How to set up postfix serverA to send mails for postfix serverB and serverC - postfix-mta

I want to use postfix at my serverB (fictive ip: 1.2.3.4) and postfix at my serverC (fictive ip: 5.6.7.8) to send all their outgoing mails via my postfix at my serverA (fictive ip: 120.230.140.150), so that serverA is the one sending those mails to the world. Note that serverA, serverB and serverC are NOT in the same (local) network. Is it possible? And if so, what do I need to do to make it work as described?
KevinX

Related

Can I make Wireguard VPN peers to talk to each other?

I have a server running Wireguard, and I have multiple clients (peers) connected to it up and running. I am not very sure how VPN works, but this is my current setup.
The /etc/wireguard/wg0.conf of my server looks like this.
[Interface]
Address = 172.16.16.1/24
SaveConfig = true
ListenPort = 8999
PrivateKey = XXX
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.2/32
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.3/32
And the configuration on my clients wg0.conf looks like this.
[Interface]
PrivateKey = XXX
Address = 172.16.16.x/32
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.0/24
PersistentKeepalive = 30
With everything up and running, from my client with IP address 172.16.16.2, I am able to ping the server 172.16.16.1. I am able to do the same from my other client with 172.16.16.3, I can ping the server 172.16.16.1.
Interestingly, from my server, I am able to ping all the peers! That is, from within 172.16.16.1, I can ping both 172.16.16.2 and 172.16.16.3. But that is the prime purpose of the setup!
Now, I want my peers to talk to each other, that is, I must be able to ping 172.16.16.2 from my other peer 172.16.16.3 and vice-versa, but this is not working. It says that the network is unreachable.
The idea is, I want it to work like a LAN server, where one server that acts as a gateway, and multiple peers/clients that can talk to each other, and also talk to the server.
Is this possible? If yes, what am I missing?
After a whole evening of searching through the internet, I found some useful links that talk about the same problem that I am facing.
Link: https://lists.zx2c4.com/pipermail/wireguard/2018-August/003250.html
That says, we must enable ip forwarding in the server to make it work like an edge router.
By default, the IPv4 policy in linux kernels disables support for IP forwarding. This prevents machines that run linux server from functioning as dedicated edge routers. To enable IP forwarding, use the following command:
[root#myServer ~ ] # sysctl -w net.ipv4.ip_forward=1
This configuration change is only valid for the current session; it does not persist beyond a reboot or network service restart. To permanently set IP forwarding, edit the /etc/sysctl.conf file as follows:
Locate the following line:
net.ipv4.ip_forward = 0
Edit it to read as follows:
net.ipv4.ip_forward = 1
Use the following command to enable the change to the sysctl.conf file:
[root#myServer ~ ] # sysctl -p /etc/sysctl.conf
Read more: https://docs.fedoraproject.org/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Firewalls-FORWARD_and_NAT_Rules.html
With this done, now all my peers are able to talk to each other, and this functions just like a LAN network!
I followed all the steps suggested by Sibidharan but also needed to add an iptables command on the server to forward the wireguard traffic from peer to peer.
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
I was then able to connect via ssh from peer to peer.
Just set your interface up on the client to a prefix of /24
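An added example, not part of the thread: a Python check over the two configs quoted above. It parses wg-quick files (repeated [Peer] sections, which configparser cannot handle) and reports every other peer to which a client's AllowedIPs give no route; for the configs above the list is empty, which leaves the hub's ip_forward setting and the wg0 -> wg0 FORWARD rule from the answers as the thing to fix. The config strings are constructed copies of the posted ones, with keys left as XXX.

```python
import ipaddress

# Constructed copies of the hub and one client config quoted above (keys left as XXX).
SERVER_CONF = """[Interface]
Address = 172.16.16.1/24
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.2/32
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.3/32
"""
CLIENT_CONF = """[Interface]
Address = 172.16.16.2/32
[Peer]
PublicKey = XXX
AllowedIPs = 172.16.16.0/24
"""

def parse_wg(text):
    """wg-quick config -> (interface dict, [peer dicts]); values kept as lists."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":          # repeats, so configparser is unsuitable
            peers.append(cur := {})
        elif line:
            key, _, val = line.partition("=")
            cur.setdefault(key.strip().lower(), []).append(val.strip())
    return iface, peers

def allowed_nets(peer):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for v in peer.get("allowedips", []) for n in v.split(",")]

def check_hub_and_spoke(server_conf, client_conf):
    """Config-level reasons a client cannot reach another peer via the hub; an empty
    list leaves only the hub's kernel forwarding (ip_forward + FORWARD rule) to fix."""
    s_iface, s_peers = parse_wg(server_conf)
    c_iface, c_peers = parse_wg(client_conf)
    me = ipaddress.ip_interface(c_iface["address"][0]).ip
    problems = []
    # The client only routes (and encrypts) toward what its hub peer's AllowedIPs cover.
    client_allows = [n for p in c_peers for n in allowed_nets(p)]
    for net in (n for p in s_peers for n in allowed_nets(p) if me not in n):
        if not any(net.subnet_of(c) for c in client_allows):
            problems.append(f"no route to {net} in client AllowedIPs")
    return problems
```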

Mikrotik Port Forwarding to public IP that is located in the local network

We have just set up Mikrotik router and have public ip address and our local ip address for the server.
We created a dst-nat rule where anyone who accesses
public_ip:80 is applied a dst_nat to local_ip:8082 port
However, from our local ip address we cannot access this public ip address.
It will work if at hosts file we write local_ip public_dns_name.
Why does mikrotik not send to the public_ip address, i.e does not apply a dst-nat rule?
The problem got solved by adding a srcnat rule, which masquerades all traffic from the local network:
Chain: srcnat
Src. Address: 192.168.88.0/24 (our local network)
Dst. Address: 192.168.88.249 (our server)
Protocol: 6 (tcp)
Action: masquerade
This problem and its solution are explained in Mikrotik's documentation: https://wiki.mikrotik.com/wiki/Hairpin_NAT
Basically, the router translates everything into local IP addresses when replying to machines inside the network. Your client sent a request to some public IP, so it's waiting for a reply from that same public IP. The Mikrotik translated the request into a local IP, so it sent a reply with the wrong "from" address, and your client ignored it. You can work around this by setting up a masquerade rule, or by adding a static DNS entry that bypasses the need for a public IP.
In my case, the problem was that the rule was set up to only work for traffic coming in on WAN (not LAN). I changed it to route traffic from anywhere, as long as it is requesting my public IP.
chain: dstnat
dst address: <public ip>
protocol: 6 (tcp)
dst port: 80
in. interface list: all
action: dst-nat
to addresses: <server local ip>
to ports: <server port>
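An added example, not part of any answer above: a small Python model of the two NAT chains that walks a LAN client's request for the public IP through the router and back, showing both failure modes described in the thread (a dst-nat rule that only matches the WAN interface, and dst-nat without a srcnat masquerade) next to the working combination. Addresses are constructed: the thread's 192.168.88.0/24 LAN and 192.168.88.249:8082 server, a router LAN address of 192.168.88.1, and 203.0.113.10 standing in for the public IP.

```python
import ipaddress

# Constructed addresses: the thread's 192.168.88.0/24 LAN and server 192.168.88.249:8082,
# a router LAN address, and a documentation-range IP standing in for "public_ip".
LAN = ipaddress.ip_network("192.168.88.0/24")
ROUTER_LAN, SERVER, CLIENT = "192.168.88.1", "192.168.88.249", "192.168.88.20"
PUBLIC, SERVER_PORT = "203.0.113.10", 8082

def dst_nat(pkt, in_iface, match_iface):
    """RouterOS dstnat: PUBLIC:80 -> SERVER:8082 when the in-interface matches."""
    src, dst = pkt
    if dst == (PUBLIC, 80) and match_iface in ("all", in_iface):
        return src, (SERVER, SERVER_PORT)
    return pkt

def src_nat(pkt, masquerade):
    """RouterOS srcnat masquerade for LAN -> SERVER traffic (the thread's fix)."""
    (sip, sport), dst = pkt
    if masquerade and ipaddress.ip_address(sip) in LAN and dst[0] == SERVER:
        return (ROUTER_LAN, sport), dst
    return pkt

def hairpin(match_iface="all", masquerade=False):
    """Walk a LAN client's request for PUBLIC:80 through the router and back.

    Returns 'ok', 'not translated' (dst-nat limited to WAN, as in the last answer)
    or 'reply from wrong address' (dst-nat without srcnat, as in the first)."""
    sent = ((CLIENT, 50000), (PUBLIC, 80))
    after_dnat = dst_nat(sent, "LAN", match_iface)
    if after_dnat == sent:
        return "not translated"   # lands on the router's own public IP, no web server there
    delivered = src_nat(after_dnat, masquerade)
    # The server answers whatever source address it saw.
    reply = (delivered[1], delivered[0])
    if reply[1][0] == ROUTER_LAN:
        # Reply goes back through the router, which reverses both translations.
        reply = (sent[1], sent[0])
    # The client's TCP stack only accepts a reply from the endpoint it connected to.
    return "ok" if reply == (sent[1], sent[0]) else "reply from wrong address"
```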

FileZilla - "The data connection could not be established: ECONNREFUSED - Connection refused by server" when retrieving directory listing

So a couple of days before, I tried creating a Home FTP Server, which I can access from my own network. It worked. But now I want to go further. I wanted my Home FTP Server accessible from any network via an external IPv4 address. So here is my problem.
Every time I want to connect to my server on localhost or on my local IP address, it works. But when I try to connect with the same credentials on my external IP address, it says that it cannot retrieve the directory listing:
Status: Connecting to *************:800...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (**,***,*,***,***,106)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
Response: 425 Can't open data connection for transfer of "/"
Error: Failed to retrieve directory listing
The (obfuscated) IP address in the 227 response does not match the (obfuscated) server IP address in the "Connecting to ..." message.
I tried turning off my firewall and forwarded port 21 and port 800 for both TCP and UDP, but nothing worked. I also made exceptions for both ports, and that didn't work either.
Another problem is, that if I want to log in on my external IP address on my FileZilla Server, it shows this:
Connecting to server -censored-:14147...
Error, could not connect to server
Trying to reconnect in 5 seconds
My question is: how do I create a Home FTP Server which I can access remotely?
Response: 227 Entering Passive Mode (**,***,*,***,***,106)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
If the IP address in the 227 response to the PASV command does not match the actual FTP server IP address, the server is misconfigured.
This usually happens when the server is not aware of its external IP address and reports its internal IP address. But most FTP clients (including FileZilla) would be able to detect that by checking the IP address against a range of addresses reserved for local communications within a private network. See Server sent passive reply with unroutable address in FileZilla. As that did not happen, the server is probably explicitly configured with an incorrect IP address.
For generic information, see my article about network configuration needed for FTP.
You have to reconfigure the FTP server to the new IP address. In FileZilla FTP server you can do that by going to Edit > Settings > Passive mode settings > IPv4 specific > External Server IP Address for passive transfers in FileZilla Server Interface.
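An added example, not from the answer or from FileZilla's code: a Python decoder for the 227 reply that derives the data-connection address and port (p1*256+p2), then applies the reasoning above: matching address is fine, an unroutable (private) address can be replaced by the control connection's address as FileZilla does, and a routable but different address is the misconfiguration case that ends in ECONNREFUSED. The sample addresses are constructed; 120.230.140.150 and 1.2.3.4 are the fictive IPs used elsewhere on this page.

```python
import ipaddress
import re

PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(response: str):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(response.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {response!r}")
    *host, p1, p2 = map(int, m.groups())
    if max(host + [p1, p2]) > 255:
        raise ValueError("octet out of range")
    return ".".join(map(str, host)), p1 * 256 + p2

def choose_data_endpoint(control_ip: str, response: str):
    """What a client such as FileZilla can do with the PASV reply: (ip, port, verdict)."""
    ip, port = parse_pasv(response)
    announced, control = ipaddress.ip_address(ip), ipaddress.ip_address(control_ip)
    if announced == control:
        return ip, port, "ok: announced address matches the control connection"
    if announced.is_private or announced.is_loopback or announced.is_unspecified:
        # Unroutable from outside (RFC 1918 and other reserved ranges): the client can
        # substitute the control address, FileZilla's "unroutable address" case.
        return control_ip, port, "fallback: server announced an unroutable address"
    # Routable but different: nothing to correct automatically; the data connection goes
    # to the wrong host and fails (the ECONNREFUSED above), so the configured external IP is wrong.
    return ip, port, "misconfigured: announced public address differs from the server"
```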

How to try out HTTP, FTP, SMTP etc. application protocols

I am reading Computer Networking: A Top-Down Approach, 5th (fifth) edition. I have reached chapter two and I wonder if it is possible to actually try out the different application protocols by writing the requests etc? I am using Windows, if that matters for the tool you suggest, and if I need a tool, what does the tool do behind the scenes to connect?
You should use telnet to connect to all of these protocols, make your request, read the answer and so on.
I'm reading that telnet is disabled by default on newer Windows versions (unbelievable, why? Thank goodness I stopped using it!)... Follow this guide to re-enable it if you're using a Windows version newer than XP.
Telnet was used to remotely log in to a host. Today it's completely unsafe to use it in this way, since a telnet connection isn't encrypted and we have a much better tool like ssh for remote connections. However, you can think of Telnet as a generic TCP client. It can establish a TCP connection on any port.
By default, it will attempt to connect to port 23 (the telnet port), but you can easily change that.
For example, if you want to test HTTP, you can write in your command line:
~$ telnet www.example.com 80
Trying 192.0.43.10...
Connected to www.example.com.
Escape character is '^]'.
Where 80 is the http port (of course, if you're running it locally, you should connect to localhost). Other lines state the connection is ready to receive a request. Now you can type any http command you want.
GET /
HTTP/1.0 302 Found
Location: http://www.iana.org/domains/example/
Server: BigIP
Connection: close
Content-Length: 0
Where GET / is the command I typed and the rest is the http response.
By changing the port number, you can speak to (almost?) every protocol on the internet.
Well, you can try them out like this... just to name a few...
Ftp : ftp ip_addr or ftp domain_name
Telnet : telnet ip_addr or telnet ip_addr:port_no or tracert domain_name
tracert : tracert ip_addr or tracert domain_name
ping : ping ip_addr or ping domain_name

How to know that smtp server support ssl or not?

How to know if SSL is supported on an SMTP server from the terminal?
You can connect to the mail server on the standard port, send an EHLO command and see if the response includes the STARTTLS capability. This tells you that the mail server will let you run an encrypted session over a standard SMTP connection. For example:
$ telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost
220 localhost ESMTP
EHLO localhost
250-localhost
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS <--- here it is
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Alternatively, you can try connecting to the default SMTP-over-SSL port of 465/tcp, and assume that the mail server supports SSL if you get a positive response and a successful SSL handshake followed by an SMTP greeting.
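The same check scripted in Python instead of typed into telnet (an added example, not from the answer): a raw TCP client, as telnet is in the previous question, that reads the 220 banner, sends EHLO, and parses the multi-line 250 reply for STARTTLS, plus the 465/tcp implicit-TLS variant. The EHLO name probe.example and the function names are my own.

```python
import socket
import ssl

def parse_smtp_reply(raw: bytes):
    """Split one SMTP reply into (code, [text lines]); continuation lines are
    'CODE-text' and the final line 'CODE text', as in the EHLO transcript above."""
    code, texts = None, []
    for line in raw.decode("ascii", "replace").splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            continue
        code = int(line[:3])
        texts.append(line[4:].strip())
        if len(line) == 3 or line[3] == " ":
            break                      # last line of this reply
    return code, texts

def reply_complete(buf: bytes) -> bool:
    """True once buf ends with the final ('CODE text') line of a reply."""
    last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
    return buf.endswith(b"\r\n") and len(last) >= 3 and (len(last) == 3 or last[3:4] == b" ")

def recv_reply(sock) -> bytes:
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def supports_starttls(ehlo_reply: bytes) -> bool:
    """EHLO reply advertises STARTTLS (the first text line is the server's name)."""
    code, texts = parse_smtp_reply(ehlo_reply)
    return code == 250 and any(t.split()[0].upper() == "STARTTLS" for t in texts[1:] if t)

def probe_starttls(host: str, port: int = 25, timeout: float = 5.0) -> bool:
    """Scripted version of the telnet session above: banner, EHLO, QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        recv_reply(s)                              # 220 banner
        s.sendall(b"EHLO probe.example\r\n")       # hypothetical client name
        ehlo = recv_reply(s)
        s.sendall(b"QUIT\r\n")
        return supports_starttls(ehlo)

def probe_smtps(host: str, port: int = 465, timeout: float = 5.0) -> bool:
    """The 465/tcp alternative: implicit TLS handshake, then expect a 220 greeting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as s:
        return parse_smtp_reply(recv_reply(s))[0] == 220
```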
