line utility.
The next step is that I want to be able to connect to this instance from another PC within the same local network by assigning a public IP to the instance.
I have looked through a number of tutorials and it seems that with docker 10 this functionality is now possible, so I am looking to do it the 'right' way rather than the hacky way (pre-docker 10). I have looked through a number of tutorials namely How to assign static public IP to docker container and Assign static IP to Docker container.
I was testing using the ubuntu image to stay true to the example, but it still didn't work. Although the image ran, whenever I tried to ping the assigned IP from the same computer docker is installed on, I was not receiving a request timeout. Also on Kitematic the only host under IP AND PORTS is localhost. The image is being assigned to the custom network (docker network prune while instance is running does not prune my custom network) but I can't seem to discover my instance from the outside.
Commands I am using are
$ docker network create --subnet=172.18.0.0/16 mynet123
$ docker run --net mynet123 --ip 172.18.0.22 -it ubuntu bash
$ ping 172.18.0.22
and for my sql server
$ docker network create --driver=bridge --subnet=192.168.0.0/24 --gateway=192.168.0.1 mynet
$ docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=MyPassword123<>' -p 1433:1433 --ip=192.168.0.10 --net=mynet microsoft/mssql-server-linux
$ ping 192.168.0.10
What am I missing?
Any help would be appreciated.
I have a linux box with web serverthe has 2 running services:
web proxy (listens ports 80, 443)
apache (listens port 8080)
The users for proxy can register through web interface. I must give access to proxy only to the registered clients with certain IPs. Proxy is a handwritten script, and I have to use iptables to block the access. I wrote the following rules:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP 1> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP 2> -j ACCEPT
...
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP n> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
It works. But when a new user is added through web interface, Apache launches a script as a non-root user. And I have to run iptables as root.
I can't set suid bit for a program, written in a scripting language, so I created a C program updater.c:
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char* argv[])
{
int result = system("iptables -L");
printf("\nresult=%i", result);
return 0;
}
Then I compiled it:
# gcc -o updater ./updater.c
# chmod +s ./updater
When I run it as a non-priviledged user in shell it works correctly: prints all the iptables rules.
When I run it from the web, calling the program inside a shell script, it doesn't print anything. Despite the fact, that when I tried to create a file inside this C program, it was created with owner=root. system("ls -l"); also works - it prints the directory listing.
How can I manipulate iptables rules from the web script?
When you call system("iptables -L"); you may or may not be able to find iptables, depending on your PATH environment variable. You should prepend the path to where the binary is so that you know it will be found:
int result = system("/sbin/iptables -L");
The first thing i did in my odoo was created two databases, later i want to remove the port ip:8069 from the url so i do:
Go to terminal open rc.local file. rc.local file reside in etc folder.
sudo gedit /etc/rc.local
Paste this command on rc.local file and save
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
Reboot Ubuntu, to see effect
sudo reboot
the result is that i can acces without put the port in the URL, but it send me to the page to create a database, not to the selection.
I think i must configure something in the databases created but i don't know what.
Can anyone help me?
thanks for any help you can offer.
To change the port of an Openerp server, you have to make the change in config.py file. Which is located at
your-openerp-server/openerp/tools/config.py
and change the port in the below my_default attribute
group.add_option("--xmlrpc-port", dest="xmlrpc_port", my_default=8069,
help="specify the TCP port for the XML-RPC protocol", type="int")
and restart the server.
i have got a new Linux Server (Debian 6.0) with a Database (MySQL) which is accessed by Port 3306 like as usual.
Now I'd like to access the database due port problems of some users (because port 3306 is often blocked by network firewalls) by port 80 or 443. So the transfer must be redirected from Port 80 to 3306 to keep the Database working.
I have tried following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3306
but I got following error:
iptables: No chain/target/match by that name.
Does anyone can help me solve this problem? The NAT table is empty (PREROUTING,POSTROUTING,OUTPUT have no entries) (checked with iptables -t nat -n -L)
In iptables Kernel modules required for NAT functionality:
Run following command to load modules in kernel:
# modprobe iptable_nat
# modprobe ipt_REDIRECT
Make sure you have above modules compiled in kernel:
[root#instructor tmp]# grep REDIRECT /boot/config-$( uname -r )
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_BRIDGE_EBT_REDIRECT=m
In VPS Server:
Enable modules on host server using modprobe command
Execute following command from the host server to enable all the modules for the VPS
vzctl set VEID --iptables iptable_nat --iptables ipt_REDIRECT
Add rules in file /etc/vz/conf/veid.conf
IPTABLES="iptable_nat ipt_REDIRECT"