How to route only local addresses using dnsmasq - dnsmasq

I'm trying to have the dnsmasq of a server only listen to and respond to queries within a local network using their private IP addresses. All of the hosts needed are already in the /etc/hosts file, so all I need to do is configure the dnsmasq.conf file so that it only responds to local-only domains.
While researching, I've only found documents for "How to create a DNS/DHCP server using dnsmasq" but not much on routing to only certain IP addresses.
I've tried the instructions from this link:
https://www.linux.com/training-tutorials/dnsmasq-easy-lan-name-services/
and it put dnsmasq in a failed state.
When I used listen-address=[private ip] in the dnsmasq.conf file, I did an nslookup for the servers that are supposed to be on the private network, but it has been showing the public IP for the server and address.

You should consult the official dnsmasq man page, in particular the local-service and localise-queries options:
--local-service
Accept DNS queries only from hosts whose address is on a local subnet, i.e. a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks.
-y, --localise-queries
Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was received. If a name has more than one address associated with it, and at least one of those addresses is on the same subnet as the interface to which the query was sent, then return only the address(es) on that subnet. This allows for a server to have multiple addresses in /etc/hosts corresponding to each of its interfaces, and hosts will get the correct address based on which network they are attached to. Currently this facility is limited to IPv4.
The first option local-service addresses your first concern, so that dnsmasq will only answer queries from hosts on the same subnet. The second option localise-queries will return answers with IP addresses from the same subnet if there are multiple IP addresses for a given name known to dnsmasq.
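The two options interact in a way that is easy to get wrong: local-service is silently disabled by listen-address, which is exactly the combination in the question, and localise-queries only narrows the answer when the queried name has an address on the subnet of the interface the query arrived on. The following is an added example, not code from the original post or from dnsmasq itself: a small Python model of both behaviours plus a lint that flags the conflicting option combination. The hosts file, interface addresses and dnsmasq.conf text are constructed sample data.

```python
"""Model of dnsmasq's --local-service / --localise-queries semantics (added example).

This is not dnsmasq code; it re-implements the rules from the man page so that a
hosts file and a dnsmasq.conf can be sanity-checked before deployment.
"""
import ipaddress
from collections import defaultdict

# Constructed sample /etc/hosts: "fileserver" has one address per server interface.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
203.0.113.10   fileserver.example.net fileserver
10.0.0.10      fileserver.example.net fileserver
10.0.0.20      db.example.net db
"""

# Constructed interfaces of the dnsmasq host (address/prefix per interface).
SERVER_INTERFACES = {
    "eth0": ipaddress.ip_interface("203.0.113.10/24"),  # public side
    "eth1": ipaddress.ip_interface("10.0.0.10/24"),     # private LAN
}

# Per the man page, any of these options makes --local-service a no-op.
LOCAL_SERVICE_OVERRIDES = {"interface", "except-interface", "listen-address", "auth-server"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to its IPv4 addresses, in file order."""
    names = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hostnames = line.split()
        ip = ipaddress.ip_address(addr)
        if ip.version != 4:  # localise-queries is IPv4-only
            continue
        for host in hostnames:
            names[host.lower()].append(ip)
    return names


def local_service_accepts(client_ip, interfaces=SERVER_INTERFACES):
    """--local-service: answer only clients on a subnet of some server interface."""
    client = ipaddress.ip_address(client_ip)
    return any(client in iface.network for iface in interfaces.values())


def localised_answer(name, query_iface, hosts, interfaces=SERVER_INTERFACES):
    """--localise-queries: if at least one address of `name` lies on the subnet of
    the interface the query arrived on, return only those; otherwise return all."""
    addrs = hosts.get(name.lower(), [])
    net = interfaces[query_iface].network
    same_subnet = [a for a in addrs if a in net]
    return [str(a) for a in (same_subnet or addrs)]


def lint_dnsmasq_conf(conf_text):
    """Warn about option combinations that defeat a 'LAN-only answers' intent."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    warnings = []
    if "local-service" in opts:
        clash = LOCAL_SERVICE_OVERRIDES & opts.keys()
        if clash:
            warnings.append("local-service has no effect because %s is set"
                            % ", ".join(sorted(clash)))
    if "localise-queries" not in opts:
        warnings.append("localise-queries not set: multi-homed names return all addresses")
    return warnings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("fileserver via eth1:", localised_answer("fileserver", "eth1", hosts))
    print("fileserver via eth0:", localised_answer("fileserver", "eth0", hosts))
    print("client 10.0.0.55 accepted:", local_service_accepts("10.0.0.55"))
    print(lint_dnsmasq_conf("local-service\nlisten-address=10.0.0.10\n"))
```

Run against a real deployment, the lint reproduces the failure mode in the question (a listen-address line turning local-service off), and the hosts model shows why a single-address name such as db still returns its one address on every interface: localise-queries filters, it never hides.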

Related

How to get a Virtual IP for Keepalived with bare-metal infrastructure

I am configuring a High Availability load balancing based on HAProxy and Keepalived.
Everywhere I do research they talk about a Virtual IP like something that fell out of the sky – I mean, with little to no explanation about how to get one.
By now, I have arbitrarily defined a virtual IP address in the keepalived.conf like this:
virtual_ipaddress {
10.0.0.100
}
With both servers running keepalived, I run the ip address command in the MASTER machine and it shows inet 10.0.0.100/32 scope global eth0 next to the public IP, which I believe is correct.
When I do service keepalived stop in the MASTER machine and run ip address in the BACKUP machine, BACKUP shows inet 10.0.0.100/32 scope global eth0, an IP which effectively disappeared from MASTER.
The above-mentioned behavior indicates to me that the config is all right.
Now, how can I publish that Virtual IP? Do I need to buy one? If my server provider (Contabo) doesn't offer the Virtual IP service, where to buy it?
My goal is to have my Front-End API requests aiming at the Virtual IP.
Thanks very much in advance for any guidance!
Server A and server B addresses are either manually configured when setting up the servers, or obtained via dhcp.
There is nothing magical about the virtual IP, other than that it is not obtained in the same way.
If it is your own network, you can just pick one in the same range as for the two servers, and make sure that no new servers will use it.
Since you are talking about a provider, you will need to ask them if they provide floating ip addresses.
10.x.x.x is a private IP, so you cannot publish that to the internet, but you could use it for example to fail over internal services.

How to activate two network interfaces at a time?

I have two network interfaces. Both interfaces have two private IPs each, for a total of 4. All are set to elastic IPs.
I can ping only two public IPs.
How can I activate 4 IPs at a time?
You need to configure the secondary IPs from the EC2 OS too.
From AWS Documentation:
Configuring the Operating System on Your Instance to Recognize the Secondary Private IPv4 Address
After you assign a secondary private IPv4 address to your instance, you need to configure the operating system on your instance to recognize the secondary private IP address.
If you are using Amazon Linux, the ec2-net-utils package can take care of this step for you. It configures additional network interfaces that you attach while the instance is running, refreshes secondary IPv4 addresses during DHCP lease renewal, and updates the related routing rules. You can immediately refresh the list of interfaces by using the command sudo service network restart and then view the up-to-date list using ip addr li. If you require manual control over your network configuration, you can remove the ec2-net-utils package. For more information, see Configuring Your Network Interface Using ec2-net-utils. If you are using another Linux distribution, see the documentation for your Linux distribution. Search for information about configuring additional network interfaces and secondary IPv4 addresses. If the instance has two or more interfaces on the same subnet, search for information about using routing rules to work around asymmetric routing. For information about configuring a Windows instance, see Configuring a Secondary Private IP Address for Your Windows Instance in a VPC in the Amazon EC2 User Guide for Windows Instances.
For Linux, here is a post where the steps are explained:
https://bobcares.com/blog/an-easy-guide-to-setup-amazon-ec2-multiple-ips/

Proxmox external VM / CT access

I've just begun the setup of Proxmox for our non-profit educational VPS service. However, the problem we're facing is a lack of IPv4 addresses available to us.
Is it possible to route a subdomain to the host server's IP address and then get that forwarded to the individual containers accordingly? For example:
ssh root@node-123.w-a-s-d.me
Will allow a client with the VM ID of 123 to access their server
And the same goes for things like: node-123.w-a-s-d.me
This would be the web address allowing any applications running on port 80 for that specific node
I'm unsure how to go about this and have looked online with no luck. I hope our goal is clear. I look forward to hearing from you. Josh
Exposing SSH that way will not be easy, as you can only have one thing listening on port 22 for every given IP address, and while you could just add random ports to each VPS and then forward them from the primary box which holds the public IP (with the VMs behind NAT), this is not exactly the best solution.
What you may want to do instead is set up one public-facing box that people can SSH into via the public IP and from it SSH to subsequent private machines by their internal IP. Alternatively you can set that box up with OpenVPN and set it to assign an internal IP address to anyone connecting via it. While OpenVPN takes more time to set up right, it can come with its own DNS, so when connected to it, calling ssh root@node-123.w-a-s-d.me will automatically route you to the private IP address rather than the shared public-facing one.
With HTTP this is much easier, as you can set up a proxy on the front-facing machine which then proxies requests for a given subdomain to a specific internal IP address.

Amazon EC2 and getting a response from my IP address without using the Amazon public DNS

I have tried everything, I can get to my application using the ec2-x-x-x-x.compute-1.amazonaws.com, I cannot ping the address.
However, when I do ping the amazon DNS, it identifies with the IP address of but does not respond to ping.
When I put the IP address in the browser, it times out and gives me the Chrome "Oops". I have gone through the Security Group several times.
I have checked the server, including the iptables rules and the ports that Apache is listening on.
I don't have a lot of knowledge in this area, but I tried everything in the forum and more.
I even created another Elastic IP and associated it with the instance.
Please help.
By default, you cannot ping an EC2 instance, since it is blocked by the firewall (see why can't I ping my instance):
Ping uses ICMP ECHO, which by default is blocked by your firewall.
You'll need to grant ICMP access to your instances by updating the
firewall restrictions that are tied to your security group.
ec2-authorize default -P icmp -t -1:-1 -s 0.0.0.0/0
Check out the latest developer guide for details.
Section: Instance Addressing and Network Security -> Network Security -> Examples
As for HTTP requests - your instance is available and looks fine (I suggest you remove the real DNS name from your post though)...
For EC2 the best option is:
1) open port 5060 and 10000-20000 UDP on the firewall (security group)
2) order and attach an elastic IP.
3) in sip.conf add
externhost=elastic_ip_here
localnet=10.0.0.0/255.0.0.0
Every time you start/stop that instance, attach the same elastic IP.
For web access you also need to open port 80 in the security group.

Do we have to buy a domain to serve Bugzilla?

I tried putting my IP from whatismyip.com in the urlbase of Bugzilla but it did not work. I wasn't able to create a new account for my team mate, and he wasn't able to access the server by typing my IP address in his browser. And surely, when I connect again, my IP address will change. Do we have to buy a www address to host Bugzilla?
You can set up a dynamic DNS service, for example via http://www.dyndns.com or http://www.no-ip.com or http://freedns.afraid.org, to solve the changing IP problem without buying a domain (or buying a domain as well, but it's not a requirement).
But the real problem is that your team mate cannot access the server via the current IP address which points to either a misconfiguration of the webserver (listening only on localhost?), to a firewall in between, or most likely, that port forwarding isn't set up in your router for requests coming to your external IP address to be forwarded to the machine where you have Bugzilla set up. Additionally, you must set the urlbase to your local IP address, not to the external IP address, as blak3r says.
Check http://www.portforward.com for instructions on how to do port forwarding. But don't forget that everything mentioned has to be working:
Web server listening to outside requests: This can be tested from the same internal network via the local network IP address (what you see typing in a command line console ipconfig in Windows and ifconfig in Linux). If you can connect from a different machine on the same network via the local IP address, this is solved.
Firewalls (in router and the webserver machine) accepting connections to the web server port: For firewalls in the web server, the same test as above covers it.
Port forwarding so the router forwards the requests received on the web server port to the web server machine: This gets tested in the same way as firewalls in the router, that is, you must have your friend (or yourself from the house of your friend) try to connect to the dyn dns name set up or to the external IP as reported by whatsmyip.org.
This is all assuming your test mate is not on your same network, if he is, just using the local IP address (shown via ipconfig or ifconfig) instead of the external IP address and making sure the first step is covered (web server listening to outside requests) should be enough and nothing else is needed!
You most likely do not have your port 80 forwarded to your machine, which is the reason he cannot connect when using the IP that was returned from whatismyip.com.
Assuming you're on a Windows box... do
Start->Run->cmd then type
ipconfig
If your address starts with 192.*.*.* or 10.*.*.*, this is your Local Area Network (LAN) IP. If this is the case, then your ISP provided you with a router. Look for a setting called port forwarding or "application setting" which allows you to forward all incoming traffic on your router to a particular IP address. Go into your router's configuration settings and make sure port 80 (and maybe 443 if you're using SSL) are forwarded to your local IP.
The other problem you mentioned is you do not have a static IP. This is a common problem, and no, you do not need to buy an address. There are several sites which can provide you a free dynamic DNS host. Try no-ip.org.