I have a broadband connection and it changes my ip address pretty frequently but will always be from xx.yy.0.0 to xx.yy.255.255
I want to use a CIDR address format like xx.yy.0.0/16
When i configure like this, redis server doesn't start up.
One alternative i have in mind is to allow redis on 0.0.0.0 but allow the port 6379 at the firewall to only xx.yy.0.0/16
I will end up doing like this, if redis doesn't support CIDR address binding out of the box.
please suggest.
Related
I understand that 0.0.0.0/0 this means that i'm allowed whatever my IP is to connect to this instance(server).
I'm trying to modify my GCP instance firewall rule, to allow my IP only to access this instance, I'm accessing it via ssh as it's an ubuntu server. So I've to specify in the rule some adress in the form of 0.0.0.0/0 where my public IP is not in this format.
I don't understand the following
what is /0 means ?
How to generate an IP that match this format ?
Should I be using my public IP or another kind of IP ?
Have a look at this Wiki Article on CIDR notation.
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
In GCP (and possibly elsewhere), the CIDR range of 0.0.0.0/0 is used to donate any address at all.
If you want to restrict traffic to your Compute Engine instance at the IP level, then:
Determine your own IP address ... for example 1.2.3.4
Change the firewall rule to allow only traffic from 1.2.3.4/32
Given that an IP address (ipV4) is 32 bits then when we suffix a CIDR range with /32 we are saying the whole IP address must match.
1) Get the external ip from where you going to ssh with typing ( what is my ip ) in any browser , copy that ip
2) create firewall rule and use that external ip e.g 35.34.36.37/32 for port 22 (ssh ) with "apply to all instance" option set
3) If you are using putty for ssh then make sure to export the ssh key to the instance
After following all above step if should work
The best recommendation I would give is to open a case on issuetracker where your project will inspect closely by GCP team if you dont have any support package orthherwise open a case directly from your project.
The reason behind this recommendation is because some needs to inspect your project for solving your problem
I tired to provide my IP4/32 it still wasn't working. But i found a solution for this problem.
solution
First go to IAP
Copy this IP 35.235.240.0/20 under Preparing your project for IAP TCP forwarding
This range contains all IP addresses that IAP uses for TCP forwarding
Paste the copied IP inside the IP source of your firewall rule.
Go to What_Is_My_IP and copy your IPv4
Add your copied IP to the IP source range inside your firewall rule
save, and start your ssh connection to the VM
I am trying to set up a STUN/TURN server on my local computer for a webrtc application of me. I decided to use coturn. Note that my server is running behind a NAT.
So i fired up my Ubuntu VM and installed it. After reading through the wiki I got it working, atleast on my local network. For testing purposes, i use this site. Therefore, when i try it there with 192.168.178.25:3478, it works. When i try it with "public-ip":3478, it doesnt.
This told me, it is working locally and it should be a port/NAT issue. What i did:
1) I set the VM to Bridging
2) I opened the port 3478 on my router. To test if this is really working, i used telnet on a remote machine and it worked. Another test was that i set up a quick apache server on my local machine on port 3478 and it could be accessed from the outside. This told me that there is, or should be, not port/NAT issue and my turn server should be working.
Any ideas?
I am running my server with the following command:
"sudo turnserver -X "public-ip" -listening-port=3478 -v
The turnserver.conf looks something like this:
fingerprint
realm="myRealm"
lt-cred-mech
user=test:test
As telnet and apache server are both working, i am pretty sure i have a configuration issue. I basically spent the weekend trying and im really lost on what could be wrong.
Thanks for any help!
From the documentation of turnserver
-X, --external-ip <public-ip>[/private-ip] TURN Server public/private address mapping, if the server is behind NAT. In that situation, if a -X is used in form "-X " then that ip will be reported as relay IP address of all allocations. This scenario works only in a simple case when one single relay address is to be used, and no CHANGE_REQUEST STUN functionality is required. That single relay address must be mapped by NAT to the 'external' IP. The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field. For that 'external' IP, NAT must forward ports directly (relayed port 12345 must be always mapped to the same 'external' port 12345). In more complex case when more than one IP address is involved, that option must be used several times, each entry must have form "-X ", to map all involved addresses. CHANGE_REQUEST NAT discovery STUN functionality will work correctly, if the addresses are mapped properly, even when the TURN server itself is behind A NAT. By default, this value is empty, and no address mapping is used.
So, it is not enough that you expose only the listening port from the inside LAN to the public network but all ports that you are going to use to relay. Please, note what is said in the same documentation:
--min-port <port> Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766.
--max-port <port> Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766.
You should choose a range of ports in the server, configure with them the options --min-port and --max-port and create a NAT rule to expose those ports to the public side of the router without change.
I'm trying to configure Redis (redis.conf, bind parameter) to accept access only from certain ips. In my case I want to enable access for the loopback network interface (127.0.0.1/::1) and for the ip 192.168.56.101 (192.168.56.102 is the ip of the Redis server). According to all the documentation that I have read so far the configuration below should work...
bind 127.0.0.1 ::1 192.168.56.101
... but that's not what happens.
I've tried several other configurations...
bind 127.0.0.1 192.168.56.101 ::1
bind 127.0.0.1 192.168.56.101
bind 192.168.56.101
bind 192.168.56.0
bind 192.168.0.0
... and nothing works. =|
The only configuration that worked was this...
bind 0.0.0.0
But, this configuration opens access to any ip!
NOTE: The protected-mode parameter (redis.conf) has a no value.
Any idea what might be happening?
REFERENCE:
Redis bind to more than one IP
https://redis.io/topics/security
http://download.redis.io/redis-stable/redis.conf
FURTHER QUESTION:
How could I enable access for an IP range (bind parameter)? Something like...
bind 192.168.56.0
... or...
bind 192.168.56.0/24
In these examples any machine with an ip starting at "192.168.56" will have access to the Redis server.
#Carl Dacosta
#Jacky
Thanks!
I think you misunderstand the bind configuration and IP-whitelist.
The bind configuration specifies the IP addresses that Redis listens to. If you bind Redis to loopback interface, only local clients can access Redis. If you want other hosts to access Redis, you have to bind Redis to all network interfaces (i.e. 0.0.0.0), or some specified network interfaces.
What's you need is IP-whitelist, which lists the IP addresses that can access Redis. AFAIK, so far, Redis DOES NOT support that (correct me, if I'm wrong).
There are other solutions to limit the access to Redis (all these solution needs Redis NOT to bind on loopback interface).
Limit access by authentication
You can use the requirepass configuration to set a password for Redis. Only clients with the password can access Redis.
Limit access by OS utility
On Linux, you can use iptables to control the network access. With this utility, you can only allow specified hosts to access the port that Redis bind to.
log:Creating Server TCP listening socket (myip:port): bind: Cannot assign requested address
my redis.conf
bind 10.114.234.11
when i cofig like this
bind 127.0.0.1
it works well
You likely do not currently have any interfaces set up for the 10.x.x.x subnet. If you're on any flavor of Linux, ifconfig should be able to tell you which interfaces are currently set up. For example, I'm running Mint 17:
$ ifconfig | grep "inet addr"
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
So I (like you) would not be able to bind Redis (or most any other service requesting a TCP socket) to 10.x.x.x. If you are really trying to listen for connections on that subnet, you will need to change your network setup (how exactly that would be done depends largely on your operating system).
I also faced same issue while setting up redis for remote access. I was using google cloud platform and we created Google compute engine VM instance where we installed our Redis server. Redis doesn't ship with by default with security configured. You have to perform some steps to secure it. By updating IP address in redis.conf in bind will allow access only from that IP addresses. When we were doing it, we were getting same error.
To solve this issue we haven't added IP addresses in redis.conf file instead in Google cloud firewall rules when we add port open record in network -> IP ranges you can specify IP address which you want allow to access redis. In redis.conf file update from bind 127.0.0.1 to bind 0.0.0.0. So basically we will restrict it from Google cloud firewall rules dashboard.
Below are steps to add IP address restrictions:
Login to your google cloud console
Navigate to VPC Network -> Firewall Rules
Click on CREATE FIREWALL RULE or edit existing one if it's already there
In Source IP ranges add your IP address to allow access only - See below screenshot
Once you create this rule add this source tags under your VM instances network type and you are done.
I have faced the same issue when I changed the default redis.conf to custom Redis conf and after changing the bind as below then it started working, Please be aware that the below conf will open the Redis connection from all sources.
bind 127.0.0.1 -::1 to bind 0.0.0.0 -::1
At /etc/redis/redis.conf
Please change
bind 127.0.0.1 ::1
to
bind 0.0.0.0
then restart
/etc/init.d/redis-server restart
It's work to me
Okay so I have been on Google for about an hour or so trying to figure this one out.
I have a L2TP/IPSec vpn setup. When clients connect a new interface is created for that client the issue is durning boot and most of the time these interfaces do not exist. My vpn range starts at 10.24.1.1 I want sshd to listen on 10.24.1.1 but when there is no client connected it failes to bind address
/var/log/secure:
Apr 15 01:38:26 arija sshd[28068]: error: Bind to port 22 on 10.24.1.1 failed: Cannot assign requested address.
which makes sense. My Question is. Is there a way to create some sort of dummy interface or just assign 10.24.1.1 so sshd will listen on it? Thanks for the help!!
Also Server is CentOs 6 64bit
you can just add the ip address you need to the interface during startup
the configuration depends on which linux flavor you're using, as an example for ubuntu it's located in /etc/network/interfaces.d/eth0.cfg.
Make sure you're excluding this address from the address pool you are using to provision IP Addresses to the L2tP clients
First of all, you need to understand, that in common situation service can listen only on 'up-and-running' interface with assigned IP. The reason of this is Linux core limitations. You can change this behavior at runtime with:
sysctl net.ipv4.ip_nonlocal_bind=1
or at boot time by setting same parameter in /etc/sysctl.conf:
...
net.ipv4.ip_nonlocal_bind=1
...
But there is simpler way for you: you can bind sshd to 0.0.0.0 in their config /etc/ssh/sshd_config:
...
ListenAddress 0.0.0.0
...