Monday, 22 September 2014

FIWARE Lab: Only one single IP per user?


I've decided to try FIWARE Lab, and the first thing I want to test is the cloud. Here I can create up to 3 VMs, but I get one (and only one) public IP. The first question that comes to mind is "How am I supposed to reach 3 virtual hosts with a single public IP?". Thinking about it more closely, though, the real question is "Do I actually need more public IPs for my project?", and I don't think I do.

For my test application I deployed 3 VMs and allocated one public IP:
  • 10.0.3.214 - the frontend, and the one the public IP is associated with
  • 10.0.4.146
  • 10.0.4.145

The obvious way.

I can reach 10.0.4.145 and 10.0.4.146 simply by connecting to the first VM over ssh and, from that host, opening an ssh session to either of the other two. Easy, and a single command is enough:

$ ssh -t root@<public_ip> ssh root@10.0.4.146
$ ssh -t root@<public_ip> ssh root@10.0.4.145


Easy, really easy... but that isn't what I had in mind.

Redirections

A single redirection with iptables does the trick nicely. However, OpenStack has to let the traffic through first, so we need the matching security group rules. I created an insecure security group with absolutely open rules:



These rules are insecure by definition: I have to protect the virtual machine myself and must not expect any protection from OpenStack, but in exchange I can do whatever I want with the ports. So now we are ready to type the following commands on the VM that has the public IP:

$ echo "1" > /proc/sys/net/ipv4/ip_forward   # enable forwarding between interfaces (not persistent across reboots)

# Port 20022 on the frontend's fixed IP goes to ssh on 10.0.4.145
$ iptables -t nat -A PREROUTING -d 10.0.3.214/32 -p tcp -m tcp --dport 20022 \
    -j DNAT --to-destination 10.0.4.145:22
# Port 30022 goes to ssh on 10.0.4.146
$ iptables -t nat -A PREROUTING -d 10.0.3.214/32 -p tcp -m tcp --dport 30022 \
    -j DNAT --to-destination 10.0.4.146:22
# Rewrite the source of the forwarded packets so the backends answer through this host
$ iptables -t nat -A POSTROUTING ! -s 10.0.3.214/32 -d 10.0.4.145 -j MASQUERADE
$ iptables -t nat -A POSTROUTING ! -s 10.0.3.214/32 -d 10.0.4.146 -j MASQUERADE


And now I can reach the VMs with private IPs over ssh, through the public IP:

$ ssh root@<public_ip> -p 20022
$ ssh root@<public_ip> -p 30022
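The same setup as a reviewable script, added here as an example and not part of the original post. It keeps the post's addresses and port map, adds the filter-table FORWARD rules the post leaves out (DNAT only rewrites the destination; if the FORWARD chain's policy is DROP the redirected packets are silently discarded), scopes the MASQUERADE rule to the forwarded port instead of all traffic to the backend, and saves the result with iptables-save so a reboot does not undo it. The `run`/`publish` helpers, the `DRY_RUN` switch and the `/etc/iptables/rules.v4` path are assumptions for illustration; run it with `print` first to review the rules and with `apply` as root on the frontend.

```shell
#!/bin/sh
# Added example, not the original post's commands: publish SSH on the two
# backend VMs through the frontend that owns the floating IP.
# FRONTEND and the backend addresses are the post's; run/publish, DRY_RUN
# and RULES_FILE are assumptions made for this example.
set -eu

FRONTEND=10.0.3.214                                 # fixed IP the floating IP maps to
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}    # assumed persistence path
DRY_RUN=${DRY_RUN:-0}                               # 1 = print commands, 0 = execute them

# run <cmd...>: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# publish <public_port> <backend_ip> <backend_port>
# One published service = one DNAT rule + FORWARD accept rules + scoped SNAT.
publish() {
    pub=$1 dst=$2 dport=$3
    # nat/PREROUTING: rewrite packets that arrive for the frontend on $pub.
    run iptables -t nat -A PREROUTING -d "$FRONTEND/32" -p tcp --dport "$pub" \
        -j DNAT --to-destination "$dst:$dport"
    # filter/FORWARD: the rewritten packets still traverse FORWARD, so allow
    # exactly this flow and its replies rather than relying on the policy.
    run iptables -A FORWARD -d "$dst" -p tcp --dport "$dport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$dst" -p tcp --sport "$dport" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # nat/POSTROUTING: SNAT this flow (and only this flow) so the backend
    # answers through the frontend instead of via its default route.
    # Side effect: the backend's logs show every client as $FRONTEND.
    run iptables -t nat -A POSTROUTING ! -s "$FRONTEND/32" -d "$dst" \
        -p tcp --dport "$dport" -j MASQUERADE
}

apply_all() {
    # Same as the post's echo into /proc; neither survives a reboot on its own.
    run sysctl -w net.ipv4.ip_forward=1
    publish 20022 10.0.4.145 22
    publish 30022 10.0.4.146 22
    # iptables rules live in kernel memory only; save them for restore at boot.
    run sh -c "iptables-save > $RULES_FILE"
}

case "${1:-}" in
    print) DRY_RUN=1; apply_all ;;
    apply) apply_all ;;
    *)     echo "usage: $0 print|apply" >&2 ;;
esac
```

Check the live result afterwards with `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v`; the packet counters on the DNAT and FORWARD rules tell you at which table a connection attempt is getting lost. How the saved file is restored at boot is distribution-specific (iptables-persistent on Debian/Ubuntu, /etc/sysconfig/iptables on CentOS), so adjust `RULES_FILE` to the image you deployed.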


...And how can I access my Database?

If you are absolutely positive that you want to reach your database from anywhere on the Internet (I'm positive I don't want that for my databases), you can simply add another redirection.
Let's imagine I have a MySQL database on 10.0.4.146; I could simply add one more iptables rule:

$ iptables -t nat -A PREROUTING -d 10.0.3.214/32 -p tcp \
  -m tcp --dport 3306 -j DNAT --to-destination 10.0.4.146:3306

And now we have our fully exposed MySQL server accessible from the whole Internet, with nothing between it and any client but its own authentication (the MASQUERADE rule for 10.0.4.146 added earlier already covers this flow, since it is not limited to port 22).
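For the database, the alternative to publishing port 3306 is to forward it over ssh through the frontend, which is the first approach above (ssh via the public IP, then ssh again) made permanent and extended with a port forward. The client-side `~/.ssh/config` below is an added example, not from the original post: the host aliases `fiware-fe`, `db-vm` and `app-vm`, the key path, and the use of `ProxyJump` (OpenSSH 7.3 or newer; the `ProxyCommand` line shown as a comment is the older equivalent) are assumptions.

```sshconfig
# Added example: ~/.ssh/config on the workstation, not from the original post.
# Host aliases and the key path are assumptions; the addresses are the post's.

# The only VM with a public IP; every other host is reached through it.
Host fiware-fe
    HostName <public_ip>
    User root
    IdentityFile ~/.ssh/fiware_lab

# Backend VMs, reached through the frontend with no DNAT rules at all.
Host app-vm
    HostName 10.0.4.145
    User root
    ProxyJump fiware-fe

Host db-vm
    HostName 10.0.4.146
    User root
    ProxyJump fiware-fe
    # OpenSSH older than 7.3: replace ProxyJump with
    # ProxyCommand ssh -W %h:%p fiware-fe
    # Expose MySQL on the workstation's loopback only while the session is open.
    # The remote side is 127.0.0.1 on db-vm, so it works even if MySQL binds
    # only to localhost there.
    LocalForward 127.0.0.1:3306 127.0.0.1:3306
```

With this in place `ssh app-vm` replaces the `ssh -t root@<public_ip> ssh root@10.0.4.145` form, and `ssh -N db-vm` in one terminal lets `mysql -h 127.0.0.1 -P 3306 -u <user> -p` in another reach the database without a single extra open port. Use `-h 127.0.0.1`, not `-h localhost`: the MySQL client turns `localhost` into a Unix socket connection and bypasses the tunnel. The backend VMs must accept the same key, and the open security group is still what lets the ssh traffic reach them inside the tenant network.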


3 comments:

  1. I cannot define the first security group rule, I can write the -1 value! Can you help me?
    I want to use Orion Context Broker in a VM over port 1206, and port 80 in the VM with the public IP.

  2. I cannot define ICMP ports with -1; it's not available.

  3. I would add how to list the NAT rules to your post: "iptables -t nat -L -n -v".
    Also, I think saving the NAT rules with the "iptables-save" command is missing in your post.
