ping localhosts, edit /etc/network/hosts - networking

I want to succesfully ping some hostnames. These hostnames have the same IP, 127.0.0.1
So i edited /etc/network/hosts:
127.0.0.1 host1
127.0.0.1 host2
127.0.0.1 host3
127.0.0.1 host4
127.0.0.1 host5
127.0.0.1 host6
127.0.0.1 host7
127.0.0.1 host8
127.0.0.1 host9
My /etc/network/interfaces file was:
auto lo
iface lo inet loopback
Then i added this:
iface eth0 inet static
address 127.0.0.1
network 127.0.0.0
netmask 255.255.255.0
broadcast 127.0.0.255
But when i try to do:
ping host1
it doesn't work, even with other hostnames in /etc/network/hosts


In the recent kernels the couples hostname-IP are saved in /etc/hosts, not in /etc/network/hosts, the edit in /etc/network/interfaces is useless, i just tried everything

Related

route print command show almost all On-link gateway

Trying to learn about routing tables, when preforming route print on cmd window I get this result on the IPv4 table:
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.138 10.0.0.9 50
10.0.0.0 255.255.255.0 On-link 10.0.0.9 306
10.0.0.9 255.255.255.255 On-link 10.0.0.9 306
10.0.0.255 255.255.255.255 On-link 10.0.0.9 306
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.0.0.9 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.0.0.9 306
===========================================================================
From my understanding, the Network Destination and Netmask combine show the Network ID, and Gateway is the "next hop" meaning it is the address where addresses from Network ID can get to the internet, via the Interface on the right.
This table is different from other I seen on line, and almost all the gateways are On-link. From a simple google search, I found those On-link mean addresses reachable locally (my router's address?) so On-link=10.0.0.138 in this example? And since network ID is all 0.0.0.0 that means the only routing available on my system is going to 10.0.0.138 through 10.0.0.9? If so why I need the other rows? If I'm wrong I would love to know better.
Thanks.

"on-link" doesn't equal 10.0.0.138. It means that the destination network is directly attached to the interface - meaning traffic that matches this route entry will trigger an ARP request that should be sent from this link to resolve the destination IP directly (not the gateway 10.0.0.138).
This is also called "glean adjacency".
The 10.0.0.9 route instructs packets with destination IP 10.0.0.9 to be sent to the CPU (AKA punt adjacency).
127.0.0.0/24 network is for internal communication within the machine.
224.0.0.0/4 is for multicast traffic.

squid as http proxy configuration

I am trying to use Squid as http proxy (proxy all requests from 88.99.219.124 using 85.10.219.144/29 subnet).
$ cat /etc/squid3/squid.conf
acl client src 88.99.219.124
acl proxy dst 85.10.219.144/29
http_access allow client proxy
http_access deny all
http_port 3129
$ tail -f /var/log/squid3/access.log
1543865940.128 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.138 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.147 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.156 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
Whats wrong with my config?

Squid config:
$ cat /etc/squid3/squid.conf
acl client src 88.99.219.124
http_access allow client
http_access deny all
http_port 3129
debug_options ALL,1
To allow your server to use 85.10.219.144/29 subnet, add ip adresses from subnet to network interfaces.
Use subnet calculator to find min & max ip in subnet range.
Network interfaces:
$ cat /etc/network/interfaces
...
auto vmbr0
iface vmbr0 inet static
address x.x.x.x
netmask x.x.x.x
gateway x.x.x.x
bridge-ports __network_interface_name__
bridge-stp off
bridge-fd 0
auto vmbr0:0
iface vmbr0:0 inet static
address 85.10.219.145
netmask 255.255.255.248
auto vmbr0:1
iface vmbr0:1 inet static
address 85.10.219.146
netmask 255.255.255.248
auto vmbr0:2
iface vmbr0:2 inet static
address 85.10.219.147
netmask 255.255.255.248
auto vmbr0:3
iface vmbr0:3 inet static
address 85.10.219.148
netmask 255.255.255.248
auto vmbr0:4
iface vmbr0:4 inet static
address 85.10.219.149
netmask 255.255.255.248
auto vmbr0:5
iface vmbr0:5 inet static
address 85.10.219.150
netmask 255.255.255.248
And now when we try to use our proxy, it works!
$ curl -x http://85.10.219.150:3129 -L http://google.com
In log file:
$ cat /var/log/squid/access.log
1544717769.941 58 _your_ip_ TCP_MISS/200 13234 GET http://www.google.com/ - HIER_DIRECT/2a00:1450:4001:809::2004 text/html

A websocket via nginx proxy?

Hi I have a question ~ I want to use nginx proxy to distribute websocket connect to other port. like this .
client ====> proxy =====> ws server
but my question is the websocket tunnel is build on the client and ws server or client and proxy and ws server.
client === proxy ==== ws server
Or
client ===== ws server
Thanks ~~~

You don't skip proxy as such. The proxy makes the connection on behalf of you. See the below excerpt from https://www.nginx.com/blog/websocket-nginx/
A WebSocket application keeps a long‑running connection open between the client and the server, facilitating the development of real‑time applications. The HTTP Upgrade mechanism used to upgrade the connection from HTTP to WebSocket uses the Upgrade and Connection headers. There are some challenges that a reverse proxy server faces in supporting WebSocket. One is that WebSocket is a hop‑by‑hop protocol, so when a proxy server intercepts an Upgrade request from a client it needs to send its own Upgrade request to the backend server, including the appropriate headers. Also, since WebSocket connections are long lived, as opposed to the typical short‑lived connections used by HTTP, the reverse proxy needs to allow these connections to remain open, rather than closing them because they seem to be idle.
Edit-1 - Connections Comparisons between Nginx and direct NodeJS
So finally I did some test to make sure. Started a socket.io app on 3000 and nginx on 80 to forward to request to the Socket.io
Nginx
When I access the app using http://IP/ in two browser windows, the open connection are as below
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
node 4443 vagrant 13u IPv6 28591 0t0 TCP localhost:3000->localhost:42698 (ESTABLISHED)
node 4443 vagrant 14u IPv6 28626 0t0 TCP localhost:3000->localhost:42712 (ESTABLISHED)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
nginx 5144 vagrant 13u IPv4 28589 0t0 TCP 192.168.33.100:http->192.168.33.1:64799 (ESTABLISHED)
nginx 5144 vagrant 14u IPv4 28590 0t0 TCP localhost:42698->localhost:3000 (ESTABLISHED)
nginx 5144 vagrant 15u IPv4 28625 0t0 TCP localhost:42712->localhost:3000 (ESTABLISHED)
nginx 5144 vagrant 16u IPv4 28624 0t0 TCP 192.168.33.100:http->192.168.33.1:64826 (ESTABLISHED)
Now after closing both the tabs
$ lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
NodeJS
Opening two browser tabs with direct connection to NodeJS http://<IP>:3000. Then the results are as below
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
node 4443 vagrant 13u IPv6 30014 0t0 TCP 192.168.33.100:3000->192.168.33.1:52550 (ESTABLISHED)
node 4443 vagrant 14u IPv6 30015 0t0 TCP 192.168.33.100:3000->192.168.33.1:52551 (ESTABLISHED)
node 4443 vagrant 15u IPv6 30016 0t0 TCP 192.168.33.100:3000->192.168.33.1:52552 (ESTABLISHED)
node 4443 vagrant 16u IPv6 30017 0t0 TCP 192.168.33.100:3000->192.168.33.1:52553 (ESTABLISHED)
node 4443 vagrant 17u IPv6 30018 0t0 TCP 192.168.33.100:3000->192.168.33.1:52554 (ESTABLISHED)
node 4443 vagrant 18u IPv6 30020 0t0 TCP 192.168.33.100:3000->192.168.33.1:52556 (ESTABLISHED)
node 4443 vagrant 19u IPv6 30024 0t0 TCP 192.168.33.100:3000->192.168.33.1:52578 (ESTABLISHED)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
This may look a bit strange, but this is because the connections used to open the site are also kept alive for few seconds. So after waiting for sometime
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
node 4443 vagrant 18u IPv6 30020 0t0 TCP 192.168.33.100:3000->192.168.33.1:52556 (ESTABLISHED)
node 4443 vagrant 19u IPv6 30024 0t0 TCP 192.168.33.100:3000->192.168.33.1:52578 (ESTABLISHED)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
As you can see no. of connections will be always be higher when you use Nginx

Redirecting ports for a service can iptables be used instead of mod_proxy

I have a service which is running on http port 8080 and https port 8443 and all traffic to port 8080 is being redirected to https 8443 which is configured on server.xml itself.
Requirement :
All traffic when using ports 80,8080,443,8443 should be diverted to 8443 without port number getting displayed under URL
Possible solutions :
I know that using mod_proxy,masking and reverse proxy we can implement it (http://www.pothireddy.com/knowledge/environment/masking/)
Question here is can we use IPTABLES to implement that instead of mod_proxy solution, if so how can do we achieve it....
Already tried something like this :
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
Fixed problem when someone is hitting port 443
When someone hits port 8443 explicitly then port 8443 is showing
up on the url ? Can we implement something like .... just to mask
the port 8443 iptables -t nat -A PREROUTING -p tcp --dport 8443 -j
REDIRECT --to-port 8443
How to redirect traffic from port 80 to port 8443, when I tried
using below command, looks like it is getting confused diverting
traffic from http port to https port ? iptables -t nat -A PREROUTING
-p tcp --dport 8443 -j REDIRECT --to-port 8443
Any Possible solution for fixing the above 2 questions ?

if you are using apache web-server, you can make new virtualhost in some port like
http://wiki.apache.org/httpd/RedirectSSL
NameVirtualHost *:8080
<VirtualHost *:8080>
ServerName mysite.example.com
DocumentRoot /usr/local/apache2/htdocs
Redirect permanent /secure https://mysite.example.com/secure:8443
</VirtualHost>
<VirtualHost _default_:8443>
ServerName mysite.example.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine On
# etc...
</VirtualHost>

IP destination header in DNS request/reply

When a DNS request/reply is sent to/by a DNS server on another subnet, what IP destination address will be used in the IP header?

DNS is a normal UDP protocol: The real IP-address of the Client-Host and DNS-Server is sent (it will only change if there is a NAT-Service in between).
Example:
Host: 1.1.1.1
NAT-Router-Service: private 1.1.1.2 / public 2.2.2.2
DNS-Server: 3.3.3.3
1. Host: request-packet from 1.1.1.1 to 3.3.3.3
2. NAT-Service: request-packet from 2.2.2.2 to 3.3.3.3
3. DNS-Server: reply-packet from 3.3.3.3 to 2.2.2.2
4. NAT-Service: reply-packet from 3.3.3.3 to 1.1.1.1
Regards Thomas

Resources