Couldn't access internet resources even after successfully connecting to PPTP VPN - vpn

I rent a host located in Tokyo as my VPS server, and I followed this article to install the PPTP server:
article about installing PPTP from DigitalOcean
My VPS IP >>> 107.191.60.187
In addition, I installed ufw and allowed pptpd's port this way:
ufw allow 1723
ufw disable && ufw enable
But in fact I can't access internet resources even though I can successfully connect to my pptpd program on the VPS.
I really don't know how to solve it :(
Could anybody help me?
Thanks a lot.

Just a comment on this question.
Before, I made the mistake of setting wrong iptables rules, and then I resolved it by the method below; it works.
#1. First I inspected the status and removed the IPsec server; it conflicts.
sudo service ipsec status
sudo apt remove ipsec xl2tpd
#2. Then I watched port 1723 to judge whether it receives data packets.
sudo tcpdump -i eth0 port 1723
#3. Finally I changed the rules using iptables explicitly.
sudo iptables -t nat -nL
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
#4. And saved it.
sudo iptables -t nat -S
sudo iptables-save -t nat
#5. Modified the content of the file before.rules so that it persists.
sudo vi /etc/ufw/before.rules
# just like below
*nat
:PREROUTING ACCEPT [73:5676]
:INPUT ACCEPT [6:1415]
:OUTPUT ACCEPT [7:431]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
That's all.
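As an added example (not the poster's code), the following POSIX shell audit reads an "iptables-save -t nat" dump or the *nat block of /etc/ufw/before.rules and flags the unrestricted MASQUERADE rule used above, next to the tightened form; VPN_NET and WAN_IF are assumed values.

```sh
#!/bin/sh
# Added example, not the original poster's code. "-A POSTROUTING -j MASQUERADE"
# with no -s and no -o rewrites every forwarded packet from every interface, so
# any host or tunnel that can route through the VPS gets NATed out as well.
# Restricting the rule to the VPN client subnet and the uplink is the safer form.
VPN_NET=192.168.0.0/24   # assumption: the pptpd remoteip range
WAN_IF=eth0              # assumption: interface facing the internet

# Reads iptables-save style lines on stdin, prints one finding per line and
# returns the number of findings (0 = clean).
audit_nat() {
  awk '
    /^-A POSTROUTING / && /-j MASQUERADE/ {
      if ($0 !~ / -s / && $0 !~ / -o /) {
        print "unrestricted MASQUERADE (add -s <subnet> -o <iface>): " $0; n++
      }
    }
    /-j DNAT/ && /--sport/ && $0 !~ /--dport/ {
      print "DNAT keyed on --sport, probably meant --dport: " $0; n++
    }
    END { exit n }
  '
}

# The rule the answer above installs, restricted to the VPN subnet and uplink.
restricted_masquerade() {
  echo "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# Constructed sample dump mirroring the before.rules block shown above.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | audit_nat || echo "findings: $?"
```

To audit the live table instead of the sample, pipe "sudo iptables-save -t nat" into audit_nat.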

Related

Route local port from Raspbian to another machine (port tunneling)

I want to route incoming tcp traffic on port 5555 on a Raspberry with Raspbian to another machine and port within the same local network, and make it persistent to reboots.
Context
The objective is that if I access the service on 5555 on localhost, it will load a different port on the remote machine. The ultimate goal is to forward port 53 (DNS) into another machine (non-53 port), but in the meantime, I am testing with http: https://localhost:5555, it should load https://192.168.250.250:9999 where 192.168.250.250 is a remote machine within my local network (accessible to all local network, ping 192.168.250.250 works).
What I've tried
There are a lot of resources on networking like this. Most rely on IP forwarding on the router, which won't work in my case, as I am trying to redirect ports between hosts on my local network, accessing the machines directly. The others, for port tunnelling, all use the methods below:
iptables
sudo iptables -t nat -A PREROUTING -p tcp --sport 5555 -j DNAT --to-destination 192.168.250.250 --dport 9999
This didn't work. I tried a few variations, including:
sudo iptables -t nat -A PREROUTING -p tcp --sport 5555 -j DNAT --to-destination 192.168.250.250:9999
This didn't work, despite the rule getting registered:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp spt:5555 dpt:9999 to:192.168.250.250
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have also installed iptables-persistent to make it persistent, but it just doesn't redirect in the first place.
I have also tried a variant of the command since I think I may have misunderstood the "source" port as being the destination:
sudo iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.250.250:9999 --dport 5555
After any of these changes, I always run:
sudo dpkg-reconfigure iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent restart
To make sure the rules are permanently applied. I have also tried this tutorial to load the configuration on reboot. Nonetheless, again, this just doesn't forward, the permanent side of it is unclear and secondary at this stage.
socat
socat tcp-listen:5555,reuseaddr,fork tcp:192.168.250.250:9999
This works fine. However, it's not persistent. As soon as I Ctrl+C the terminal, it stops redirecting.
nc
sudo nc -l -p 5555 -c 'nc 192.168.250.250 9999'
and
sudo nc -l -p 5555 192.168.250.250 9999
Neither works. The first one throws errors (-c does not exist). The latter doesn't do anything.
The iptables solution should work. However, you must check your IPv4 forwarding and enable it (most Linux distros have this disabled by default), and this is likely to be your problem.
Check this:
$ cat /proc/sys/net/ipv4/ip_forward
0
0 means IP forwarding is not allowed and the kernel will not perform it.
Either do
$ echo 1 > /proc/sys/net/ipv4/ip_forward
or use sysctl:
$ sysctl -w net.ipv4.ip_forward=1
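The rule set for the question's scenario (port 5555 on the Pi to 192.168.250.250:9999) together with the ip_forward check from the answer, as an added example that is neither the asker's nor the answerer's code; LAN_IF is an assumption, and it also covers the localhost test from the question, which PREROUTING never sees.

```sh
#!/bin/sh
# Added example, not from the original thread: complete forwarding rules for
# TCP 5555 on this host -> 192.168.250.250:9999 (values from the question),
# plus the ip_forward check from the answer above. LAN_IF is an assumption.
LISTEN_PORT=5555
TARGET_HOST=192.168.250.250
TARGET_PORT=9999
LAN_IF=eth0   # assumption: the interface LAN clients arrive on

# Prints the iptables commands; "apply" as the first argument executes them.
forward_rules() {
  # Traffic arriving from the LAN: rewrite the destination in nat PREROUTING.
  # --dport is the port clients connect to; --sport (used in the question)
  # matches the client's random source port, so those rules never matched.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $TARGET_HOST:$TARGET_PORT"
  # Locally generated traffic (the https://localhost:5555 test) never traverses
  # PREROUTING; it is rewritten in the nat OUTPUT chain instead.
  echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $TARGET_HOST:$TARGET_PORT"
  # Let only this flow (and replies) through the filter FORWARD chain.
  echo "iptables -A FORWARD -p tcp -d $TARGET_HOST --dport $TARGET_PORT -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # The target is on the same LAN as the clients, so its replies would bypass
  # this host; source-NAT the forwarded flow so they return through it.
  echo "iptables -t nat -A POSTROUTING -p tcp -d $TARGET_HOST --dport $TARGET_PORT -j MASQUERADE"
}

# Returns 0 when forwarding is enabled in the given ip_forward file
# (default: the live kernel value).
ip_forward_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

if [ "${1:-}" = "apply" ]; then
  ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
  forward_rules | while read -r cmd; do $cmd; done
else
  forward_rules
fi
```

Run it without arguments to review the rules, then "sudo sh forward.sh apply" and "sudo netfilter-persistent save" to keep them across reboots.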

IPtables NAT/Masquerade to allow OpenStack instances to access sites external to the laptop they're running on

I have OpenStack running on a Fedora laptop. Openstack hates network interfaces that are managed by NetworkManager, so I set up a dummy interface that's used as the port for the br-ex interface that OpenStack allows instances to communicate through to the outside world. I can connect to the floating ips fine, but they can't get past the subnet that br-ex has. I'd like them to be to reach addresses external to the laptop. I suspect some iptables nat/masquerading magic is required. Does anyone have any ideas?
For CentOS 7 OpenStack with 3 nodes you should use networking:
Just install net-tools and disable NetworkManager:
yum install net-tools -y
systemctl disable NetworkManager.service
systemctl stop NetworkManager.service
chkconfig network on
Also, you need iptables, not firewalld:
yum install -y iptables-services
systemctl enable iptables.service
systemctl disable firewalld.service
systemctl stop firewalld.service
The controller node has one NIC.
The network and compute nodes have 2 NICs.
Edit the interfaces on all nodes:
for the network node: eth0: ip X.X.X.X (external), eth1: 10.0.0.1 - no gateway
for the controller node: eth0: ip 10.0.0.2 - gateway 10.0.0.1
for the compute node: eth0: ip 10.0.0.3 - gateway 10.0.0.1
Set up iptables like:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
Also enable forwarding. In the file /etc/sysctl.conf add the line:
net.ipv4.ip_forward = 1
And execute the command:
sysctl -p
Should work.

iptables command to bridge openstack virtual network

I successfully installed openstack on spare server using the ubuntu single-node installer script. The openstack status page on the underlying ubuntu instance is green across the board. From the host ubuntu instance I can ping / ssh to all of the various openstack instances which have been started on the virtual network.
I now want to access the horizon dashboard from my pc on the local network. (I can't access it from the host ubuntu machine since it is a server install & thus has no desktop to run a web browser on) My local network is 192.168.1.xxx, with the ubuntu server having a static ip of 192.168.1.200. Horizon was installed on an instance with ip 10.0.4.77.
Based on the following blog post, (http://serenity-networks.com/installing-ubuntu-openstack-on-a-single-machine-instead-of-7/) it looks like I need to make an iptables change to the host ubuntu instance to bridge between the two networks. The suggested command from the blog post above is:
$ sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.250 --dport 8000 -j DNAT --to-destination 10.0.6.241:443
Which if I modify for my network / install would be:
$ sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.200 --dport 8000 -j DNAT --to-destination 10.0.4.77:443
However, I am suspicious this is not the preferred way to do this. First, because the --dport 8000 seems wrong, and second because I was under the impression that neutron should be used to create the necessary bridge.
Any help would be appreciated...
$ sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.1.200 --dport 8000 -j DNAT --to-destination 10.0.4.77:443
This command has nothing to do with Neutron. It just makes your Ubuntu server a router connecting your local network and the OpenStack private network, so that you can access Horizon through an IP on the local network.
--dport 8000 is not fixed; you can change it to any unoccupied port. It only influences the Horizon address you enter in the address bar.

Plex VPN port forwarded properly but not accessible

TL;DR version at the bottom.
My ISP gives me a private IP (10.48.64.1) and I'm unable to do any port forwarding.
My setup:
Debian Wheezy Linux headless Server
Asuswrt-merlin router(latest version)
AirVPN via Openvpn
From some reading, some VPNs allow port forwarding. So I went ahead with AirVPN and it worked great (for torrents). I tried to port forward Plex Media Server, but unfortunately it doesn't work.
Port forwards in AirVPN (24253 is for torrents and 61477 is for Plex, with a local port of 32400)
Even Plex says that it works!
I was told to do some forwarding in iptables on my router, so I went ahead with this code (got it from the AirVPN forum):
#!/bin/sh
iptables -I FORWARD -i tun11 -p udp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
iptables -t nat -I PREROUTING -i tun11 -p udp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
With this, somehow my router shows blank in PREROUTING (but the port is open, based on what I see from torrents and canyouseeme.org).
With this everything should be set up, no problem, and it should be visible from outside, but unfortunately it isn't. I tried to view my Plex from work but it keeps saying 'connecting'.
All I can think now is that the problem lies in the Linux part (firewall maybe?).
I've been stuck for a few days and googling doesn't seem to help anymore.
Thanks for reading! I hope it can be solved.
TL;DR version
I'm connected to the VPN and I have forwarded properly (canyouseeme.org says it's open), but Plex says it cannot be viewed from outside the network (keeps connecting).
Never mind! I made the mistake of not changing the port back to 61477, which was for Plex. I used the torrent's port and hence why it wasn't working.

Iptables to modify source ip. Nothing in POSTROUTING chain log

Here is a little picture:
Asterisk eth1 10.254.254.2/28------------- Many Good Guys
eth1:1 192.168.83.5/32----------- 192.168.59.3 Bad Guy Peer
I have an Asterisk which is connected with several peers. Some of them are connected through eth1 and one, the baddest, through the alias eth1:1.
When my Asterisk sends an invite to peers, it goes with the eth1 source. So for the bad guy I need to change my source IP to 192.168.83.5. As far as I know it can be done with iptables.
So I tried the rule
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j SNAT --to 192.168.83.5
Nothing happens.
When I log, I can see the sent packets in the INPUT and OUTPUT chains with:
iptables -t filter -A OUTPUT -o eth1 -s 10.254.254.2 -d 192.168.59.3 -j LOG --log-level 7 --log-prefix "OUTPUT"
iptables -t filter -A INPUT -i eth1 -s 192.168.59.3 -d 192.168.83.5 -j LOG --log-level 7 --log-prefix "INPUT"
but I don't see any in the POSTROUTING chain with:
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j LOG --log-level 7 --log-prefix "POSTROUTING"
That is, I have nothing to SNAT(((
At the same time the traffic from other peers is visible in the POSTROUTING log. What can it be?
Any thoughts, wishes, kicks would be very appreciated!
The solution has been found!!
I didn't find a way to make my iptables work. But now I know how to do it without iptables at all.
So generally speaking my task was to modify|mask|replace my source IP of eth1 with the eth1:1 IP.
By the way, I use CentOS 5.8.
And there is a command:
ip route add
which gives you the ability to set the src address, unlike the route command.
So
ip route add 192.168.59.3/32 via 10.254.254.1 dev eth1 src 192.168.83.5
does just what I need.
Thank you for your attention!
That will not work. The reason is simple: Asterisk will set the packet source address = address of eth1.
You can start another Asterisk on the same host (with another config dir). I am sorry, I don't know other simple variants.
