I'm trying to find out if GCP supports the ability to forward ALL ports to a single one.
Currently I'm "manually" setting firewall rules on each instance using the following iptable rule.
iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 10000
This is not fun to manage because I'm using docker and don't want to manage the VM directly.
The flow I'm trying to implement is as follows:
Received TCP request (Ingres)
Load balance request (GCP TCP-LB)
Redirect ALL requests to port 10000 (???)
Docker container listening on port 10000
You can use one of these two options:
1.- Using a VM instance as a bastion host and be used as NAT gateway for your other instances.
2.- Use Cloud NAT directly or with protocol forwarding that will be something similar to what you are trying to implement.
Related
I have hosted my MEAN project over aws ec2 (mean bitnami hvm) instance. It is running on port 3000 and I am able to access my instance in the following way:
ec2-xx-xx-xx-xx.amazonaws.com:3000
I want to access the instance without the port number (3000), i.e.: ec2-xx-xx-xx-xx.amazonaws.com
How can I do this?
Run this port forward command on your EC2 instance.
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000
And your port 80 will be redirected to port 3000.
Run your application on port 80 instead of port 3000, or run a proxy (like nginx) that allows you to map ports and paths as needed.
I have a simple VPC on Amazon EC2 with two instances: an SFTP server, and a web server. I want to route incoming traffic from the internet on port 22 to the SFTP server and ports 80 and 443 to the web server.
I'm having trouble finding exactly how to do this. It's extremely simple with all hardware routers I've ever used.
Can anyone point me to documentation/examples/or just tell me how to do it?
Edit:
I wasn't clear that I want remote hosts to be able to make a request to a single IP address, but on different ports, and have different ports routed to different instances; I already have my security groups set so I can accept traffic to the public IP addresses of each instance.
Below are the steps you will need to follow to achieve your use case.
As you said both servers are in VPC you need to make sure they are
in a Public Subnet with a internet gateway attached to it.(This can
be achieved in Private subnet too but will become more complex
process for you) For more information check this
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html
EC2 Server 1 for SFTP you need to open SSH port 22 in the security group by adding your IP address or open to world rule. Then you can SFTP using your preferred SFTP client.
EC2 Server 2 for port 80 and 443. you need to add two rules in the security group for your instance. Check below screenshot. Once that is done you will be able to route http traffic through port 80 and 443.
More information on security groups is here.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
About your Edit. You have to run a instance in front of both the instance.
Add a HTTP proxy to this new created instance. And then the port redirect should be achieved using IP Tables. Check this below IP tables config you need to add to that server. Let say your HTTP proxy server is Server 1. Port 22 server is Server 2 and Port 80 and 443 Server is Server 3. So Server 1 IP tables will have below rules.
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <Server3-IP>:80
iptables -t nat -A POSTROUTING -p tcp -d <Server3-IP> --dport 80 -j SNAT --to-source <Server1-IP>
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination <Server2-IP>:80
iptables -t nat -A POSTROUTING -p tcp -d <Server2-IP> --dport 22 -j SNAT --to-source <Server1-IP>
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <Server3-IP>:80
iptables -t nat -A POSTROUTING -p tcp -d <Server3-IP> --dport 443 -j SNAT --to-source <Server1-IP>
As of today, Amazon Elastic Load Balancers have a new "Application Load Balancer" mode which supports routing requests to different EC2 instances based on things such as the HTTP path, and port.
To set this up, do the following:
Create a new ELB, using the new "Application Load Balancer" mode.
Create one target group for port 22.
Add your EC2 instances that will be the SSH targets to this target group.
Create another target group for ports 80 and 443.
Add your EC2 instances that will be the HTTP/HTTPs targets to this target group.
Using this system, SSH requests to the ELB will be forwarded to the SSH instance, and HTTP/HTTPs requests to the ELB will be forwarded to the web servers
I'm running Bitnami MEAN on an EC2 instance. I can host my app just fine on port 3000 or 8080. Currently if I don't specify a port I'm taken to the Bitnami MEAN homepage. I'd like to be able to access my app by directly from my EC2 public dns without specifying a port in the url. How can I accomplish this?
The simple way to do that is Port Forwarding by using below command:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
After logging into the AWS using putty by having private key & with username "bitnami". Type the above command & enter.
Then, you will automatically redirected to your application.
Note : I am assuming, you have already configure port 8080 to security group on AWS
You'll have to open port 80 on the server's firewall, and either run your server on port 80 or forward port 80 to port 8080. You'll need to lookup the instructions for doing that based on what version of Linux you are running, but it is probably going to be an iptables command.
You'll also need to open port 80 on the EC2 server's security group.
two instances:
1.- Orion with 192.168.x.1, public like 130.a.b.c
2.- Keystone with 192.168.x.2. Port 8000 opened and tested from localhost
3.- instances have the same routing rule group.
I edit my security group rules adding port 8000 with a cidr 192.168.x.2/32. Now i test it with telnet from my computer:
telnet 130.a.b.c 8000
result: Connection time out.
i'm wrong? how can i connect to port 8000 from my computer to my second instance using the public Ip (configured in first instance) ? Or need a second public Ip?
There are many ways to do this: IPForwarding with iptables, haproxy, etc.
However, I thinK that the easiest way to do this would be SSH Port forwarding in your host with the public IP:
ssh -f -N -o ServerAliveInterval=30 -L 0:8000:192.168.x.2:8000 $YOUR_USER#192.168.x.1:8000
-L 0:8000:192.168.x.2:8000 means that It'll listen every network interface (0:8000) and will send every query to 192.168.x.2:8000
If you don't have a password to your user or ssh is not configured to accept passwords, you could consider either adding a new authorized key (so you can locally login) or connecting your public IP using -A so your credentials can be forwarded:
*ssh -A -i $PRIVATE_KEY_FILE $YOUR_USER#130.a.b.c
Currently, I have a NAT instance in AWS with some iptables rules, such as to forward the traffic that comes in a certain port to some other instance. So, if I do curl nat.address.com:8090, the traffic is forwarded to some other instance that is listening to the 8090 port, let's say it is instance A.
What I want is to know how to apply this rule only if the original source is inside the local network. That is, if the request to nat.address.com:8090comes from an internal instance with ip 172.31.10.10, the nat instance should forward it to instance A. However, if the request to nat.address.com:8090 comes from some external source (e.g. 189.58.200.10), it should not forward.
Is it possible?
As stated in Documentation you can use the -s option:
-s, --source [!] address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
For example:
iptables -t nat -A POSTROUTING -s 172.31.10.0/24 -j MASQUERADE
You can do this in one of two ways:
(1) Security Group rules:
You can add appropriate rules in the Security Group(s) which is associated with your NAT instance. This will block inbound flow of all packets on port 8090 that are originating from any source which is not your internal instance.
For ex: If you would like to forward packets which are originating from a particular instance with IP 172.31.10.10, you would add an inbound rule in the Security Group of your NAT instance which would look like:
Type: Custom TCP Rule
Protocol: TCP
Port Range: 8090
Source: 172.31.10.10
And you have to make sure that there are no other rules inside the Security Group which would allow traffic on TCP port 8090 from any other source.
And if you would like to make sure that your NAT instance forwards traffic from all the internal instances inside your VPC, then you can edit the Source field to include the CIDR range of your VPC.
This option would be suitable only if you are aware of the network traffic that hits your NAT instance so that you can appropriately add the rules inside your Security Group to match your incoming traffic, otherwise you will end up blocking the meaningful traffic as well.
(2) IPTable rules:
This option requires you to add IPTable rules on your NAT instance such that your NAT instance will only accept network traffic from a specific network (which is your VPC) and only from a specific TCP port. For ex, if you would like to make sure your NAT instance only accepts traffic from your internal instances (i.e. instances inside your VPC) on port 8090, then the following rules would apply:
$ iptables -A INPUT -i eth0 -p tcp -s 172.31.0.0/16 --dport 8090 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 8090 -m state --state ESTABLISHED -j ACCEPT