I've been struggling with this for a while now, and I can't find any answers online. Looking up the documentation doesn't really help. I don't understand what the argument host in a BPF code is supposed to represent or how to use it properly. Does it work the same way as net? (not saying I know what net does, I just assumed they might be similar) Please help.
host can be used to match a destination or source IP address in packets, whereas net can be used to match all IPs in a subnet and takes a CIDR. For example:
# matches all packets with 192.168.1.1 as source or destination IP address:
host 192.168.1.1
# matches all packets with destination IP address 192.168.1.1
dst host 192.168.1.1
# matches all packets with a source IP address within 192.168.1.0-255
src net 192.168.1.0/24
Note that host 192.168.1.1 is equivalent to net 192.168.1.1/32.
Source: This is all documented at https://www.tcpdump.org/manpages/pcap-filter.7.html.
Related
I understand that 0.0.0.0/0 this means that i'm allowed whatever my IP is to connect to this instance(server).
I'm trying to modify my GCP instance firewall rule, to allow my IP only to access this instance, I'm accessing it via ssh as it's an ubuntu server. So I've to specify in the rule some adress in the form of 0.0.0.0/0 where my public IP is not in this format.
I don't understand the following
what is /0 means ?
How to generate an IP that match this format ?
Should I be using my public IP or another kind of IP ?
Have a look at this Wiki Article on CIDR notation.
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
In GCP (and possibly elsewhere), the CIDR range of 0.0.0.0/0 is used to donate any address at all.
If you want to restrict traffic to your Compute Engine instance at the IP level, then:
Determine your own IP address ... for example 1.2.3.4
Change the firewall rule to allow only traffic from 1.2.3.4/32
Given that an IP address (ipV4) is 32 bits then when we suffix a CIDR range with /32 we are saying the whole IP address must match.
1) Get the external ip from where you going to ssh with typing ( what is my ip ) in any browser , copy that ip
2) create firewall rule and use that external ip e.g 35.34.36.37/32 for port 22 (ssh ) with "apply to all instance" option set
3) If you are using putty for ssh then make sure to export the ssh key to the instance
After following all above step if should work
The best recommendation I would give is to open a case on issuetracker where your project will inspect closely by GCP team if you dont have any support package orthherwise open a case directly from your project.
The reason behind this recommendation is because some needs to inspect your project for solving your problem
I tired to provide my IP4/32 it still wasn't working. But i found a solution for this problem.
solution
First go to IAP
Copy this IP 35.235.240.0/20 under Preparing your project for IAP TCP forwarding
This range contains all IP addresses that IAP uses for TCP forwarding
Paste the copied IP inside the IP source of your firewall rule.
Go to What_Is_My_IP and copy your IPv4
Add your copied IP to the IP source range inside your firewall rule
save, and start your ssh connection to the VM
Solution: It turns out ipv6 has got it's own firewall which I didn't know and it filtered out 80 and 443! Thanks so much Nicholas Pipitone!
I'm having difficulties to get apache to accept ipv6 connections (everything perfect on ipv4). Results from ready.chair6.net:
What I tested/tried:
Disabling firewall doesn't change the result
Getting apache to listen on all interfaces or specifically the ipv6 interface doesnt change the result
Executing 'curl https://v6.ident.me/' correctly sends me back my ipv6 address
Netstat tells me that both the ipv4 AND ipv6 address are listening for connections on 80 and 443
I'm really stuck here, what else can I do?
The MX record error means it's having a problem getting the IP address from the DNS servers.
Solution: Try dig +short AAAA $hostname and dig +short MX $hostname, with $hostname being your URL. If you don't see an IPv6 IP in the terminal, then you don't have DNS fully setup. If you just recently setup your URL, then wait a day for caches to be updated. If it's been a while, talk to who you bought the domain name from / who's responsible for making your URL point to your IP.
Note: MX is only for mail. If you don't want incoming mail / that's not what the problem is, then that test is testing something it doesn't have to test, and you can ignore it.
More possibilities: Is the hostname on line 4 the same as the host name on the second to last line? Try pinging that IPv6 address from line 4 on a different computer (Not on the same private network); what do you get?
If you get a response, try nmaping the IPv6 on another computer to see if port 80 is open to the public.
-If the nmap fails then try checking your port forwarding settings if you're behind a NAT. If you're not behind the NAT then something might be blocking the request in-between their computer and your computer (Very unlikely); you can try telnet'ing to port 80 remotely and see if you're getting the requests - because then it's just an apache issue.
-If nmap succeeded, then what do you get? Send an HTTP request over command line from the another computer and see if you get a response.
If pinging doesn't work, then you're just not connected to the internet (o.O), idk how to help with that. If pinging the IPv6 works but pinging the URL doesn't, then dig must not be showing anything and it's the DNS as mentioned previously. If dig does show something in that case, then I'm lost.
I am trying to set up a STUN/TURN server on my local computer for a webrtc application of me. I decided to use coturn. Note that my server is running behind a NAT.
So i fired up my Ubuntu VM and installed it. After reading through the wiki I got it working, atleast on my local network. For testing purposes, i use this site. Therefore, when i try it there with 192.168.178.25:3478, it works. When i try it with "public-ip":3478, it doesnt.
This told me, it is working locally and it should be a port/NAT issue. What i did:
1) I set the VM to Bridging
2) I opened the port 3478 on my router. To test if this is really working, i used telnet on a remote machine and it worked. Another test was that i set up a quick apache server on my local machine on port 3478 and it could be accessed from the outside. This told me that there is, or should be, not port/NAT issue and my turn server should be working.
Any ideas?
I am running my server with the following command:
"sudo turnserver -X "public-ip" -listening-port=3478 -v
The turnserver.conf looks something like this:
fingerprint
realm="myRealm"
lt-cred-mech
user=test:test
As telnet and apache server are both working, i am pretty sure i have a configuration issue. I basically spent the weekend trying and im really lost on what could be wrong.
Thanks for any help!
From the documentation of turnserver
-X, --external-ip <public-ip>[/private-ip] TURN Server public/private address mapping, if the server is behind NAT. In that situation, if a -X is used in form "-X " then that ip will be reported as relay IP address of all allocations. This scenario works only in a simple case when one single relay address is to be used, and no CHANGE_REQUEST STUN functionality is required. That single relay address must be mapped by NAT to the 'external' IP. The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field. For that 'external' IP, NAT must forward ports directly (relayed port 12345 must be always mapped to the same 'external' port 12345). In more complex case when more than one IP address is involved, that option must be used several times, each entry must have form "-X ", to map all involved addresses. CHANGE_REQUEST NAT discovery STUN functionality will work correctly, if the addresses are mapped properly, even when the TURN server itself is behind A NAT. By default, this value is empty, and no address mapping is used.
So, it is not enough that you expose only the listening port from the inside LAN to the public network but all ports that you are going to use to relay. Please, note what is said in the same documentation:
--min-port <port> Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766.
--max-port <port> Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766.
You should choose a range of ports in the server, configure with them the options --min-port and --max-port and create a NAT rule to expose those ports to the public side of the router without change.
So I have a whole bunch of machines on my 10.10.10.x subnet, all of them are essentially configured in the same way. I differentiate these from machines on my 10.10.11.x subnet which serves a different purpose.
I'd like to be able to type 'ssh 10.x' to connect to machines on the 10. network and 'ssh 11.x' to connect to machines on the 11 network.
I know I can setup individual machines to allow access to the full ip, or the shorthand version like this in my ~/.ssh/config:
Host 10.10.10.11 10.11
HostName 10.10.10.11
User root
This can get pretty repetitive for lots of hosts on my network, so my question is, is there a way to specify this as a pattern, for the entire subnet, something like:
Host 10.10.10.x
User root
Host 10.x
HostName 10.10.10.x
User root
Thanks
This line will provide the desired functionality:
Host 192.168.1.*
IdentityFile KeyFile
If you attempt to connect a server whose ip is in this subnet, you will be able to establish an ssh connection.
From the ssh_config(5) Manpage:
A pattern consists of zero or more non-whitespace characters, ‘*’ (a
wildcard that matches zero or more characters), or ‘?’ (a wildcard that
matches exactly one character). For example, to specify a set of decla‐
rations for any host in the “.co.uk” set of domains, the following pat‐
tern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network
range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within
pattern-lists may be negated by preceding them with an exclamation mark
(‘!’). For example, to allow a key to be used from anywhere within an
organisation except from the “dialup” pool, the following entry (in
authorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
So you can just use host 10.*
I have written a network client for iOS which uses the SCNetworkReachabilityCreateWithName() function to initiate monitoring of the availability of the remote hosts. This works beautifully if the remote hosts have only IPv4 addresses or only IPv6 addresses.
A problem arises when the client is on an IPv4 only network and is monitoring a host which has both an IPv4 address and an IPv6 address. The client will monitor the IPv6 address of the remote host and indicate that the host is unavailable even though the IPv4 address is reachable.
I've searched and have been unable to find a way to instruct SCNetworkReachability to default to monitoring the IPv4 address if an IPv6 network is unavailable.
I can work around this by programmatically determining the public IP addresses of the device, manually resolving the hostname, and using the IPv4 address if a non-link local IPv6 address exists, however I'm hoping that someone has a simpler solution.
Since the functions are the same for both iOS and OS X, this problem would affect OS X clients as well.
My specific implementation is the .m and .h files for my BKNetworkReachability class:
https://github.com/bindle/BindleKit/tree/master/BindleKit/controllers