Unable to set correctly a firewall in mininet with sdn and openflow ovs (UDP version) - udp

I'm experimenting with mininet in Ubuntu 14 in order to create a basic firewall which blocks the UDP packets from one host (h1 = 10.0.0.1) to another (h4 = 10.0.0.4).
Those hosts are in the same VLAN and on different switches (if that can be of any help). Also I would like to block the UDP packets whose destination port is 5001.
To do so, I have launched two xterms on h1 (in mininet) in order to check that the ping is working correctly and also to launch the packets to h4. xterm h1: "iperf -u -c10.0.0.4 -p 5001 -i 5 -b 200K -t 360".
In mininet I have also opened an xterm on h4 to set it up as a server listening on port 5001. xterm h4: "iperf -s -u -p 5001 -i 5".
Then I guess the rule I have to introduce is this one: "sh ovs-ofctl add-flow s1 udp_dst=5001,nw_proto=17,actions=drop"
But it doesn't work: the packets are still arriving. The ping works fine, but (and here comes the main problem) the packets arrive at the server and they shouldn't.
Any help please?
Thank you very much
Here I leave you the screenshots of the network topology and also what appears in the xterm windows.
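
An added example (not from the question) of the drop rule the question is trying to write, with a check that the rule is actually being matched; the switch name s1 and the host addresses are the question's, while the priority value and the sample dump-flows output are my assumptions.

```shell
#!/bin/sh
# Added example, not from the question: an OpenFlow rule that drops the
# h1 -> h4 UDP/5001 traffic described above, and a check that the rule is
# actually being hit. Switch name s1 and the host addresses are the
# question's; priority and the sample output below are my assumptions.

# "udp" expands to dl_type=0x0800,nw_proto=17, the prerequisite that the
# question's rule (udp_dst without dl_type) lacks. OpenFlow's default flow
# priority is 32768, so 65000 wins over the controller's learned flows.
udp_drop_flow() {
    src="$1"; dst="$2"; port="$3"
    echo "priority=65000,udp,nw_src=${src},nw_dst=${dst},tp_dst=${port},actions=drop"
}

# Install on the switch h1 is attached to, so the traffic is dropped before it
# crosses the inter-switch link. From the Mininet CLI prefix the call with "sh".
install_udp_drop() {
    sw="$1"; shift
    ovs-ofctl add-flow "$sw" "$(udp_drop_flow "$@")"
}

# Pull n_packets for the drop rule out of "ovs-ofctl dump-flows <sw>" output.
# Run it twice while iperf sends: a growing counter means the rule matches; a
# counter stuck at 0 means the packets take another path (other switch, wrong
# match) and the rule has nothing to do with what arrives at h4.
drop_rule_packets() {
    printf '%s\n' "$1" \
      | grep 'actions=drop' | grep 'tp_dst=5001' \
      | sed -n 's/.*n_packets=\([0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of dump-flows output (not captured from the real setup).
SAMPLE_DUMP=' cookie=0x0, duration=12.3s, table=0, n_packets=42, n_bytes=63000, priority=65000,udp,nw_src=10.0.0.1,nw_dst=10.0.0.4,tp_dst=5001 actions=drop
 cookie=0x0, duration=9.8s, table=0, n_packets=7, n_bytes=686, priority=32768,icmp,nw_src=10.0.0.1,nw_dst=10.0.0.4 actions=output:2'

# Usage on a live Mininet:  install_udp_drop s1 10.0.0.1 10.0.0.4 5001
# then, while iperf runs:   drop_rule_packets "$(ovs-ofctl dump-flows s1)"
```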

Related

Can't access OpenStack instance from other devices

I have done a DevStack installation of OpenStack on a server.
I have added ICMP and SSH rules to the security group. And have made instances on it.
I can ssh and ping these instances from the host machine.
Now the problem is that I'm unable to ssh or even ping my instances from other machines on this network. And the fun part is that these instances can ssh/ping other machines and even ping my other server and ssh VMs on this server.
I hope I made sense, but if you have more to ask, please let me know.
ADMIN_PASSWORD=openstack
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
HOST_IP=192.168.4.72
enable_service s-proxy s-object s-container s-account
SWIFT_REPLICAS=1
SWIFT_HASH=66a3d6b56c1f479c8b4e70ab5c2000f5
enable_service h-eng h-api h-api-cfn h-api-cw
enable_plugin heat git://git.openstack.org/openstack/heat
FLOATING_RANGE=192.168.4.240/29
FLAT_INTERFACE=eno1
Doing this worked out fine for me
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp

Trying to create a virtual topology using miniedit that should use MQTT traffic

I have to create a virtual topology with miniedit that has to talk using the MQTT sub/pub system.
I'm working on VirtualBox (mininet-wifi).
I have installed mosquitto & the clients... using the terminals I have no problem with:
mosquitto_sub -t test
mosquitto_pub -t test -m hello!
But when I emulate the topology on Miniedit with (controller, switch and two hosts), the hosts cannot talk using mosquitto. I think that there is no broker that can handle the communications in the virtual topology; any suggestions?
I tried to connect also to a remote server, using cloudmqtt, but I only got a failed connection.
I expect that using
xterm h1 h2
on the command line interface of miniedit, I would be capable of making the two hosts talk between them using the
mosquitto_sub/pub system, because also in the xterm of the host, if I type
service mosquitto status
I obtain that
mosquitto is active
UPDATE
Solved.
I just have to run another host in which I type "mosquitto" and the other hosts would just reach it using "mosquitto_sub/pub -h 10.0.0.3", for example.
2 brokers (1 on each hosts) won't automatically discover each other when the "link" comes up.
You will have to either manually configure a bridge between the 2 brokers if you want messages to be shared.
Or pick one and have the clients explicitly connect to that one broker. e.g. the -h option for the mosquitto_pub or mosquitto_sub commands.
I agree with the solution. Let me give more in depth explanation.
Run basic mininet topo with 4 hosts and 4 switches.
mn --topo linear,4
Then open xterm for 3 hosts
xterm h1 h2 h3
Three terminals will pop up. One of them will be the host. On h3's (10.0.0.3) xterm terminal run
mosquitto
On h2 (10.0.0.2) subscribe to the topic with:
mosquitto_sub -h 10.0.0.3 -t "home/bedroom/light"
On h1 (10.0.0.1) publish a message by:
mosquitto_pub -h 10.0.0.3 -t "home/bedroom/light" -m "ON"
You can now see the message on h2's terminal. Hope it helps.

SSH reverse tunnel not working for webserver

I have a webapp running on a Raspberry Pi, which is behind a NAT, and I'm trying to make a tunnel to the company's server so that I can access it from the web. Right now I've been able to establish a tunnel using ssh -fN -R 192.168.0.28:54321:localhost:443 username@192.168.0.28 (both the server and the RPi are in the same LAN at the time), and doing curl -k https://192.168.0.28:54321 returns the contents of the webpage hosted on the RPi, but only if I do it from the server. I have set GatewayPorts yes and AllowTcpForwarding yes (which anyway is the default).
It was the firewall on the server blocking the port. ¬¬
To open said port, the command is sudo iptables -I INPUT -p tcp --dport 54321 -j ACCEPT, which says that any connection coming to the TCP port 54321 must be accepted.

Configuring IP Tables

I want to make sure that the only network traffic on my Linux CentOS server is my own.
All my server runs is a Tomcat instance with one servlet. This servlet takes a parameter, which is a URL to download. It will download from that url, and pass the contents back to the calling program through the usual http response.
I want to block all network traffic to this server except
1) Ability to ssh
2) Ability to download from host abc.xyz.com
3) Ability for server with IP 111.222.333.444 to download from me
Can someone please tell me the commands to do this in iptables? I tried finding this out myself but I was a bit out of my depth with the lingo.
Thanks
Configuring a firewall is simple, first of all select what ports you want to be open.
For example Webserver ports:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
For example SSH port:
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
In any case your server is able to download files from other servers/hosts.
3) Ability for server with IP 111.222.333.444 to download from me
I suppose that must be port 80 (or any port the server is downloading from) if you're uploading files to your website.
After these steps you need to look if the firewall is configured right:
iptables -L -n
If it's looking good then you're able to save your iptables, and restart the service.
If there is any problem configuring your firewall, please let me know.
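
An added example (mine, not the answer's) that carries the answer through to a complete policy for the three requirements, in iptables-restore format so it can be reviewed before loading; it assumes the servlet listens on port 80 as the answer suggests, that abc.xyz.com resolves to a single address, and that the downloads use HTTP or HTTPS.

```shell
#!/bin/sh
# Added example, not from the question or the answer above: a complete policy
# for the three requirements, emitted in iptables-restore format so it can be
# reviewed before it is loaded. Assumptions: the servlet listens on port 80 as
# the answer suggests (Tomcat's own default is 8080), abc.xyz.com resolves to a
# single address, and the downloads use HTTP or HTTPS.

# Resolve the download host once; iptables stores addresses, not names, so a
# rule written with "-d abc.xyz.com" silently goes stale when the record changes.
resolve_host() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

gen_ruleset() {
    servlet_port="$1"; download_ip="$2"; client_ip="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 1) ssh in
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 2) downloads from the one host, plus the DNS lookups needed to resolve it
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -d ${download_ip} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# 3) only the one client may reach the servlet
-A INPUT -s ${client_ip} -p tcp --dport ${servlet_port} -m conntrack --ctstate NEW -j ACCEPT
# everything else hits the DROP policies; keep a rate-limited log of what was refused
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Load and verify. OUTPUT DROP also blocks yum and NTP, so open those on purpose
# if the box must update itself. 111.222.333.444 is the question's placeholder
# (not a valid IPv4 address) and must be replaced with the real client address.
# gen_ruleset 80 "$(resolve_host abc.xyz.com)" 111.222.333.444 | iptables-restore
# iptables -L -n -v          # the check the answer recommends, with hit counters
# service iptables save      # persist across reboots on CentOS 6
```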

IPTABLES: ping and wget work although they should not

It seems I don't understand IPTABLES logic.
I reinstalled Ubuntu Server 11.10 on my server and turned on forwarding (net.ipv4.ip_forward=1 in /etc/sysctl.conf). The server has two network interfaces: eth0 (IP 192.168.1.1) faces the local network and eth1 (IP 213.164.156.130) faces the internet.
There's also another computer in the local network with IP 192.168.1.2.
Then I added two simple rules to the iptables *nat table:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -o eth1 -j SNAT --to-source 213.164.156.130
I thought that the first rule means forwarding every incoming packet to 192.168.1.2.
But if I run "ping google.com" or "wget google.com" from the server, they work successfully. The server receives the packets and doesn't do forwarding, and I'm really stuck with this.
If I run these commands from 192.168.1.2 they also work, which means forwarding works there.
These are NAT rules.
In your first rule, address translation occurs before routing the packet. You're changing the destination address to 192.168.1.2 and in the second rule, you're changing the source address before routing to 213.164.156.130.
I'm guessing you can ping & wget because your INPUT and OUTPUT chains have a default action.
TBH, I'm confused about what you actually want to do, but if you want to forward packets, you need to modify the FORWARD chain. Here's a link with detailed and helpful information on iptables so you can understand the logic better: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch14:_Linux_Firewalls_Using_iptables.
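
An added example (mine, not from the question or the answer) that narrows the question's two nat rules to one published port and adds the FORWARD rules the answer says are missing, in iptables-restore format; interfaces and addresses are the question's, while the published port and the LAN prefix 192.168.1.0/24 are my assumptions.

```shell
#!/bin/sh
# Added example, not from the question or the answer: the nat rules from the
# question narrowed to one published port, plus the FORWARD rules the answer
# says are missing, in iptables-restore format. Interfaces and addresses are
# the question's; the published port and the LAN prefix 192.168.1.0/24 are
# my assumptions.

gen_router_ruleset() {
    port="$1"
    wan_if=eth1; wan_ip=213.164.156.130
    lan_if=eth0; lan_net=192.168.1.0/24; target=192.168.1.2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# nat chains see only the first packet of each connection, which is why the
# router's own ping/wget kept working: their replies never enter PREROUTING as
# new connections. Match a port here; an unqualified DNAT as in the question
# also hands the router's own ssh and every other service on eth1 to the LAN box.
-A PREROUTING -i ${wan_if} -p tcp --dport ${port} -j DNAT --to-destination ${target}:${port}
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j SNAT --to-source ${wan_ip}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD is evaluated after PREROUTING, so it sees the translated destination
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -j ACCEPT
-A FORWARD -i ${wan_if} -o ${lan_if} -d ${target} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# sysctl -w net.ipv4.ip_forward=1   # the question already sets this in sysctl.conf
# gen_router_ruleset 80 | iptables-restore
# iptables -t nat -L -n -v; iptables -L FORWARD -n -v   # counters show which rule matched
```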