i have got a new Linux Server (Debian 6.0) with a Database (MySQL) which is accessed by Port 3306 like as usual.
Now I'd like to access the database due port problems of some users (because port 3306 is often blocked by network firewalls) by port 80 or 443. So the transfer must be redirected from Port 80 to 3306 to keep the Database working.
I have tried following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3306
but I got following error:
iptables: No chain/target/match by that name.
Does anyone can help me solve this problem? The NAT table is empty (PREROUTING,POSTROUTING,OUTPUT have no entries) (checked with iptables -t nat -n -L)
In iptables Kernel modules required for NAT functionality:
Run following command to load modules in kernel:
# modprobe iptable_nat
# modprobe ipt_REDIRECT
Make sure you have above modules compiled in kernel:
[root#instructor tmp]# grep REDIRECT /boot/config-$( uname -r )
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_BRIDGE_EBT_REDIRECT=m
In VPS Server:
Enable modules on host server using modprobe command
Execute following command from the host server to enable all the modules for the VPS
vzctl set VEID --iptables iptable_nat --iptables ipt_REDIRECT
Add rules in file /etc/vz/conf/veid.conf
IPTABLES="iptable_nat ipt_REDIRECT"
Related
I dont understand the ARP table of 1 machine on my testing network consisting of 3 PCs on Ubuntu20
a client of IP 192.168.0.1
an attacker of IP 192.168.0.2
a server of IP 192.168.0.3
On machine n°2 (attacker), I've installed :
dnsiff and launched arpspoof ( sudo arpspoof -t 192.168.0.1 192.168.0.3)
mitmproxy in transparent mode, which makes a proxy and redirects all the traffic arriving on port 80 to port 8080 by setting properly the iptables rules.
sudo apt install dnsiff
sudo apt install mitmproxy
I activated the ip_forwarding by uncommenting net.ipv4.ip_forward=1 in file /etc/sysctl.conf and then reloaded the system :
sudo sysctl -p /etc/sysctl.conf
mitmproxy --mode-transparent -p 8080
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
All works but when I open the arp table of machine 1 (192.168.0.1) , I read :
192.168.0.3 #MAC of the attacker (which is what I expected)
192.168.0.2 #MAC of the attacker (which is surprinsing)
How is it that address 192.168.0.2 appears whereas there is no trace on any wireshark frame , when wireshark listens to machine 1 interface.
Another surprinsing thing occurs when I set manually the #IP et #MAC of the server :
sudo arp -s 192.168.0.3 #MAC of the attacker
This time the ARP table of machine 1 does not display 192.168.0.2 (attacker).
Thank you for any explanation.
I need to run wireguard only for a single program, and have the rest of my system not use it. Is this possible or doable? I'm currently using wg-quick
Yes you can, using network namespaces.
First let's create the wireguard namespace:
ip netns add wireguard
Then, we create a wireguard interface in your standard namespace
ip link add wg0 type wireguard
(You can configure the interface here)
We move it to the wireguard namespace
ip link set wg0 netns wireguard
And now, you can run a process in the wireguard namespace using
sudo -E ip netns exec wireguard sudo -E -u \#$(id -u) -g \#$(id -g) YOUR_PROCESS_CMD
You should read this for more information: https://www.wireguard.com/netns
5037 is not occupied and the error message is reply fd for adb server to client communication not specified. The version of adb is 1.0.39. I want to share port for STF Provider. Appreciate for any help.
As Moon said in his comment: the solution is to run
adb -a -P 5037 daemon
and then
stf provider --adb-host ip -port 5037
I have a linux box with web serverthe has 2 running services:
web proxy (listens ports 80, 443)
apache (listens port 8080)
The users for proxy can register through web interface. I must give access to proxy only to the registered clients with certain IPs. Proxy is a handwritten script, and I have to use iptables to block the access. I wrote the following rules:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP 1> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP 2> -j ACCEPT
...
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s <valid IP n> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
It works. But when a new user is added through web interface, Apache launches a script as a non-root user. And I have to run iptables as root.
I can't set suid bit for a program, written in a scripting language, so I created a C program updater.c:
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char* argv[])
{
int result = system("iptables -L");
printf("\nresult=%i", result);
return 0;
}
Then I compiled it:
# gcc -o updater ./updater.c
# chmod +s ./updater
When I run it as a non-priviledged user in shell it works correctly: prints all the iptables rules.
When I run it from the web, calling the program inside a shell script, it doesn't print anything. Despite the fact, that when I tried to create a file inside this C program, it was created with owner=root. system("ls -l"); also works - it prints the directory listing.
How can I manipulate iptables rules from the web script?
When you call system("iptables -L"); you may or may not be able to find iptables, depending on your PATH environment variable. You should prepend the path to where the binary is so that you know it will be found:
int result = system("/sbin/iptables -L");
I have started the pgpool using the command
sudo pgpool -n &
it started giving the following message on the terminal:
2012-05-04 10:54:29 LOG: pid 4109: pgpool-II successfully started. version 2.3.2.1 (tomiteboshi)
But when I try to run the following command:
createdb -p 9999 bench_replication
I get the following error message:
createdb: could not connect to database postgres: could not connect to server: No such file or directory.
Is the server running locally and accepting connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.9999"?
When I change the port from 9999 to 5432, a database bench_replication is created on the local node only, not on slave nodes. But, tutorial say to mention port 9999 in this command in order to create database bench_replication on all slave nodes through pgpool.
To confirm whether pgpool is really running or not, I stop the pgpool using command
2012-05-04 10:58:50 LOG: pid 4109: received smart shutdown request
stop request sent to pgpool. waiting for termination...done.
[1]+ Done sudo -A pgpool -n
which confirms the pgpool was actually running. What am I doing wrong? I have changed all my pgpool configuration file as mentioned in the standard tutorials on net.
Try this command :
createdb -p 9999 -h 127.0.0.1 bench_replication
By default PostgreSQL try to use the socket.
Late response but useful for future generations:
When you run
createdb -p 9999 bench_replication
under root, this generates the following error in log:
no pg_hba.conf entry for host "12.34.56.78", user "root", database
"postgres", SSL off
This means you should explicit mention username just like this:
createdb -U postgres -p 9999 bench_replication
Then you will get another error:
no pg_hba.conf entry for host "12.34.56.78", user "postgres", database
"postgres", SSL off
So you were blocked by second node on HBA level.
In this case either you should allow on second node access from first (in pg_hba.conf):
host all postgres 12.34.56.77 trust
or you should set password:
createdb -U postgres -p 9999 bench_replication -W SoMeP4Ssw0rD
If this is not clear enough - just check for your logs.