Is there a way to make Nginx 1.11 bind to a specific interface regardless of the IP address?
I've got a home gateway to an ISP provider; it uses DHCP client to obtain its dynamic IP address. I do not know what that IP address is at NGINX configuration time.
Surely, there must be a way to make such a fine HTTP server bind to a specific network interface? I know that Apache can.
Edit your startup sequence to run a command or script that captures the interface's IP address and writes it to a file in the format listen <ip>:80 or whatever port you want:
echo "listen $(ip -o -4 a s eth0 | awk '{ print $4 }' | cut -d/ -f1):80;" > /path/to/some/file
Then just have your nginx config include that file:
include /path/to/some/file;
Obviously, you'll need to make sure the IP capture occurs before the nginx startup does.
Related
Background
I have a strange use-case where my VPN cannot be on any of the private subnets, but, also cannot use a TAP interface. The machine will be moving through different subnets, and requires access to the entire private address space by design. A single blocked IP would be considered a failure of design.
So, these are all off limits:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
In searching for a solution, I came across RFC 5735, which defines:
192.0.2.0/24 TEST-NET-1
198.51.100.0/24 TEST-NET-2
203.0.113.0/24 TEST-NET-3
As:
For use in documentation and example code. It is often used in conjunction with domain names
example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry.
Which, was a "Jackpot" moment for me and my use case.
Config
I configured an OpenVPN server as such:
local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...
With Client:
client
nobind
dev tun
proto tcp
...[Snip]...
And ufw rules:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT
However, upon running I get /sbin/ip route add 203.0.113.0/24 via 203.0.113.1 RTNETLINK answers: File exists in the error logs. While the VPN completes the rest of its connection successfully.
No connection
Running the following commands:
Server: sudo python3 -m http.server 80
Client: curl -X GET / 203.0.113.1
Results in:
curl: (28) Failed to connect to 203.0.113.1 port 80: Connection timed out
I have tried:
/sbin/ip route replace 203.0.113.0/24 dev tun 0 on client and server.
/sbin/ip route change 203.0.113.0/24 dev tun 0 on client and server.
Adding route 203.0.113.0 255.255.255.0 to the server.
Adding push "route 203.0.113.0 255.255.255.0 127.0.0.1" to server
And none of it seems to work.
Does anyone have any idea how I can force the client to push this traffic over the VPN to my server, instead of to the public IP?
This does actually work!
Just dont forget to allow connections within your firewall. I fixed my config with:
sudo ufw allow in on tun0
However, 198.18.0.0/15 and 100.64.0.0/10 defined as Benchmarking and Shared address space respectively, may be more appropriate choices, since being able to forward TEST-NET addresses may be considered a bug.
How do you filter external connections to a specific service, running on Docker? Specifically, how do you filter incoming requests down to a static list of whitelisted IPs?
This answer assumes that:
The container will always listen on the same host:port.
The container will always be bound on the same network card interface, if ever several are available. This is easily done by using the option -p hostIp:hostPort:containerPort within the docker run command.
Stemming from these two assumptions, it can then be assumed that the service running in the container will always listen on the same host socket defined as hostIp:hostPort.
Now, all you have to do is firewalling which is independent from docker.
I am not an expert and did not test theses lines! Be warned before executing them.
# DROP every packets coming from every sources sent to the port $PORT
iptables -A INPUT -p tcp --dport $PORT -j DROP
# ACCEPT every packets coming from source xx.xx.xx.xx sent to port $PORT
iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport $PORT -j ACCEPT
# Repeat the last command if needed, you can also specify a network, such as 192.30.252.0/22 instead of xx.xx.xx.xx
These rules are to be set in this precise order. A whitelist can be likened to a blacklist with expection.
I am using Oracle VirtualBox on Windows. I've setup NAT and forwarded ports.
When some forwarded ports are accidentally conflicting with host machine's ones, no errors are shown and all forwarded ports are failing.
Is there any possibility to detect those conflicting ports? I have used VBoxManage tool and there are neither output messages, nor verbose mode for startvm command.
Thanks
I would recommend using a combination of netstat and VBoxManage and parse the output. You can easily replace the findstr command with grep on non-Windows hosts.
First, I would get a listing of NAT ports on the VM in question. The VBoxManage showvminfo command will output a bunch of info about the configuration which you can filter to look for just the NAT rules. You will want to look for the host port and protocol fields in the output (and possibly host ip if configured) as that is what you will be looking to see if it is already in use.
C:\>vboxmanage showvminfo Linux | findstr Rule
NIC 1 Rule(0): protocol=tcp, host ip=, host port=2222, guest ip=, guest port=22
Second, using the info from above I know I need to check if anything is listening on port TCP port 2222, so I can use the netstat command to show me all the listening sockets, filtered by my criteria:
C:\>netstat -an | findstr LISTENING | findstr TCP | findstr 2222
Proto Local Address Foreign Address State
TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
Because my guest is already running I can see that it has already grabbed a connection on TCP 2222. If you don't get any output then nothing is listening on that specific port and you are safe to start your VM.
I'm trying to send a broadcast message using netcat.
I have firewalls open and sending a regular message like this works for me:
host: nc -l 192.168.1.121 12101
client: echo "hello" | nc 192.168.1.121 12100
But I can't get something like this to work.
host: nc -lu 0.0.0.0 12101
client: echo "hello" | nc -u 255.255.255.255 12100
Am I using the right flags? Note, the host is on Mac and the client on Linux. Can you give me an example that works for broadcasting a message?
Thanks!
The GNU version of netcat might be broken. (I can't get to work under 0.7.1 anyway.) See http://sourceforge.net/p/netcat/bugs/8/
I've gotten socat to work. Code below does UDP broadcast to port 24000.
socat - UDP-DATAGRAM:255.255.255.255:24000,broadcast
(In socat-world "-" means "stdin".)
You're not saying you want to broadcast, which is done using the -b option to nc/netcat.
nc -h 2>&1 | grep -- -b
-b allow broadcasts
A simple example that works on Ubuntu. All the info in is in the other answers, but I had to piece it together, so thought I would share the result.
server
nc -luk 12101
client
echo -n "test data" | nc -u -b 255.255.255.255 12101
The client will hang until you do Ctrl-C
Sorry, if I am assuming wrong but you mentioned that you have your firewalls set up correctly so I am guessing that the host and client are not on the same subnet???
If that is the case and this firewall is also acting also as a router (or if the packet has to go through a router) then it is going to process that packet but it will not forward it out its other interfaces. If you wanted that to happen then you would need to send a directed broadcast. For example; for the subnet 192.168.1.0/24 the directed broadcast would be 192.168.1.255, the last IP in the subnet. Then the firewall, assuming it had a route to 192.168.1.0/24 and that it is set up to forward directed broadcast, would forward that broadcast out to the destination or next hop. Configuring your device to forward directed broadcast... you would need to reference its documentation. For Cisco IOS you would type in, under the interface, "ip directed-broadcast".
255.255.255.255 is a limited broadcast and is not going to get pass your routers regardless, it is solely intended for the layer 2 link that it resides.
As for how netcat is set up:
-l 0.0.0.0 12101, tells netcat to listen on port 12101 on all interfaces that are up and with an IP address assigned. The -u is not needed as it is telling netcat to listen on a unix domain socket, google IPC :) (this is the biggest reason that your scenario is not working.)
The below should work to get a broadcast forwarded to another network via netcat:
server: nc -l 0.0.0.0 12101
host: echo "hello" | nc 192.168.1.255 12101
Hope that helps, sorry if that was long winded or off from what you were looking for :)
Unix.....>>netstat -al | grep 8787 (will see packets on port 8787)
What is the nature of the question here? Are you trying to see packets on port 8787? Are you looking for services listening on port 8787? Most importantly, how is this a programming-related question?
Use the command
ifconfig -a
to determine the interface you want to listen on. Then use
tcpdump -npi eth0 port 8787
to listen on the port where eth0 is the interface you want to listen on that you identified from the ifconfig command.
If you want to see the actual packets then you need to use tcpdump.
Use the -s option to specify how much of the packet you want to see (0 means the whole packet) and the -X option to get a Hex and ASCII dump.