I've got several docker containers up and running using docker-compose.
Nginx connected to PHP through internal port-forwarding at 9000/tcp. PHP connected to mysql through internal forwarding.
Nginx is reachable at public NIC!
Another container running postfix is based on the same baseimage and configured/launched exactly the same as the Nginx-container but its ports are not accessible from the internet.
Both nginx and postfix are exposing the same way, so why is postfix not reachable??
nginx (Dockerfile)
...
EXPOSE 80/tcp 443/tcp
...
postfix (Dockerfile)
...
EXPOSE 25/tcp 465/tcp 587/tcp
...
docker-compose.yml
...nginx
ports:
- "80:80/tcp"
- "443:443/tcp"
...
and
...postfix
ports:
- "25:25/tcp"
- "465:465/tcp"
- "587:587/tcp"
...
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
550cf81ccfc3 nginx "nginx -g 'daemon ..." 17 minutes ago Up 17 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp nginx
5b1b823c8b75 postfix "/run.sh" 17 minutes ago Up 17 minutes 0.0.0.0:25->25/tcp, 0.0.0.0:465->465/tcp, 0.0.0.0:587->587/tcp postfix
f7541058c973 php "php5-fpm -F" 17 minutes ago Up 17 minutes 9000/tcp php
ad1d1db33351 mysql "/sbin/entrypoint...." 17 minutes ago Up 17 minutes 3306/tcp mysql
netstat -a
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 464/sshd
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 461/rsyslogd
tcp6 0 0 :::25 :::* LISTEN 24924/docker-proxy
tcp6 0 0 :::443 :::* LISTEN 24937/docker-proxy
tcp6 0 0 :::514 :::* LISTEN 461/rsyslogd
tcp6 0 0 :::587 :::* LISTEN 24899/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 24975/docker-proxy
tcp6 0 0 :::465 :::* LISTEN 24912/docker-proxy
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
Telnet on all ips:ports works fine from docker host.
nmap from outside to public ip:
25: filtered
80: open
110: filtered (although there is no service running, ~* weird *~)
443: open
465: filtered
587: filtered
uname -a
Linux h2127057 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
How knows the solution??
A simple server reboot fixed it! Pretty stupid. :-(
In my aws my site is running on port 8000 due to which in my url 8000 (www.example.com:8000)is visible . i want to remove it is should look like www.example.com.
I have tried this:
RewriteCond %{HTTP_HOST} ^(example[12].com):8080$ [NC] RewriteRule
^(.*)$ http://%1/$1 [L,R=301]
You should consider using a proxy on your server. There is a really good tutorial at apache.org, using an Apache Web Server.
http://tomcat.apache.org/tomcat-7.0-doc/proxy-howto.html
This enables you to connect to your server via port 80, which is not printed in the url bar of your browser.
It can be done using IP tables in linux with redirecting requests from from one port to other, please follow the below syntax to achieve.
Syntax
The syntax is as follows to redirect tcp $srcPortNumber port to $dstPortNumber:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber
The syntax is as follows to redirect udp $srcPortNumber port to $dstPortNumber:
iptables -t nat -A PREROUTING -i eth0 -p udp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber
Replace eth0 with your actual interface name. The following syntax match for source and destination ips:
iptables -t nat -I PREROUTING --src $SRC_IP_MASK --dst $DST_IP -p tcp --dport $portNumber -j REDIRECT --to-ports $rediectPort
We have a Ubuntu server that host a php server and game server.
recently, we get a lot of dos and flood attack. so i find some rule for iptables can protect http and game port from attack.
here is my rules:
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m limit --limit 5/sec -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3724 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state RELATED,ESTABLISHED -m connlimit --connlimit-upto 15 --connlimit-mask 32 --connlimit-saddr -j ACCEPT
but the problem appear when php want to open a request like Soap WebService to another server. and iptables block this connection.
I think that problem is in this line :
iptables -P INPUT DROP
but without this line all request to all other port are allowed.
and this is php Soap error :
object(SoapClient)#48 (2) { ["_soap_version"]=> int(1) ["sdl"]=> resource(97) of type (Unknown) }
I appreciate all your comment. Thanks.
The problem is that outgoing connections use a random local port to listen for replies. So if, for example, you are requesting a DNS entry on port 53, your computer will listen on port 42316 for data. If the latter port is blocked, as is the case in the above setup, the connection will fail.
This is easily solved generally allowing packets of state ESTABLISHED and RELATED connections.
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Also, change the other rules to use state NEW, as that's most likely what you want to restrict. Otherwise it will just cripple the server's connectivty.
I started local server using php on my server . (Trying to work on port 8080/8283 . Anyone of them will do .)
php -S 0.0.0.0 8283 -t testServer/
using curl localhost:8283 I am able to get the result of the index.php file
but when I access it using my server ip I am not able to access that port .
Any when I do netstat -tuplen . I can see that port as well .
How can I make port 8283 available through http request ?
I asked this question here but not much help .
I have used this
# /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8283 -j ACCEPT
# service iptables save
# service iptables restart
and still it did not work
And this is output from telnet on my server
telnet XX.XX.X.XXX 8283
Trying XX.XX.X.XXX...
Connected to XX.XX.X.XXX.
Escape character is '^]'.
GET /
HTTP/0.9 200 OK
Connection: close
X-Powered-By: PHP/5.5.19
Content-type: text/html
Hello World !Connection closed by foreign host.
this one is from my PC
telnet XX.XX.X.XXX 8283
Trying XX.XX.X.XXX...
telnet: Unable to connect to remote host: No route to host
NMAP Result
sudo nmap -p 8283 XX.XX.X.XXX
Starting Nmap 5.21 ( http://nmap.org ) at 2015-02-04 19:18 IST
Nmap scan report for srv1.domain.com (XX.XX.X.XXX)
Host is up (0.035s latency).
PORT STATE SERVICE
8283/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
IPTABLES OUTPUT
/sbin/iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8282
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8283 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
try
php -S 0.0.0.0 8080 -t testServer/
by use localhost you will bound just 127.0.0.1 address: that address is not reachable by other address instead of localhost or localhost.localdomin.
Now by use 0.0.0.0 you will bound all your interfaces. Alternatively you can use your host address where you want expose the service.
You do not have to use localhost you have to use your external ip address:
php -S <ip-address> 8080 -t testServer/
localhost is mapped on ip 127.0.0.1 so it is only available from yor server.
You're explicitly binding to localhost. If you want to bind to a different IP address, then specify it instead of localhost (or use 0.0.0.0 for all network interfaces).
I installed fresh RabbitMQ 3.1.3 on ubuntu 12.04.2 LTS by apt-get, and try to start consumers on the same server, but I have connection problem:
[PhpAmqpLib\Exception\AMQPRuntimeException]
Error Connecting to server(113): No route to host
There is status of working server:
Status of node rabbit#ns1 ...
[{pid,2106},
{running_applications,[{rabbit,"RabbitMQ","3.1.3"},
{mnesia,"MNESIA CXC 138 12","4.5"},
{os_mon,"CPO CXC 138 46","2.2.7"},
{xmerl,"XML parser","1.2.10"},
{sasl,"SASL CXC 138 11","2.1.10"},
{stdlib,"ERTS CXC 138 10","1.17.5"},
{kernel,"ERTS CXC 138 10","2.14.5"}]},
{os,{unix,linux}},
{erlang_version,"Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:4:4] [rq:4] [async-threads:30] [kernel-poll:true]\n"},
{memory,[{total,27728944},
{connection_procs,2704},
{queue_procs,5408},
{plugins,0},
{other_proc,9021680},
{mnesia,60016},
{mgmt_db,0},
{msg_index,31144},
{other_ets,770736},
{binary,1968},
{code,14560395},
{atom,1356081},
{other_system,1918812}]},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,1262847590},
{disk_free_limit,1000000000},
{disk_free,214706556928},
{file_descriptors,[{total_limit,924},
{total_used,3},
{sockets_limit,829},
{sockets_used,1}]},
{processes,[{limit,1048576},{used,125}]},
{run_queue,0},
{uptime,1265}]
...done.
I don't have any limitations by iptables (ports):
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And etc/hosts is OK.
127.0.0.1 localhost
{IP-ADDRESS} ns1.***.org ns1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Whay I'm doing wrong?
UPD:
sudo netstat -nlp | grep 5672 returns: tcp6 0 0 :::5672 :::* LISTEN 2106/beam.smp
From rabbitMQ logs:
=INFO REPORT==== 2-Jul-2013::16:05:11 ===
started TCP Listener on [::]:5672
=INFO REPORT==== 2-Jul-2013::16:05:11 ===
Server startup complete; 0 plugins started.
=INFO REPORT==== 2-Jul-2013::16:35:04 ===
accepting AMQP connection <0.1130.0> (127.0.0.1:44112 -> 127.0.0.1:5672)
=ERROR REPORT==== 2-Jul-2013::16:35:14 ===
closing AMQP connection <0.1130.0> (127.0.0.1:44112 -> 127.0.0.1:5672):
{handshake_timeout,handshake}
I tried to change localhost to ip6-localhost and sometimes when try to starting consumer, it returns:
[PhpAmqpLib\Exception\AMQPRuntimeException]
Error Connecting to server(110): Connection timed out
UPD2 If I start consumer with debug flag and --env=prod (php .../app/console rabbitmq:consumer -w -d consumer_name), consumer starts and working.
If the necessary ports are not open on the rabbitmq server, you get this "No route to host" error when the client tries to connect.
To fix it, make sure the ports are open, if not, open them:
sudo iptables -I INPUT -p tcp --dport 5672 --syn -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 5673 --syn -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 15672 --syn -j ACCEPT
This sets it on temporally. Set it permanently with your iptables.
sudo vi /etc/sysconfig/iptables
Then restart:
sudo service iptables restart
Problem was fixed with reconfiguring listen address from 0.0.0.0:5672 to 127.0.0.1:5672 and small security fixes in OS.