I am trying to receive data on port 443 and forward that to my coturn server listening to port 5349.
I want this set up so that my webRTC app can connect over 443 but without my coturn server having root access(for privilege port 443).
In my /etc/ufw/before.rules I have below entries
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
COMMIT
When I test my turn setup at https://test.webrtc.org/ using 443 port I get:
Udp disabled
Relay connectivity timed out
Reflexive connectivity timed out
But using using port 5349 it seems to work.
I have all needed ports open in ufw. I tried with ufw disabled too.
Do I need to add any other changes for port forwarding like adding entry OUTPUT(which I don't know how to add, though).
Do I need to add the rule entry for IPv6 too (/etc/ufw/before6.rules)?
I added these to the before.rules file
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5349
-A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 5349
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 5349
-A OUTPUT -o lo -p udp --dport 443 -j REDIRECT --to-port 5349
COMMIT
I am not sure if it is ok. But at the moment this seems to work. I am still open for suggestion. Please give me suggestions to improve what I have done so far
Related
I am trying to run Mitmdump and the Sslstrip2 together but they are not working together.
Whereas they're both need to listen port 80, I forwarded both applications to unic ports, like following ;
For SSLStrip preperation-->
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9090
For Mitmdump preperation -->
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
--Then I activated both of those applications ;
#Arp poisoning is active in this proccess.
1-) python sslstrip.py -l 9090 #Set this up to 9090, because following mitmdump listeneris default of 8080.
2-) ./mitmdump --mode transparent --modify-body :~s:"":"alert("hi");"
Problem is, they work seperately, but while co-execution just one of them working.
I need to be able to use mitmdump while hsts, https is hijacked successfully.
I need to set up access to the HTTP(S) servers on devices like KVMs and PDUs on a private network (192.168.0.0/24). I must get through an isolated network (10.0.0.0/8) limited to ports 22 and 443. I have a dual-NIC Linux server inside the network that serves as a gateway to the private network. See diagram Here:
Network Diagram
I need to use a forward SSH tunnel to get to the Linux gateway, then use iptables NAT to route HTTP(s) traffic to the web frontends on the devices.
I've observed with both tcpdump and iptables trace that the inbound HTTP(s) request through the SSH tunnel shows up on interface lo , not eth1 as one might expect.
This has led me to come up with the following nat and filter rules:
*nat
-A PREROUTING -i lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i lo -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.0.101:443
-A POSTROUTING -d 10.0.0.0/8 -o lo -j SNAT --to-source <10.gateway_IP>
COMMIT
*filter
:INPUT ACCEPT [37234:5557621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26648:27864039]
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
So, when I set up the tunnel with:
ssh -L 8080:<gateway>:8080 <user>:#<gateway>
Then making sure on the gateway:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and then execute http://localhost:8080,
The packets make it out of the tunnel onto the gateway, out of interface lo, but iptables doesn't seem to forward it to the destination in the PREROUTING rule. stderr from the tunnel returns "Connection refused."
What am I missing?
Host A has https service serviceA and provides two IP for high availability。
e.g. Bose [ip1:443] and [ip2:443] are routed to the serviceA.
Host B (do not has ssl_certificate and ssl_certificate_key) use Nginx proxy module to proxies the requests towards the actual serviceA.
How to simply forward 443 port traffic to serviceA without ssl verification?
Here is my config:
http {
upstream backend {
server [ip1]:443;
server [ip2]:443;
}
server {
listen 443;
listen [::]:443;
location / {
proxy_pass https://backend;
}
}
}
There're two theoretically possible ways to solve your issue:
Nginx with ngx_stream_ssl_preread module
HAproxy (for balancing) -> proxy_protocol -> Nginx (with ssl certs)
Try:
ip6tables -t nat -A PREROUTING -d 2002:xxxx:9a21::1/128 -i sit6to4vip -p tcp --dport 443 -m statistic --mode random --probability .5 -j DNAT --to-destination 2002:xxxx:f6ea::1
ip6tables -t nat -A PREROUTING -d 2002:xxxx:9a21::1/128 -i sit6to4vip -p tcp --dport 443 -m statistic --mode random --probability .5 -j DNAT --to-destination 2002:xxxx:f6e9::1
ip6tables -t nat -A POSTROUTING -d 2002:xxxx:f6ea::1/128 -o sit6to4vip -p tcp --dport 443 -j SNAT --to-source 2002:xxxx:9a21::1
ip6tables -t nat -A POSTROUTING -d 2002:xxxx:f6e9::1/128 -o sit6to4vip -p tcp --dport 443 -j SNAT --to-source 2002:xxxx:9a21::1
It does't work
I'm wondering if I could forward SQL queries from localhost to another local IP address?
I don't want to install SQL Server on Linux, but I need to connect to it on another PC through localhost.
Thanks
You can use iptables:
iptables -A FORWARD -p tcp -i eth0 -s localhost -d x.x.x.x --dport 3306 -j ACCEPT
where x.x.x.x is the mysql server ip address, and eth0 is the interface you use.
It seems like you are asking if you are on a Linux machine you want to query to localhost and have that query forwarded to a SQL Server. In this case the above answer is partially correct and will allow packets to be forwarded but doesn't actually perform the forward/redirect. You also say "SQL Server" which I take to mean MS SQL Server. The default port in this case is listed as 1433. You would actually need (2) rules:
# iptables -t nat -A PREROUTING -p tcp -i lo -d localhost --dport 1433 -j DNAT --to-destination x.x.x.x # where x.x.x.x is the SQL Server IP address
# iptables -A FORWARD -i lo -p tcp --dport -j ACCEPT # only if your default FORWARD policy is DROP. Otherwise you just need the prerouting rule.
I have an apache webservice running on port 8080 but would like to be able to connect on port 80. However, my unix sysadmin does not allow apache to be started as root nor does she provide access to sudo.
However, she will execute commands on request.
I believe this can be achieved with iptables. Is there a way to map port 80 to 8080 and 443 to 8083 without this sysadmin having to edit any files.
i.e. just using echo with appender >>.
She can do this by running :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
This will make redirection active immediately, but doesn't save it and thus it will not work anymore after a reboot.
It is possible to do this without editing any file at all by using iptables-save. But it depends which linux flavor you're running, and if you use ferm, ufw, or some other firewall management tools.
On RedHat/CentOS, she could just do :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
iptables-save > /etc/sysconfig/iptables
On other OSes variants, YMMV !