Develop Reference

Wireguard windows 11 - not able to access client lan

I have setup wireguard server and client.
Server - Ubuntu 18.04
Client - Windows 11(x64)
Wireguard Interface Subnet - 10.200.1.0/24
Wireguard Server IP - 10.200.1.27/24
server.conf
Address = 10.200.1.27/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820
PrivateKey = WHnFUoljugAbX3XkmHg2TmZH4k2ptbX0N1xB7cruN2g=
[Peer]
PublicKey = *********
AllowedIPs = 10.200.1.72/32, 192.168.1.0/24
Endpoint = ********:63587
[Peer]
PublicKey = ********
AllowedIPs = 10.200.1.71/32
Endpoint = ********:10295
Wireguard Client is in home network 192.168.1.0/24 and windows 11 has the IP address 192.168.1.25
windows11-Wireguard-Client-Config
[Interface]
Address = 10.200.1.72/24
ListenPort = 63587
PrivateKey = *******
[Peer]
PublicKey = ********
AllowedIPs = 10.200.1.0/24
Endpoint = *******:51820
PersistentKeepalive = 30
Problem
From another peer, I am able to ping 192.168.1.25 but I have a macOS running on IP 192.168.1.6, so I am unable to ping the macbook.
I even tried adding route on windows
route add -p 192.168.1.0 mask 255.255.255.0 10.200.1.72
From the other peer if I ping after adding the above route the ICMP response will be,
FROM 10.200.1.72: icmp_seq=1 Redirect Network(New nexthop: 192.168.1.6)
Can someone please guide me in what to do, as I have ran out of thoughts.

SbSocketResolveTest.IgnoreExtraBits test fail with NPLB

The SbSocketResolveTest.IgnoreExtraBits test case of cobalt release 11 would be probabilistic failed(sometimes would pass) with the same platform and the same binary, from the test code in socket_resolve.cc
it can see that when the filters is set to 1<<14 or 0, it will both run into line 68(hints.ai_family = AF_UNSPEC; at line 39), but for the same hostname, the first time it get 2 IP addresses(1 IPV4, 1 IPV6), for the second time, it get 5 IP addresses(1 IPV4, 4 IPV6), and then it will fail because the test case think the ip addresses number should the same, so it seemed be something wrong with test test case itself, can someone help to have look?
[ RUN ] SbSocketResolveTest.IgnoreExtraBits
[AAAAA]in SbSocketResolve at 53 in ../../third_party/starboard/shared/posix/socket_resolve.cc, filters=16384
[AAAAA]in SbSocketResolve at 67 in ../../third_party/starboard/shared/posix/socket_resolve.cc
getaddrinfo response 0
Flags: 0x20
Family: AF_INET v4
IPv4 addr 203.188.200.67
getaddrinfo response 1
Flags: 0x20
Family: AF_INET v6
IPv6 addr 2406:2000:ec:c00::1001
[AAAAA]in SbSocketResolve at 53 in ../../third_party/starboard/shared/posix/socket_resolve.cc, filters=0
[AAAAA]in SbSocketResolve at 67 in ../../third_party/starboard/shared/posix/socket_resolve.cc
getaddrinfo response 0
Flags: 0x20
Family: AF_INET v4
IPv4 addr 203.188.200.67
getaddrinfo response 1
Flags: 0x20
Family: AF_INET v6
IPv6 addr 2001:4998:c:e33::53
getaddrinfo response 2
Flags: 0x20
Family: AF_INET v6
IPv6 addr 2001:4998:44:204::100d
getaddrinfo response 3
Flags: 0x20
Family: AF_INET v6
IPv6 addr 2001:4998:44:204::a7
getaddrinfo response 4
Flags: 0x20
Family: AF_INET v6
IPv6 addr 2001:4998:c:e33::54
../../starboard/nplb/socket_resolve_test.cc:80: Failure
Value of: resolution1->address_count
Actual: 2
Expected: resolution2->address_count
Which is: 5
[ FAILED ] SbSocketResolveTest.IgnoreExtraBits (5203 ms)
[1]: https://cobalt.googlesource.com/cobalt/+/release_11/src/starboard/shared/posix/socket_resolve.cc

not sure if shell script that opens ports/protocols in the event any are blocked is correct

I'm writing a script that will check/open ports/protocols in the event any are blocked. What I have so far is below. The port/protocol names look strange to me. I would have expected IP addresses, but I've never done this before. Would the host be IP address of the DSLAM? Also, can I run nc without specifying host if it's the current machine? Otherwise, does this script do what is needed?
#!/bin/bash
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
echo -e "############################nnnPresent ports opened on this machine are
$(iptables -nL INPUT | grep ACCEPT | grep dpt)
nCompleted listing...nnn#########################"
#these look funny to me
PORTS=( 123 161 69 "UDP" 80 443 22 8443 8080 23 25 3307 "TCP" "HTTPS" "SNMP" "SFTP" "TFTP")
#modified ip's for public sharing
HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")
for HOST in "${HOSTS[#]}"
do
for PORT in "${PORTS[#]}"
do
#see which ones need opening...0 is pass (open), 1 fail, 5 timeout; need host still
#alternatively try nmap
nc -z -v -w5 ${HOST} ${PORT}
#if it's not open, then open it
if [ "$?" ne 0 ]; then #shellcheck err this line: Couldn't parse this test expression.
iptables -A INPUT -m tcp -p tcp --dport "$PORT" -j ACCEPT &&
{ service iptables save;
service iptables restart;
echo -e "Ports opened through iptables are n$(iptables -nL INPUT | grep ACCEPT | grep dpt)"; }
else
echo "Port $PORT already open"
fi
done
done
I've been referring to test if port is open, and also open port.

These lines seem odd, OP edit #6 adds an outer for loop which assigns the same value to $HOST on each go-round:
HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")
for HOST in "${HOSTS[#]}"
do
< stuff ... >
done
Assuming running < stuff ... > four times is not necessary, then
the seven lines above, as written, would be equivalent to:
HOST="10.x.x.x"
< stuff ... >
(Fixed.) Remove the commas from this line:
PORTS=( 123, 161, 69, UDP, 80, 443, 22, 8443, 8080, 23, 25,
3307, TCP, HTTPS, SNMP, SFTP, TFTP)
bash does not use commas to define arrays, and if commas are used
they become chars in the the array data. Example, given the array
exactly as it is above:
echo ${PORTS[0]}
Outputs:
123,

DNS configuration for accessing consul remotely

I have installed consul on AWS EC2, with 3 servers and 1 client.
server IPs = 11.XX.XX.1,11.XX.XX.2,11.XX.XX.3.
client IP = 11.XX.XX.4
consul config: /etc/consul.d/server/config.json
{
"bootstrap": false,
"server": true,
"datacenter": "abc",
"advertise_addr": "11.XX.XX.1",
"data_dir": "/var/consul",
"log_level": "INFO",
"enable_syslog": true,
"addresses": {
"http": "0.0.0.0"
},
"start_join": ["11.XX.XX.2", "11.XX.XX.3"]
}
netstat output on server:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8400 0.0.0.0:* LISTEN 29720/consul
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1006/sshd
tcp 0 0 127.0.0.1:8600 0.0.0.0:* LISTEN 29720/consul
tcp6 0 0 :::8301 :::* LISTEN 29720/consul
tcp6 0 0 :::8302 :::* LISTEN 29720/consul
tcp6 0 0 :::8500 :::* LISTEN 29720/consul
tcp6 0 0 :::22 :::* LISTEN 1006/sshd
tcp6 0 0 :::8300 :::* LISTEN 29720/consul
curl is working fine from remote machine but dig is only working on the local machine.
; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> #127.0.0.1 -p 8600 web.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40873
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;web.service.consul. IN A
;; ANSWER SECTION:
web.service.consul. 0 IN A 11.XX.XX.4
;; Query time: 0 msec
;; SERVER: 127.0.0.1#8600(127.0.0.1)
;; WHEN: Fri Dec 30 08:21:41 UTC 2016
;; MSG SIZE rcvd: 52
but dig is not working from remote machine:
dig #11.XX.XX.1 -p 8600 web.service.consul
; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> #11.XX.XX.1 -p 8600 web.service.consul
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
-----------------------------
How to make it work?

By default consul only listens for DNS connections on the instance loopback device. Best practices asks you to install the client on any remote machine looking to consume consul DNS. This is not always practical.
I have seen people expose DNS (consul port 8600) on all interfaces via the Consul configuration JSON like so:
{
"server": true,
"addresses": {
"dns": "0.0.0.0"
}
}
You can also expose all ports listening on loopback with the client_addr field in JSON or pass it via the command line with:
consul agent -client 0.0.0.0
There are more controls and knobs available to tweak (see docs):
https://www.consul.io/docs/agent/options.html

Send SNMP trap to particular host in Nagios

I have the nagios with two host. one is localhost(10.10.62.5) and another one is
ubuntu(10.10.62.10). i set up nagios monitor on localhost.
host configuration files are below
localhost.cfg:
define host{
use linux-server
host_name localhost
alias localhost
address 10.10.62.5
}
define service{
host_name localhost
service_description WSN_COUNT
is_volatile 1
check_command check-host-alive
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
active_checks_enabled 0
passive_checks_enabled 1
check_period 24x7
notification_interval 31536000
notification_period 24x7
notification_options w,u,c
notifications_enabled 1
}
ubuntu.cfg:
define host{
use linux-server
host_name ubuntu
alias ubuntu
address 10.10.62.10
}
define service{
host_name localhost
service_description WSN_COUNT
is_volatile 1
check_command check-host-alive
max_check_attempts 1
normal_check_interval 1
retry_check_interval 1
active_checks_enabled 0
passive_checks_enabled 1
check_period 24x7
notification_interval 31536000
notification_period 24x7
notification_options w,u,c
notifications_enabled 1
}
MIBfile:
NAGIOS-TRAP-TEST-MIB DEFINITIONS ::= BEGIN
IMPORTS enterprises FROM SNMPv2-SMI;
nagiostests OBJECT IDENTIFIER ::= { enterprises 0 }
nagiostraps OBJECT IDENTIFIER ::= { nagiostests 1 }
nagiosnotifs OBJECT IDENTIFIER ::= { nagiostests 2 }
WSNcount NOTIFICATION-TYPE
OBJECTS { sysLocation }
STATUS current
DESCRIPTION "SNMPv2c notification"
::= { nagiosnotifs 9 }
END
I used snmptt(net-snmp) to integrate the traps with nagios. configuration files are
snmptt.conf.local:
EVENT WSNcount .1.3.6.1.4.1.0.2.1 "Status Events" Normal
FORMAT SNMPv2c notification $*
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result localhost WSN_COUNT 1 "SNMPv2c notification $*"
SDESC
SNMPv2c notification
Variables:
1: sysLocation
EDESC
snmptt.conf.local:
EVENT WSNcount .1.3.6.1.4.1.0.2.1 "Status Events" Normal
FORMAT SNMPv2c notification $*
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result ubuntu WSN_COUNT 1 "SNMPv2c notification $*"
SDESC
SNMPv2c notification
Variables:
1: sysLocation
EDESC
When i sending trap from ubuntu(10.10.62.10) machine using following command, trap sending to both hosts in nagios.
snmptrap -v 2c -c private 10.10.62.5 "" NAGIOS-TRAP-TEST-MIB::RFIDcount SNMPv2-MIB::sysLocation.0 s "snmptest trap"
PLEASE help me with send trap to particular host.. how it is possible...

I think you misinterpreted what a SNMP-trap is. A SNMP-trap is a SNMP message sent to your monitoring system/service from a network device such as a router, switch, blade, cluster, ..
I guess the thing you want to do is search the MIB-file for the particular network device you want to monitor and search the OID that matches the information you want the gather from that specific device.
The device you want to monitor through SNMP has to have SNMP enabled in it's configuration (webbased or something..).
You can do a SNMPwalk to this device to see all available OIDs :
snmpwalk -v 2c -c public <ip address network device>
-c stands for 'community' and by default this is 'public', you can edit this in the configuration of your network device.
-v stands for the version of SNMP you want to use.
When you find the OID which provides you the device's information you wore looking for you can do the following command (or put this in a perl or bash script) :
snmpwalk -v 2c -c public <ip address network device> <OID>
When you made this script you can define a command for this script in commands.cfg :
#'check_lefthand' command definition
define command{
command_name check_lefthand
command_line $USER1$/lefthands.pl $ARG1$ $ARG2$
}
You can now use this check_ in your service definitions of Nagios.