Docker exposing ports madness - php

I've got several docker containers up and running using docker-compose.
Nginx is connected to PHP through internal port-forwarding on 9000/tcp. PHP is connected to MySQL through internal forwarding.
Nginx is reachable on the public NIC!
Another container running Postfix is based on the same base image and is configured/launched exactly the same as the Nginx container, but its ports are not accessible from the internet.
Both nginx and postfix are exposed the same way, so why is postfix not reachable??
nginx (Dockerfile)
...
EXPOSE 80/tcp 443/tcp
...
postfix (Dockerfile)
...
EXPOSE 25/tcp 465/tcp 587/tcp
...
docker-compose.yml
...nginx
ports:
- "80:80/tcp"
- "443:443/tcp"
...
and
...postfix
ports:
- "25:25/tcp"
- "465:465/tcp"
- "587:587/tcp"
...
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
550cf81ccfc3 nginx "nginx -g 'daemon ..." 17 minutes ago Up 17 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginx
5b1b823c8b75 postfix "/run.sh" 17 minutes ago Up 17 minutes 0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp postfix
f7541058c973 php "php5-fpm -F" 17 minutes ago Up 17 minutes 9000/tcp php
ad1d1db33351 mysql "/sbin/entrypoint...." 17 minutes ago Up 17 minutes 3306/tcp mysql
netstat -a
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 464/sshd
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 461/rsyslogd
tcp6 0 0 :::25 :::* LISTEN 24924/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 24937/docker-proxy
tcp6 0 0 :::514 :::* LISTEN 461/rsyslogd
tcp6 0 0 :::587 :::* LISTEN 24899/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 24975/docker-proxy
tcp6 0 0 :::465 :::* LISTEN 24912/docker-proxy
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
Telnet on all ips:ports works fine from docker host.
nmap from outside to public ip:
25: filtered
80: open
110: filtered (although there is no service running, ~* weird *~)
443: open
465: filtered
587: filtered
uname -a
Linux h2127057 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
Who knows the solution??

A simple server reboot fixed it! Pretty stupid. :-(

Related

iptables block outgoing request from php

We have an Ubuntu server that hosts a PHP server and a game server.
Recently we have been getting a lot of DoS and flood attacks, so I found some iptables rules that can protect the HTTP and game ports from attack.
Here are my rules:
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3724 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
But the problem appears when PHP wants to open a request, like a SOAP web service call, to another server, and iptables blocks this connection.
I think that the problem is in this line:
iptables -P INPUT DROP
but without this line all requests to all other ports are allowed.
And this is the PHP SOAP error:
object(SoapClient)#48 (2) { ["_soap_version"]=> int(1) ["sdl"]=> resource(97) of type (Unknown) }
I appreciate all your comments. Thanks.
The problem is that outgoing connections use a random local port to listen for replies. So if, for example, you are requesting a DNS entry on port 53, your computer will listen on port 42316 for data. If the latter port is blocked, as is the case in the above setup, the connection will fail.
This is easily solved by generally allowing packets of ESTABLISHED and RELATED connections.
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Also, change the other rules to use state NEW, as that's most likely what you want to restrict. Otherwise it will just cripple the server's connectivity.
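As an added illustration of the answer above (my own example, not part of the question or the answer): a small first-match evaluator that parses the question's iptables commands, and a corrected set built the way the answer describes, into an INPUT chain and runs constructed packets through it. It models only -i, -p, --dport, --state and -j; the limit/connlimit matches are parsed and ignored (assumption: their thresholds are never hit), and each packet's state is what conntrack would have assigned. The reply to the outbound SOAP call arrives on an ephemeral destination port, so with the original rules it matches nothing and falls through to the DROP policy; with a RELATED,ESTABLISHED rule at the top it is accepted. The third packet also shows that the original first rule accepted every NEW TCP connection on eth0, so that ruleset never restricted ports, only rate.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int
    state: str  # NEW / ESTABLISHED / RELATED, as conntrack would classify it


def parse_rule(command):
    """Reduce one 'iptables -A INPUT ...' command to (match, target).
    Only -i, -p, --dport, --state and -j are modelled; -m limit / -m connlimit
    options are skipped (assumption: their thresholds are never exceeded)."""
    toks = shlex.split(command)
    match, target, i = {}, None, 0
    while i < len(toks):
        t = toks[i]
        if t == "-i":
            match["iface"] = toks[i + 1]; i += 2
        elif t == "-p":
            match["proto"] = toks[i + 1]; i += 2
        elif t == "--dport":
            match["dport"] = int(toks[i + 1]); i += 2
        elif t == "--state":
            match["states"] = set(toks[i + 1].split(",")); i += 2
        elif t == "-j":
            target = toks[i + 1]; i += 2
        elif t in ("-m", "--limit", "--connlimit-upto", "--connlimit-mask"):
            i += 2  # option with one argument that we ignore
        else:
            i += 1  # 'iptables', '-A', 'INPUT', '--connlimit-saddr'
    return match, target


def rule_matches(match, pkt):
    """A rule matches when every field it specifies equals the packet's."""
    return (match.get("iface", pkt.iface) == pkt.iface
            and match.get("proto", pkt.proto) == pkt.proto
            and match.get("dport", pkt.dport) == pkt.dport
            and pkt.state in match.get("states", {pkt.state}))


class InputChain:
    """First matching rule decides; with no match the chain policy applies."""

    def __init__(self, commands):
        self.policy, self.rules = "ACCEPT", []
        for cmd in commands:
            toks = shlex.split(cmd)
            if "-F" in toks:
                self.rules.clear()
            elif "-P" in toks:
                self.policy = toks[toks.index("-P") + 2]
            elif "-A" in toks:
                self.rules.append(parse_rule(cmd))

    def verdict(self, pkt):
        for match, target in self.rules:
            if rule_matches(match, pkt):
                return target
        return self.policy


LIMITS = "-m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr"
PORTS = (22, 80, 443, 3724, 25)

# The rules exactly as posted in the question.
ORIGINAL = [
    "iptables -F",
    "iptables -P INPUT DROP",
    "iptables -A INPUT -i lo -j ACCEPT",
    f"iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec {LIMITS} -j ACCEPT",
] + [f"iptables -A INPUT -i eth0 -p tcp -m tcp --dport {p} -m state --state RELATED,ESTABLISHED {LIMITS} -j ACCEPT"
     for p in PORTS]

# The answer's fix: accept replies first, then restrict NEW connections per port.
FIXED = [
    "iptables -F",
    "iptables -P INPUT DROP",
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
] + [f"iptables -A INPUT -i eth0 -p tcp -m tcp --dport {p} -m state --state NEW {LIMITS} -j ACCEPT"
     for p in PORTS]

# Constructed packets: the SOAP reply comes back to an ephemeral port.
SOAP_REPLY = Packet("eth0", "tcp", 42316, "ESTABLISHED")
WEB_HIT = Packet("eth0", "tcp", 80, "NEW")
MYSQL_PROBE = Packet("eth0", "tcp", 3306, "NEW")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        chain = InputChain(rules)
        for pkt in (SOAP_REPLY, WEB_HIT, MYSQL_PROBE):
            print(f"{name:8} {pkt.state:11} dport={pkt.dport:<6} -> {chain.verdict(pkt)}")
```

The evaluator deliberately ignores rate and connection limits, so it answers only the ordering question the answer raises; it is not a substitute for testing the real ruleset with conntrack enabled.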

Cannot connect to apache server from local machine

I have installed Apache and PHP on a Linux server running CentOS 6.4. I followed these steps:
yum install -y httpd
/sbin/service httpd restart
yum install -y php php-mysql
yum install -y mod_ssl openssl
/sbin/service httpd restart
service iptables stop
I changed the ServerName in /etc/httpd/conf/httpd.conf from
#ServerName www.example.com:80
to
ServerName 172.32.35.14 (ip address of the server)
/sbin/service httpd restart
I have a PHP sample page with the following code:
<?php
phpinfo();
?>
But when I try to access the page http://172.32.35.14/info.php from my local machine it says "Problem loading page". Whereas I get a proper response when I connect to the page from 172.32.35.15.
My ISP doesn't block HTTP requests.
The 172.* network is a VPN. I connected to the VPN and am able to ping the machine and open an SSH connection to it using PuTTY. But I cannot access the PHP page from my local machine.
What am I missing? Please advise.
netstat -tulpn output is:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1235/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4406/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 4198/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4636/master
tcp 0 0 0.0.0.0:52330 0.0.0.0:* LISTEN 1253/rpc.statd
tcp 0 0 :::111 :::* LISTEN 1235/rpcbind
tcp 0 0 :::80 :::* LISTEN 30170/httpd
tcp 0 0 :::22 :::* LISTEN 4406/sshd
tcp 0 0 ::1:631 :::* LISTEN 4198/cupsd
tcp 0 0 ::1:25 :::* LISTEN 4636/master
tcp 0 0 :::443 :::* LISTEN 30170/httpd
tcp 0 0 :::46690 :::* LISTEN 1253/rpc.statd
udp 0 0 0.0.0.0:1005 0.0.0.0:* 1253/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1235/rpcbind
udp 0 0 0.0.0.0:631 0.0.0.0:* 4198/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1129/dhclient
udp 0 0 0.0.0.0:986 0.0.0.0:* 1235/rpcbind
udp 0 0 0.0.0.0:39783 0.0.0.0:* 1253/rpc.statd
udp 0 0 :::111 :::* 1235/rpcbind
udp 0 0 :::38152 :::* 1253/rpc.statd
udp 0 0 :::986 :::* 1235/rpcbind
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Please confirm: your server (172.32.35.14) is where you have installed PHP and MySQL, right?
What is your local machine's IP?
Please run the tracert and nslookup commands from your local machine:
tracert 172.32.35.14
nslookup 172.32.35.14
and see where the packets drop.
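An added example (mine, not from either question above or from the reply) for the triage both threads need: an external scan reporting "filtered", or a browser's "Problem loading page", is a different symptom from "connection refused". The probe below classifies a port the way nmap labels it: open (the handshake completes; it then reads the first line the service sends, after an optional payload such as an HTTP request line), closed (the host answered with RST, so it is reachable but nothing listens on that port), or filtered (no answer within the timeout, or an ICMP unreachable, meaning something between the client and the service dropped or rejected the packets). The loopback listener and the "closed" port are constructed for the demo.

```python
import errno
import socket
import threading


def tcp_probe(host, port, timeout=3.0, payload=None):
    """Classify host:port the way nmap's open/closed/filtered states do.
    open     - handshake completed; detail is the first line the service sent
               (after an optional payload, e.g. an HTTP request).
    closed   - RST came back (ECONNREFUSED): host reachable, nothing listening.
    filtered - no reply within `timeout` or an ICMP unreachable: a firewall or
               routing problem on the path, not the service itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if payload:
                sock.sendall(payload)
            sock.settimeout(1.0)
            try:
                data = sock.recv(512)
            except socket.timeout:  # service accepted but said nothing
                data = b""
            return "open", data.decode("latin-1", "replace").split("\n")[0].strip()
    except ConnectionRefusedError:
        return "closed", "ECONNREFUSED"
    except socket.timeout:
        return "filtered", "no reply within %.1fs" % timeout
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered", errno.errorcode[exc.errno]
        raise


def scan(host, ports, **kw):
    """Probe several ports; returns {port: state}."""
    return {p: tcp_probe(host, p, **kw)[0] for p in ports}


def serve_banner_once(banner, bind_ip="127.0.0.1"):
    """Constructed stand-in for a service that greets with one line: accepts one
    connection, sends `banner`, closes. Returns the ephemeral port it chose."""
    srv = socket.socket()
    srv.bind((bind_ip, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port(bind_ip="127.0.0.1"):
    """Bind-and-release to find a port nothing listens on (tiny race; fine for a demo)."""
    s = socket.socket()
    s.bind((bind_ip, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port = serve_banner_once(b"220 mail.example.test ESMTP ready\r\n")
    print(open_port, tcp_probe("127.0.0.1", open_port))
    print(tcp_probe("127.0.0.1", closed_port()))
    # The web case: send a request so the server has something to answer with.
    print(tcp_probe("172.32.35.14", 80, payload=b"HEAD /info.php HTTP/1.0\r\n\r\n"))
```

Run it from the machine that cannot reach the page: "closed" means the packets arrive and the server itself is not listening on that address, while "filtered" means the request never gets an answer and the place to look is a firewall, VPN policy or provider filter on the path.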

Unable to start laravel development server on linux

I am using Laravel 5 for my project and everything has been working fine, but recently I am facing this problem which I don't understand.
devboy@devboy-hp ~/sonel_ims_project/ims_eneo $ php artisan serve
Laravel development server started on http://localhost:8000/
[Fri Nov 13 12:00:56 2015] Failed to listen on localhost:8000 (reason: Address already in use)
I have tried devboy@devboy-hp ~ $ sudo netstat -plnt and I get
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1840/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1985/cupsd
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 7563/php-5.6.3
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1656/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 6966/httpd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 740/smbd
tcp 0 0 127.0.0.1:6942 0.0.0.0:* LISTEN 7442/java
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 6931/php-5.6.3
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 1539/ircd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 740/smbd
tcp 0 0 127.0.0.1:63342 0.0.0.0:* LISTEN 7442/java
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6966/httpd
tcp6 0 0 :::21 :::* LISTEN 7337/proftpd: (acce
tcp6 0 0 ::1:631 :::* LISTEN 1985/cupsd
tcp6 0 0 :::3128 :::* LISTEN 1416/squid3
tcp6 0 0 :::25 :::* LISTEN 1656/master
tcp6 0 0 :::445 :::* LISTEN 740/smbd
tcp6 0 0 :::3306 :::* LISTEN 7343/mysqld
tcp6 0 0 :::139 :::* LISTEN 740/smbd
Then I change the port like so: php artisan serve --port="8888"
but get a similar error like below after a while:
Laravel development server started on http://localhost:8888/
[Fri Nov 13 12:01:02 2015] Failed to listen on localhost:8888 (reason: Address already in use)
The first time it happened, it was java using port 8000, so I killed the process and started the server and it worked. Upon stopping and restarting, I get the same error. What could be the problem (as I said everything has been working fine except now and I have not done any major update)?
Your previous deployment on your local machine is still running; that's why you can't run php artisan serve. You can solve your issue with the following commands in your terminal:
Run ps -ef | grep php and you'll see this list:
gujarat 6690 3500 0 05:55 pts/1 00:00:00 php artisan serve
gujarat 6694 6690 0 05:55 pts/1 00:00:00 sh -c '/usr/bin/php5' -S localhost:8000 '/home/gujarat/WebDevelopment/quickstart-basic'/server.php
gujarat 6695 6694 0 05:55 pts/1 00:00:00 /usr/bin/php5 -S localhost:8000 /home/gujarat/WebDevelopment/quickstart-basic/server.php
gujarat 7436 3500 0 06:26 pts/1 00:00:00 grep --color=auto php
Now kill it using sudo kill 6690; if it still exists, then use sudo kill -9 6690. You'll see this result:
[1]+ Killed php artisan serve
Now you can serve your local project using php artisan serve again.
Please restart the Apache server:
sudo apache restart
And once again run your project on another port:
php artisan serve --port=2020
This is exactly what I did for the problem.
I exit PHPStorm
sudo netstat -plnt
kill 7563 (Process using port 8888)
kill 6931 (Process using port 8000)
sudo /opt/lampp/lampp restart (Restart my server altogether)
php artisan serve
Launch PhpStorm
Now everything is working fine. What caused the problem anyway?
Using lsof, you can see what is listening on the port.
sudo lsof -i :80
Change the 80 to whichever port you're interested in. You need to be root or use sudo.
Run this command:
sudo netstat -plnt
The output will show like this
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 14 0 127.0.0.1:8000 0.0.0.0:* LISTEN 3648/php7.3
Then kill the process on port 8000 using this command:
kill -9 3648
Well, the problem might be that it didn't stop the expected way previously, e.g. via CTRL+C, so what you can do is check for running PHP processes and kill them one by one.
i) Run ps -A from the terminal, then identify the PHP process IDs (most of the time there are two).
ii) Run sudo kill -9 pid# for each of the PHP PIDs.
iii) Run php artisan serve and it will work.
This can happen when there is already an app running on 127.0.0.1:8000.
You can close that app, then it will work, or it is not available on the current host.
OR, if you want to run multiple apps, then use the way shown below:
You can use this command: sudo php artisan serve --port=8082 for Linux
php artisan serve --port=8082 for Windows
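The answers above all boil down to "find the PID bound to the port and kill it". As an added example (mine, not from any of the answers) here is how netstat -p and lsof -i find that PID on Linux, without either tool: parse /proc/net/tcp for sockets in LISTEN state, take the socket inode, then look for the /proc/<pid>/fd entry that links to socket:[inode]. That fd walk is why the commands need sudo to attribute other users' processes. A parser for the netstat -plnt text pasted in the question is included as well, so the same lookup works on a saved listing. The netstat sample is constructed from the question's own lines and the /proc/net/tcp sample is constructed; assumptions: IPv4 only (/proc/net/tcp6 is not read) and a little-endian host.

```python
import os
import re
import socket

LISTEN_STATE = "0A"  # TCP_LISTEN in the hex 'st' column of /proc/net/tcp


def decode_proc_addr(field):
    """'0100007F:1F40' -> ('127.0.0.1', 8000). The kernel prints the IPv4 address
    as a host-order 32-bit hex word, so on little-endian hosts (assumed here) the
    bytes come out reversed."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)


def listeners_from_proc_tcp(text):
    """Map listening port -> (local ip, socket inode) from /proc/net/tcp text."""
    result = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 10 and f[3] == LISTEN_STATE:
            ip, port = decode_proc_addr(f[1])
            result[port] = (ip, int(f[9]))
    return result


def pid_owning_inode(inode):
    """Walk /proc/<pid>/fd for the 'socket:[inode]' link, which is how lsof and
    netstat -p tie a socket to a process. Other users' fd tables are unreadable
    without root, hence 'sudo netstat -plnt'."""
    target = f"socket:[{inode}]"
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(f"{fd_dir}/{fd}") == target:
                    return int(pid)
        except OSError:  # process exited, or fd table not readable by us
            continue
    return None


def who_listens(port):
    """(pid, command name) for the process listening on `port`, or None."""
    with open("/proc/net/tcp") as fh:
        entry = listeners_from_proc_tcp(fh.read()).get(port)
    if entry is None:
        return None
    pid = pid_owning_inode(entry[1])
    if pid is None:
        return None
    with open(f"/proc/{pid}/comm") as fh:
        return pid, fh.read().strip()


# 'tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 6931/php-5.6.3'  (also tcp6 / ':::80')
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def listeners_from_netstat(text):
    """Parse 'netstat -plnt' output into port -> (pid, program)."""
    out = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            out[int(m.group(2))] = (int(m.group(3)), m.group(4))
    return out


# Sample listing, constructed from the lines pasted in the question.
NETSTAT_SAMPLE = "\n".join([
    "Active Internet connections (only servers)",
    "Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name",
    "tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1985/cupsd",
    "tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 7563/php-5.6.3",
    "tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 6931/php-5.6.3",
    "tcp6 0 0 :::21 :::* LISTEN 7337/proftpd: (acce",
    "tcp6 0 0 :::3306 :::* LISTEN 7343/mysqld",
])

# Constructed /proc/net/tcp excerpt: two listeners and one established connection.
PROC_TCP_SAMPLE = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0",
    "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0",
    "   2: 0100007F:1F40 0100007F:A4B2 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1",
])

if __name__ == "__main__":
    print(listeners_from_netstat(NETSTAT_SAMPLE).get(8000))  # (6931, 'php-5.6.3')
    if os.path.exists("/proc/net/tcp"):  # live demo: find ourselves behind a port
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        s.listen(1)
        print(who_listens(s.getsockname()[1]))  # (our pid, 'python3')
```

Once who_listens() returns a PID, check /proc/<pid>/cmdline before killing it: in this thread the port was held by a php -S child of an earlier artisan serve, and killing only the parent can leave that child (and the port) behind.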

Use other IP address of webserver

I have a PHP program which I run via the CLI. The aim of the program is to connect to some HTTP address and get some data. It works OK. But I want to use another IP address of my webserver instead of the primary one. Is there any solution for this?
EDIT: The webserver has multiple IP addresses. I want to use any of them I choose at any request; if that's not possible, at least one specific one. I have tried CURL_INTERFACE, and it's not sending data when I give it another IP than the primary.
HOSTNAME=server.xxxx.net
TERM=xterm
SHELL=/bin/bash
HISTSIZE=1000
SSH_CLIENT=<my ip> 23929 22
SSH_TTY=/dev/pts/1
USER=root
LS_COLORS=<blah blah>
MAIL=/var/spool/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
PWD=/root
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
HTTP_PROXY_REQUEST_FULLURI=0
SHLVL=1
HOME=/root
LOGNAME=root
CVS_RSH=ssh
SSH_CONNECTION=<my ip> 23929 <server ip> 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
_=/usr/bin/printenv
iptables rules
xx.xx.xx.xx is the server's primary IP address
*filter
:INPUT ACCEPT [85405:31617594]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92024:84346360]
:acctboth - [0:0]
-A INPUT -j acctboth
-A OUTPUT -j acctboth
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --dport 80
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --sport 80
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --dport 25
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --sport 25
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --dport 110
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp -m tcp --sport 110
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p icmp
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p icmp
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p tcp
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p tcp
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo -p udp
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo -p udp
-A acctboth -s xx.xxx.xx.xx/32 ! -i lo
-A acctboth -d xx.xxx.xx.xx/32 ! -i lo
-A acctboth ! -i lo
COMMIT
Depending on the HTTP server you are using, you can bind your "virtual host" configurations to a specific address and port.
In Apache2, for example:
<VirtualHost 127.0.0.10:8080>
    ServerAdmin myemail@mywebsite.com
    ServerName mywebsite.com
    ServerAlias www.mywebsite.com
    DirectoryIndex index.php index.htm
    DocumentRoot /var/websites/mywebsite.com/www
    <Directory "/var/websites/mywebsite.com/www">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog logs/mywebsite.com-error_log
</VirtualHost>
With nginx, something like:
server {
    server_name example.com www.example.com;
    listen 66.113.100.140:80;
    access_log /var/log/nginx/example.log;
    error_log /var/log/nginx/example.error.log;
    location /site {
        alias /data/www/content/site/example;
    }
    location / {
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 10;
        proxy_read_timeout 10;
        proxy_pass http://10.15.20.10:8107/;
    }
}
Also, starting from PHP 5.4 there is a built-in web server that can be used for testing purposes. Generally you can bind it to any local address as follows:
$ cd ~/public_html
$ php -S 127.0.1.1:8000
If you can use curl for outgoing HTTP requests, you can set an option in curl: CURLOPT_INTERFACE
curl_setopt($curlh, CURLOPT_INTERFACE, "xxx.xxx.xxx.xxx");
CURLOPT_INTERFACE: The name of the outgoing network interface to use. This can be an interface name, an IP address or a host name.
PHP Manual: curl_setopt
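The question is about the source address of an outbound connection, which the VirtualHost and listen examples above do not set (those choose the address the server accepts on). As an added example, not taken from the thread, here is the Python equivalent of the CURLOPT_INTERFACE answer: http.client.HTTPConnection with source_address binds the local end of the TCP connection before connecting. The local echo server is constructed for the demo and returns the client address it saw, so the caller can verify which IP the request left from. It also shows the failure mode when the chosen IP is not configured on any local interface: bind fails with EADDRNOTAVAIL instead of quietly using the primary address, and can_bind() checks that before a request is attempted. Binding a source address does not change routing; the kernel still sends via whichever interface routes to the destination, stamped with that source.

```python
import errno
import socket
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer


def can_bind(ip):
    """True if the kernel lets us use `ip` as a source address, i.e. it is
    configured on a local interface. Cheap pre-check before a request."""
    with socket.socket() as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError:
            return False


def fetch_from(source_ip, host, port, path="/", timeout=5.0):
    """HTTP GET with the connection's local end bound to source_ip: the Python
    equivalent of curl --interface / PHP's CURLOPT_INTERFACE. Raises OSError
    (EADDRNOTAVAIL) when source_ip is not an address of this host."""
    conn = HTTPConnection(host, port, timeout=timeout, source_address=(source_ip, 0))
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def fetch_error(source_ip, host, port):
    """None if the request succeeded, otherwise the errno name it failed with."""
    try:
        fetch_from(source_ip, host, port)
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, repr(exc))


class _EchoClientAddress(BaseHTTPRequestHandler):
    """Constructed demo server: the response body is the client IP it saw."""

    def do_GET(self):
        body = self.client_address[0].encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_echo_server(bind_ip="127.0.0.1"):
    """Serve on an ephemeral port in a background thread; returns the server."""
    srv = HTTPServer((bind_ip, 0), _EchoClientAddress)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_echo_server()
    port = srv.server_address[1]
    print(fetch_from("127.0.0.1", "127.0.0.1", port))      # (200, '127.0.0.1')
    print(can_bind("192.0.2.1"))                           # False: TEST-NET, not ours
    print(fetch_error("192.0.2.1", "127.0.0.1", port))     # EADDRNOTAVAIL
    srv.shutdown()
```

On a multi-homed server, swap "127.0.0.1" for each secondary address and point the request at a service that reports the peer address (the echo handler above does); if a secondary IP fails can_bind(), it is not actually assigned to an interface on that host, which is the first thing to rule out when curl's interface option appears to send nothing.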

netcat "Connection refused" on localhost

I'm trying to get a value from a netcat connection started from a PHP file, but it dies with:
localhost [127.0.0.1] 2000 (?) : Connection refused
I don't know why, but it works well if I SSH in as the Apache user (www-data). This is what I've done:
1) Start an endless loop serving a date with a little delay:
$ (while true; do nc -l -p 2000 -c "sleep 5; date"; done)&
2) Check if is working:
$ su www-data
$ nc localhost 2000
Fri Oct 16 21:33:20 COT 2009
3) Create /var/www/test.php as follows:
<pre><?php
exec('nc localhost 2000>>/var/www/dates.txt 2>>/var/www/errors.txt &');
?></pre>
4) Run it on a browser:
http://myserver.com/test.php
5) Finally take a look at both txt's, dates is empty (nothing like the response in #2) and errors has the "Connection refused" error.
The server is a LAMP cluster running Ubuntu Server 9.04 with DRBD and Heartbeat.
What is driving me crazy is that this test.php works well in my laptop (LAMP on Ubuntu Desktop 9.04) and the server seems to have the ports already open and listening:
$ netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:4743 0.0.0.0:* LISTEN 2326/openhpid
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3364/mysqld
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 9510/nc
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3470/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2320/sshd
tcp 0 0 127.0.0.1:3551 0.0.0.0:* LISTEN 2354/apcupsd
tcp6 0 0 :::22 :::* LISTEN 2320/sshd
I think that this is a programming related question right?, if not just close it without any comments please.
Thanks in advance!!!
Well, it was a permission problem after all... fixed by editing /etc/sudoers with visudo to add:
www-data ALL = NOPASSWD: /bin/nc
