I want to access an RMI service from a remote server.
Locally everything works fine, but from the remote side I get the following exception:
java.net.ConnectException: Connection timed out
I used iptables so that the server believes the request comes to 127.0.0.1 and not to the public IP address xx.yy.zz:
iptables -t nat -A PREROUTING -p tcp -d xx.yy.zz --dport 1099 -j DNAT --to-destination 127.0.0.1:1099
The server is started with "-Djava.rmi.server.hostname=127.0.0.1" as JVM-Argument.
Regards,
Markus
For me this looks like misuse of iptables. Do the following:
Make sure your application binds to the public address. For example by removing "-Djava.rmi.server.hostname=127.0.0.1".
If you still can't reach your app, add a firewall rule to iptables, something like:
$ iptables -A INPUT -p tcp --dport 1099 -j ACCEPT
I suspect the DNAT only changes the destination of the packet, rather than the source. Wouldn't it make a lot more sense to make the RMI server accept packets from a trusted LAN or VPN, instead of trying to rewrite the packets using iptables?
I'm trying to implement a "dynamic" proxy forward to access localhost from the Internet, like Ngrok, in pure Java.
This guy does essentially the same thing: https://serveo.net/#intro (but without a client)
The idea would be to use the SAME port on the server and make a dynamic proxy for each client, based on a subdomain.
The problem is that the default implementation throws an error on the second connection, saying that the port is already open:
org.apache.sshd.common.forward.DefaultForwardingFilter # doBind
Who has an idea of how to implement this?
The advantage of this is that you do not even need a CLIENT like Ngrok for that; just using normal ssh would be possible.
ssh -R http2:9000:localhost:8002 localhost -p 4440
ssh -R http2:pSERVER:localhost:pLOCAL localhost -p SSHD_PORT
An option I imagined is to generate the ports dynamically on the server, IGNORING the 'pSERVER' port, and creating an HttpProxy to do the redirection for each port. But I find this very inefficient; I believe it would be possible to do it only by analyzing the request header and making the redirects to the corresponding channels/connections.
After too much headache.
The code is of very low quality, just a proof of concept that can be implemented.
The implemented idea was made by changing sshd-netty and adding a function to unpack the HTTP request and remove the HOST HEADER (this needs to be improved).
Only 1 port on the server is used, and it is kind of a reverse proxy for clients...
I would like the help of the developers to improve the code in question. My knowledge of Netty and Mina is very limited.
Appreciated.
Source: https://github.com/ricardojlrufino/sshd-dyn-tunneling
Testing: Open 2 connections:
ssh -v -R http1:9000:localhost:8001 localhost -p 4440
ssh -v -R http2:9000:localhost:8002 localhost -p 4440
Make requests:
curl -v -H "Host: http1" http1:9000
curl -v -H "Host: http2" http2:9000
Start test servers:
https://github.com/ricardojlrufino/sshd-dyn-tunneling/blob/tunel/src/test/resources/setup_remotes.sh
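The routing step that the proof of concept above does inside sshd-netty, written out as an added example in Python so the idea can be read on its own. This is not code from sshd-dyn-tunneling: it models the server side only, where each `ssh -R <name>:9000:localhost:<port>` registers a tunnel under `<name>` and a connection to the shared port is handed to the tunnel whose name matches the request's Host header. The `TunnelRouter` API and the opaque channel handle are assumptions of this example; the constructed request bytes stand in for what the shared port would read.

```python
"""Demultiplex HTTP connections arriving on one shared port by their Host header.

Added example; not code from sshd-dyn-tunneling. Names, the router API and the
sample requests are constructed for illustration.
"""
from __future__ import annotations

MAX_HEAD = 8192  # give up if no complete header block arrives within this many bytes


def split_head(buf: bytes) -> tuple[bytes, bytes] | None:
    """Return (head, remainder) once the request head is complete, else None.
    Raise if the client keeps sending without ever terminating the head."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        if len(buf) > MAX_HEAD:
            raise ValueError("request head too large")
        return None
    return buf[: end + 4], buf[end + 4 :]


def host_from_head(head: bytes) -> str | None:
    """Host header value with any port suffix removed, lower-cased; None if absent."""
    for line in head.split(b"\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            if host.startswith("["):                 # IPv6 literal: keep the brackets
                host = host.split("]", 1)[0] + "]"
            elif host.count(":") == 1:               # "http1:9000" -> "http1"
                host = host.split(":", 1)[0]
            return host.lower()
    return None


def rewrite_host(head: bytes, new_host: str) -> bytes:
    """Replace the Host header so the tunnelled service sees a name it recognises
    (the proof of concept simply removes it); duplicate Host headers are dropped."""
    lines = head.split(b"\r\n")
    out = [lines[0]]
    replaced = False
    for line in lines[1:]:
        name, sep, _ = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            if not replaced:
                out.append(b"Host: " + new_host.encode("ascii"))
                replaced = True
            continue
        out.append(line)
    return b"\r\n".join(out)


class TunnelRouter:
    """Maps tunnel names (the part before ':' in ssh -R name:port:...) to channels."""

    def __init__(self) -> None:
        self.tunnels: dict[str, object] = {}

    def register(self, name: str, channel: object) -> None:
        key = name.lower()
        if key in self.tunnels:
            raise ValueError(f"tunnel name already in use: {name}")
        self.tunnels[key] = channel

    def unregister(self, name: str) -> None:
        self.tunnels.pop(name.lower(), None)

    def route(self, buf: bytes) -> tuple[object, bytes] | None:
        """Given the bytes read so far on the shared port, return (channel, bytes to
        forward) once the Host header is known, or None if more data is needed.
        A Host with no registered tunnel raises LookupError."""
        parts = split_head(buf)
        if parts is None:
            return None
        head, rest = parts
        host = host_from_head(head)
        if host is None or host not in self.tunnels:
            raise LookupError(f"no tunnel for Host {host!r}")
        return self.tunnels[host], rewrite_host(head, "localhost") + rest


if __name__ == "__main__":
    router = TunnelRouter()
    router.register("http1", "channel-to-localhost:8001")   # constructed handles
    router.register("http2", "channel-to-localhost:8002")
    request = b"GET / HTTP/1.1\r\nHost: http2:9000\r\nUser-Agent: curl\r\n\r\n"
    print(router.route(request))
```

Only the request head is inspected, so a tunnel name that has not been registered is refused before any bytes reach a backend, and the name lookup is what a second `ssh -R` with the same name would collide on instead of the shared port.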
I'm working on a little Java project and I have a problem.
The MySQL protocol is blocked by the firewall and the only ports I'm able to use are 80 or 443. Is there any way to connect to my database over these ports? Actually I'm using the mysql-connector library for Java to connect.
You can change the port of MySQL.
Change the port in /etc/mysql/my.cnf.
Example:
cp /etc/mysql/my.cnf /etc/mysql/my-3307.cnf
# edit my-3307.cnf, for example:
port = 3307
basedir = /var/lib/mysql-3307
datadir = /var/lib/mysql-3307
# end of edit
mysql_upgrade --defaults-file=/etc/mysql/my-3307.cnf  # checks the syntax and creates the dirs you need
# start mysqld
mysqld --defaults-file=/etc/mysql/my-3307.cnf
source : http://dev.mysql.com/doc/refman/5.1/en/multiple-servers.html
PS: 443 is the default HTTPS port. It is not advisable to use this or the 80 (HTTP) port.
Maybe you can change the MySQL port to 443,
but I think it's bad...
I recommend you set up an SSH server on port 443 and use it for tunnelling traffic to your database and any other service.
Here's how you can tunnel traffic from your local machine to remote database:
ssh -L 9000:localhost:3307 user@1.2.3.4 -p 443
Now you can connect to the database as if you had it running locally on localhost:9000. All your traffic to the SSH server is encrypted. Check this article for other examples.
You can also check the chisel project; however, I'm not very familiar with it.
I'm trying to connect to an RMI registry that I have started on a remote server, but I get the following exception after a while:
java.rmi.ConnectException: Connection refused to host: *.*.*.*; nested exception is:
java.net.ConnectException: Connection timed out
By running the client locally on the server everything works, but I can't connect to it remotely, not even from telnet. However, if I run
start rmiregistry 1337
I can connect to it remotely from telnet. I'm assuming that it's something I have to set up when I'm running the server code, but I'm having trouble finding out what it is.
This is part of the server code:
String codeBasePath = "file:/C:/*path*/build/classes";
System.setProperty("java.rmi.server.codebase", codeBasePath);
System.setProperty("java.rmi.server.hostname", *host IP*);
RemoteFileServer server = new FileServer();
Registry registry = LocateRegistry.createRegistry(PORT);
registry.bind(*name*, server);
System.out.println("Server ready");
Let me know if you need more info/code to help me figure it out.
OK, there are two options I can think of:
1 - Did you give permission for incoming connections with a security policy? This step is quite simple actually; see here: rmi run tutorial
2 - The port might be closed from outside by the OS. For example, if you are using Linux you need to open the port in iptables like:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1099 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 1099 -j ACCEPT
or if you use Windows you can configure it from the firewall.
If anything is unclear you can ask.
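For both RMI threads above, a quick way to check more than "the port is open" is to speak the first step of the JRMP stream protocol to it. This is an added example, not code from either question or answer: the client sends the magic "JRMI", version 2 and the StreamProtocol byte 0x4b; a live RMI transport answers with ProtocolAck 0x4e followed by the client's host (DataOutputStream.writeUTF) and port (writeInt) as the server observed them, so you learn both that the listener really is RMI and which address the server believes you connect from. A caveat this probe cannot cover: the registry can answer and lookups can still fail, because the host set in java.rmi.server.hostname is what the returned stubs point at, and 127.0.0.1 there sends a remote client back to itself. The hostname and port on the command line are arguments you supply; the reply bytes in the usage note are constructed for illustration.

```python
"""Probe a TCP port for a Java RMI (JRMP) listener.

Added example, not from the original posts. Protocol constants are the JRMP
values used by the JDK's TCP transport; the probe itself is an assumption of
this example, not an API of the RMI runtime.
"""
import socket
import struct

JRMP_MAGIC = b"JRMI"       # 0x4a524d49
JRMP_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F


def build_jrmp_header() -> bytes:
    """Magic, version as a big-endian short, then the protocol byte."""
    return JRMP_MAGIC + struct.pack(">HB", JRMP_VERSION, STREAM_PROTOCOL)


def parse_protocol_ack(data: bytes):
    """Parse ProtocolAck + writeUTF(host) + writeInt(port).

    Returns (host, port) when the reply is complete, None when more bytes are
    needed, and raises ValueError when the reply is not JRMP or is a ProtocolNack.
    """
    if not data:
        return None
    if data[0] == PROTOCOL_NACK:
        raise ValueError("server answered ProtocolNack")
    if data[0] != PROTOCOL_ACK:
        raise ValueError(f"not a JRMP ProtocolAck (first byte 0x{data[0]:02x})")
    if len(data) < 3:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])     # writeUTF length prefix
    end = 3 + hlen
    if len(data) < end + 4:
        return None
    host = data[3:end].decode("utf-8")           # modified UTF-8 == UTF-8 for host names/IPs
    (port,) = struct.unpack(">i", data[end:end + 4])
    return host, port


def probe_rmi(host: str, port: int, timeout: float = 5.0) -> tuple[str, int]:
    """Connect, send the header and return the (host, port) the server echoed back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_jrmp_header())
        reply = b""
        while True:
            chunk = s.recv(256)
            if not chunk:
                raise ValueError("connection closed before a ProtocolAck arrived")
            reply += chunk
            result = parse_protocol_ack(reply)
            if result is not None:
                return result


if __name__ == "__main__":
    import sys
    seen_host, seen_port = probe_rmi(sys.argv[1], int(sys.argv[2]))
    print(f"JRMP endpoint; the server sees this client as {seen_host}:{seen_port}")
```

Run it as `python probe.py <server> 1099` (or 1337 for the second thread's registry). A "Connection timed out" here, with the same command working from the server itself, points at the firewall rules in the answer rather than at the RMI code; a reply whose echoed host is a NAT or VPN address explains why stubs built from the client's idea of its own address fail in the other direction.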
I am trying to set up a transparent TCP proxy on Android for my dissertation, but am having some issues. I am using software that I found on this site - http://en.dfr.ch/free-software/java-tcp-proxy - the source is freely available.
I have extracted the source and created an Android application from it. The main bulk of the code is in the loop below.
while (!interrupted()) {
    // Block until iptables delivers a redirected connection to the listening port
    Socket serverSocket = srvSock.accept();
    Log.e(TAG, "New incoming connection");
    try {
        serverSocket.setSoLinger(true, lingerTime);
        // Open the upstream side towards the configured destination
        Socket clientSocket = new Socket(dstAddr, dstPort);
        clientSocket.setSoLinger(true, lingerTime);
        Log.e(TAG, "Server socket and client socket created");
        // One copy thread per direction, each knowing its peer so both stop together
        StreamCopyThread sToC = new StreamCopyThread(serverSocket, clientSocket, "BrowserSide");
        StreamCopyThread cToS = new StreamCopyThread(clientSocket, serverSocket, "ServerSide");
        Log.e(TAG, "Working threads created");
        sToC.setPeer(cToS);
        cToS.setPeer(sToC);
        Log.e(TAG, "Peers defined");
        synchronized (lock) {
            connections.addElement(cToS);
            connections.addElement(sToC);
            sToC.start();
            cToS.start();
            Log.e(TAG, "Working threads running");
        }
    } catch (Exception xc) {
        Log.e(TAG, header + ":" + xc.getMessage());
        // xc.printStackTrace();
    }
}
srvSock.close();
Traffic is redirected from an IP to localhost, where the proxy handles it. To do the redirect I have used the following iptables rule:
iptables -t nat -A OUTPUT -p tcp --dport 80 -d [any ip] -j REDIRECT --to-port 8080
This seems to work in redirecting the traffic; however, when the proxy is running, it seems to continuously create new threads (connections) until it runs out of memory. With the logging, the output is similar to below, where ... represents several loops of the above logging before the error.
Working threads running
New incoming connection
Server socket and client socket created
Working threads created
Peers defined
BrowserSide-->611
Working threads running
...
/127.0.0.1:8080 <-> /[any ip]:80:Too many open files
I am really confused as to why it's not working properly. The same error appears when I try it in Ubuntu on a computer, but it works perfectly fine in Windows. I am thinking it may be an issue with iptables or some JVM/socket-based issue in Linux. I am currently running iptables version 1.4.4.
Thank you in advance for taking your time to have a look at this problem.
You are more than likely initiating a connection in your code to the same port that is being redirected.
Consider:
iptables -t nat -I OUTPUT -p tcp --dport 80 -d [any ip] -m owner \! --gid-owner proxyrunner -j REDIRECT --to-port 8080
This will exclude programs running as group proxyrunner; make sure to execute your proxy accordingly:
sg proxyrunner 'java [...]'
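The loop the answer describes, and a guard against it, as an added example in Python (Linux only; not the dfr.ch proxy and not the asker's code). With the REDIRECT rule in the nat OUTPUT chain, every local connect() to port 80, including the proxy's own upstream connect(), is sent back to the proxy's listening port, so the naive loop accepts its own connection, connects again, and so on until "Too many open files". The owner match above is the real fix; this example adds two things a transparent proxy should do anyway: it learns the real destination with the SO_ORIGINAL_DST socket option instead of a fixed dstAddr, and it records the source port of every upstream socket it opens so that an accepted connection arriving from one of those ports is recognised as its own redirected traffic and dropped instead of being proxied again. The `SelfLoopGuard` class, the verdict strings and the sockaddr bytes in the test are constructed for this example.

```python
"""Transparent TCP proxy with a guard against the REDIRECT self-connection loop.

Added example; Linux-specific (SO_ORIGINAL_DST), not code from the thread.
"""
import socket
import struct
import threading

SOL_IP = 0
SO_ORIGINAL_DST = 80  # <linux/netfilter_ipv4.h>


def parse_sockaddr_in(raw: bytes) -> tuple[str, int]:
    """Decode the struct sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST):
    sin_family in host byte order, sin_port in network byte order, 4-byte IPv4 address."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn: socket.socket) -> tuple[str, int]:
    """Pre-NAT destination of an accepted, REDIRECTed connection."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


class SelfLoopGuard:
    """Remembers the local ports of the proxy's own upstream sockets.

    In the OUTPUT-chain scenario every client is a local process, and the kernel
    never hands a local port to two live sockets, so "the peer's port is one of
    ours" identifies our own redirected connection exactly."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._ports: set[int] = set()

    def register(self, port: int) -> None:
        with self._lock:
            self._ports.add(port)

    def forget(self, port: int) -> None:
        with self._lock:
            self._ports.discard(port)

    def is_own(self, peer: tuple[str, int]) -> bool:
        with self._lock:
            return peer[1] in self._ports

    def open_upstream(self, dst: tuple[str, int], timeout: float = 10.0) -> socket.socket:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("", 0))                       # fix the source port before connect()
        self.register(s.getsockname()[1])     # so the guard knows it before the loop can fire
        try:
            s.settimeout(timeout)
            s.connect(dst)
            s.settimeout(None)
            return s
        except OSError:
            self.release(s)
            raise

    def release(self, s: socket.socket) -> None:
        self.forget(s.getsockname()[1])
        s.close()


def classify(peer: tuple[str, int], orig_dst: tuple[str, int],
             listen_port: int, guard: SelfLoopGuard) -> str:
    """'loop' for our own redirected upstream connection, 'self' for a client whose
    original target was the proxy port itself, otherwise 'forward'."""
    if guard.is_own(peer):
        return "loop"
    if orig_dst[1] == listen_port:
        return "self"
    return "forward"


def pump(src: socket.socket, dst: socket.socket) -> None:
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)      # propagate EOF; the other pump ends on its own
        except OSError:
            pass


def handle(conn: socket.socket, listen_port: int, guard: SelfLoopGuard) -> str:
    peer = conn.getpeername()[:2]
    verdict = classify(peer, original_destination(conn), listen_port, guard)
    if verdict != "forward":
        conn.close()   # a 'loop' verdict means the REDIRECT rule lacks the owner exclusion
        return verdict
    up = guard.open_upstream(original_destination(conn))
    threads = [threading.Thread(target=pump, args=(conn, up), daemon=True),
               threading.Thread(target=pump, args=(up, conn), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    guard.release(up)
    conn.close()
    return verdict


def serve(listen_port: int = 8080) -> None:
    guard = SelfLoopGuard()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", listen_port))
        srv.listen(128)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, listen_port, guard), daemon=True).start()


if __name__ == "__main__":
    serve()
```

With the owner-match rule in place the guard never fires; without it, the second connection of every request is closed with a 'loop' verdict instead of spawning two more threads, which is the point at which to log the misconfiguration. For traffic redirected in PREROUTING from other hosts the port-only check is no longer exact, because a remote client may legitimately reuse a source port that one of the proxy's upstream sockets holds.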
Have you tried running other Java proxies such as LittleProxy with the same configuration?
http://dev.littleshoot.org/littleproxy/
Other open source proxies: http://proxies.xhaus.com/java/
Let me explain my situation.
Currently, I have a lot of applications running on Tomcat 6, on the default port 8080.
I just created some applications that will need a login. I'm going to buy an SSL certificate to install on this server.
I don't like the idea of using port 8443 because it makes the URL more complicated.
If I run Tomcat on port 80, I'd have to change dozens of links and I'd have to run Tomcat as root (rather than tomcat).
Is there any problem running the insecure applications on port 8080 but having the secure ones run on port 443?
I'm imagining my setup will have URLs that look like this:
http://mydomain.com:8080/report/controller?id=weather
https://mydomain.com/secure/controller?id=profile
Is this possible?
Set up an HTTP connector on 8080 and an HTTPS connector on 8443. In your <Connector> declaration add the proxyPort attribute and set it to the default HTTP and HTTPS port (80 and 443 respectively). Set up a firewall redirect rule from 80 to 8080 and from 443 to 8443. Then the server will accept regular http and https URLs without the need to specify port numbers.
Below is a sample declaration of these connectors.
<Connector
maxSpareThreads='75'
port='8080'
proxyPort='80'
enableLookups='false'
maxThreads='150'
connectionTimeout='20000'
disableUploadTimeout='true'
minSpareThreads='5'
maxHttpHeaderSize='8192'
redirectPort='443'
acceptCount='200'
/>
<Connector
SSLEnabled='true'
keystoreFile='/path/to/keystore.jks'
maxSpareThreads='75'
port='8443'
proxyPort='443'
algorithm='SunX509'
enableLookups='false'
secure='true'
maxThreads='150'
connectionTimeout='20000'
disableUploadTimeout='true'
scheme='https'
minSpareThreads='5'
maxHttpHeaderSize='8192'
sslProtocol='SSL'
acceptCount='200'
clientAuth='false'
/>
And here are some redirect iptables rules (nat table):
# Redirect external packets
-A PREROUTING -j NAT-Port-Redirect
# redirect http traffic
-A NAT-Port-Redirect -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# redirect https traffic
-A NAT-Port-Redirect -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
Yes, it's perfectly OK. Just configure the connectors to use the respective ports. But for 443 I'd guess root would be required as well.