Is there a Ruby API for manipulating packet filtering chains a la iptables? - ruby-on-rails

I've been crashing around on the netfilter/iptables home page as well as beseeching The Google, but no luck so far.
I have a Rails application which needs to control packet filtering for its Linux host. It could do this by just dumping rules into /etc/sysconfig/iptables and bouncing the iptables startup script, of course. But it would be sweeter if it could just seamlessly make the calls via an API.
The app's requirements are actually very very simple; it only needs to add and delete ACCEPT rules for a given source IP address to a given TCP port on the server, to control access to that service.
I found references to a ruby-iptables project, but that apparently went moribund some years ago.
If I have to resort to raw getsockopt() calls and the like, I'll just do the text-file-and-restart approach, which will offend my Slickness Sensor but make my customer smile, because he likes working software better than really elegant software that will work Very Soon Now.

If you search for "ruby netfilter" there's more to be found. NetFilter (http://netfilter.org/) is the underlying framework behind iptables.
http://rubyipq.rubyforge.org/ (traffic shaping)
https://github.com/johnl/netfilter.rb (DSL)
http://rubyforge.org/projects/iptcext/ (IPTC library interface)
The last is most like what you want, but while there's code, there doesn't seem to be a real release.
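For the add/delete-ACCEPT-rule use case in the question, shelling out to the iptables binary is workable as long as the Rails side validates its inputs and never builds a shell string. The following is an added example (not code from ruby-iptables, iptcext or netfilter.rb); it assumes the binary path in IPTABLES, that rules go into the INPUT chain, and that the process already has the privileges iptables needs (for instance a sudoers entry limited to that binary).

```ruby
require 'ipaddr'
require 'open3'

# Added example: a thin, validated wrapper around the iptables command line.
# Assumptions (not from the question or the linked projects): the binary lives
# at IPTABLES, rules go into CHAIN, and the caller already has the privileges
# iptables needs.
IPTABLES = '/sbin/iptables'.freeze
CHAIN    = 'INPUT'.freeze
ACTIONS  = %w[-A -D -C].freeze # append, delete, check

class RuleError < StandardError; end

# Build the argv for one "ACCEPT tcp from <ip> to <port>" rule.
# All validation lives here, so nothing untrusted reaches the command line
# unchecked: the source must parse as a single IPv4 host and the port must be
# a number in 1..65535.
def accept_rule_args(action, source_ip, port)
  raise RuleError, "unsupported action #{action.inspect}" unless ACTIONS.include?(action)

  ip = begin
    IPAddr.new(source_ip.to_s)
  rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
    raise RuleError, "invalid source address #{source_ip.inspect}"
  end
  raise RuleError, 'a single IPv4 host address is required' unless ip.ipv4? && ip.prefix == 32

  p = port.to_s
  raise RuleError, "invalid port #{port.inspect}" unless p =~ /\A\d{1,5}\z/ && (1..65_535).cover?(p.to_i)

  [IPTABLES, action, CHAIN, '-s', ip.to_s, '-p', 'tcp', '--dport', p.to_i.to_s, '-j', 'ACCEPT']
end

# Execute an argv array without a shell. Open3.capture3 with separate
# arguments never invokes /bin/sh, so metacharacters in an address or port
# cannot turn into extra commands.
def run_iptables(args)
  out, err, status = Open3.capture3(*args)
  raise RuleError, "#{args.join(' ')} failed: #{err.strip}" unless status.success?
  out
end

# Add the rule unless an identical one is already present (-C exits 0 when
# the rule exists), so repeated calls do not pile up duplicates.
def allow(source_ip, port)
  _, _, status = Open3.capture3(*accept_rule_args('-C', source_ip, port))
  return false if status.success?
  run_iptables(accept_rule_args('-A', source_ip, port))
  true
end

# Remove the rule; iptables exits non-zero if it was not there.
def revoke(source_ip, port)
  run_iptables(accept_rule_args('-D', source_ip, port))
  true
end
```

Two things a practitioner would check before relying on this: rule order matters, so an ACCEPT appended after an existing REJECT/DROP in INPUT is never reached (a dedicated chain referenced from INPUT is the usual fix), and rules added this way live only in the kernel, so they still need to be persisted if they must survive a reboot.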

Should an iphone app communicate directly with a cassandra backend?

Obviously there are multiple steps and phases of implementing such a thing.
I was thinking I would eventually have a web server that takes HTTP JSON requests from the iOS app, then queries the Cassandra backend and sends results back. I could still load balance and all that fancy stuff, and also provide a logical layer on the server side, and keep the client app lightweight.
I'm not sure I understand how Cassandra clients fit, though. It seems like the Cassandra Objective-C client could eliminate the need for the above approach.
I saw another question and answer but it wasn't clear, perhaps because it varies on the need.
An iPhone app should not directly connect to a Cassandra backend or any other DB store.
First of all, talking to a database often requires adapting a very specific binary protocol (for Cassandra in particular, binary CQL or Thrift). Writing an adapter that would let your Objective-C app communicate in this binary protocol is a major piece of work, and could easily cost more than the rest of your app in effort. If you hide the DB behind a web-server, however, you will be able to select from a variety of existing adapters available in different server-side languages, meaning that you don't need to redo all that low-level work. You'll only be responsible for a relatively small piece of server-side code that would translate your REST queries and forward them to one of the Cassandra adapters (which expose easy-to-use interfaces).
Secondly, if you wanted to connect to a remote database from the phone, your database server would have to open its ports to the internet at large, which is a very bad security practice, even if you use SSL and user credentials. Again, if you hide behind a web server, you will be putting in a layer of technology that has evolved for decades to remain secure on the public internet.
Finally, having your phone talk to Cassandra directly is a poor architectural pattern. When you write apps that communicate on the internet, you want them to know as little as possible about each other, only how to talk to each other (preferably in a standard protocol). That way you can replace or upgrade individual components while keeping everything else the same. This may not sound like a lot, but is actually the main reason why phones, or web browsers, don't directly talk to databases. (If this setup were a good idea in principle, the first two problems could be easily solved given enough engineering effort.)
The approach you first suggested with JSON and the web server is the only correct way to go.
Use something like a RESTful API; there are many reasons for that.
If your servers' IP addresses change you have to update all clients; if you add more nodes you will need to update all clients; if you decide to upgrade your Cassandra and some functions change, your clients will break and you need to update all clients.

URL Stop using Delphi service

I want to have background service written in Delphi 7, that stops a specific URL from being loaded by any browser. Is this possible?
Can anyone point me in a direction?
Thanks in advance.
Shane
There are two approaches of which the second one is technically the best:
Write a DLL that you inject into all processes and if these processes are for a browser you have to intercept and filter all traffic, e.g. using Windows sockets
Write a Layered service provider that works a bit like a firewall (at a lower level in the OS)
I've worked in internet filtering software and I can tell you both are big undertakings.
We initially took the first approach, then switched to the other because it's technically better. [And we never finished that transition because the company folded ;-(]
We did not write our own LSP (it's a big job in itself) but used the products from Komodia. Although they write for C, the people were very helpful answering our questions about porting to Delphi.
But as I said earlier, this is BIG: you have to deal with 32 and 64 bit code, http versus https, protecting services from being stopped, etc. Any non-programming solution that you can find is better (although easy to circumvent).
If you still want to program: prepare for 1 man-year of coding using LSP.
A service, no, I don't think so. But you can edit the 'hosts' file so that the domain of the url points to 127.0.0.1. You can make a service that 'guards' this file, although the service itself must have elevated rights to be able to edit it, and of course, the service itself can be killed as well, if the user has the rights to do so.
Anyway, if you manage to edit the file, the browser will not be able to find the server by domain name. Of course, URLs with an IP address cannot be blocked this way, and neither can you block specific URLs, only the entire domain.
But in general, this is not something to solve using a custom service, but in the firewall on either the PC or the router.
For Internet Explorer, you can write a Browser Helper Object that IE itself loads and passes browser events to. The BHO can then accept/reject URLs on a per-request basis as needed.

Transferring incoming communication to another computer

I have two computers, A and B.
On computer A, I want to be able to specify for certain ports that incoming traffic from computers will be automatically routed to a different port on computer B as if it was originally sent to B from .
I'm not really sure what I need here. I thought it might be port forwarding, bridge, ip routing or ip forwarding but was unable to come to a conclusion.
I'm trying to do this on a Windows 2008 machine, in order to shift traffic from older software on one server to newer software on a different server. I tested my trials using http://joncraton.org/blog/46/netcat-for-windows, trying to send stuff from my computer to another computer which was supposed to route it back to me, but nothing was received.
I have tried:
http://www.simpleportforwarding.com
but that didn't work for me.
I've also tried:
http://www.quantumg.net/portforward.php
but my anti-virus blocks it (though it's not malware, as far as I know).
I know Windows has the command "route" on the shell but I'm not really sure what to do with it as it requires a mask for the IP and doesn't seem to allow choosing ports (and it might not be what I need anyway).
I've also come across this:
http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html
and though I'm pretty sure NAT is not what I need, maybe that "Roles" configuration has something relevant.
Has anyone come across a similar situation and knows how to solve this? I'm pretty sure there's something ready which can do this and no software needs to be written.
EDIT:
I've discovered that netsh can do the above by:
C:\>netsh interface portproxy add v4tov4 listenport=12345 listenaddress=192.168.1.1 connectport=443 connectaddress=192.168.1.1
which is a command I found here:
http://www.rickwargo.com/2011/01/08/port-forwarding-port-mapping-on-windows-server-2008-r2/
But the problem is, and I forgot to mention this, I also need to be able to do this routing only for specific source IP addresses. I'm not sure if netsh can do this (maybe it can?) so is there any other way?

Programmatic Method For Opening Ports

I've searched this subject in stackoverflow and found out that a telnet library would help, and I found a telnet lib here: C# Telnet Library
but I don't know how I can use a telnet library to open a port in my router. I'm using an AT&T 2wire router. Any hints on how I can do this?
You can't. The 2wire router is an island unto itself, if it decides to block a port nothing external can (or should) be able to change that. You are on the wrong track, and would need to restate your goals in order to get a useful answer.
UPnP and other "hole punching" techniques do exist, but you'll be in a world of hurt if you try to rely on them for any widespread deployment.
Perhaps you meant to open a connection to a remote server and then establish two way communication. That is easy... and how other games and tools get the job done.
Technically speaking you should not be able to. You shouldn't have outside programmatic access to a router to open a port if it's blocked.
If what you mean is opening a port for communication (that is not blocked) then you can simply create Sockets with the address and port (ex. localhost 7777) to establish inter process communication or simply communication with another server.
As I mentioned in a comment below, there are ports that are available for use (in C# this can be easily tested; a quick Google search will find you many snippets of code for testing if a port is open). A simple approach is to simply start at port 1024 (I believe this is the correct lower bound for ports that should be used by applications; someone correct me if I'm wrong) and just start counting up until you find a port that is available; if you find you've reached some upper limit you can simply report that a connection cannot be made. I hope this clears up a little more, and if I have time I will try to find some code I have for this and edit it in, but honestly a quick search can net you similar code for checking ports in C#.
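The "count up from 1024 until a bind succeeds" check described in the answer above, written out as an added example in Ruby (the C# snippets the answer refers to are not on this page). It only touches the loopback interface and nothing on a router. It also shows the alternative a practitioner usually prefers: bind port 0, let the kernel pick, and keep the socket open, which closes the window in which another process could take the port between the check and the real bind.

```ruby
require 'socket'

# Added example: local port availability checks. Nothing here configures a
# router; it only asks the local kernel whether a loopback port can be bound.
LOOPBACK = '127.0.0.1'.freeze

# True when the port can be bound right now. The socket is closed again
# immediately, so another process may grab the port before you bind for real.
def port_free?(port, host = LOOPBACK)
  TCPServer.new(host, port).close
  true
rescue Errno::EADDRINUSE, Errno::EACCES
  false
end

# Linear scan from the first non-privileged port, as the answer suggests.
# Returns nil when the whole range is in use.
def first_free_port(from = 1024, to = 65_535, host = LOOPBACK)
  (from..to).find { |p| port_free?(p, host) }
end

# Preferred: bind port 0 and let the kernel choose an ephemeral port. The
# listening socket is returned together with the port number; as long as it
# stays open the port is yours, so there is no time-of-check/time-of-use gap.
def reserve_port(host = LOOPBACK)
  server = TCPServer.new(host, 0)
  [server, server.addr[1]]
end
```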

Preferred Placement of a Network Collector in a Switched Environment

I'm not a network specialist so my apologies if I've used some of the domain terminology incorrectly, etc. For web metrics/analytics, we currently use both client-side (JS page tags) and server-side (log files) data. Neither gives us "delivery" information (e.g., connection speeds), hence the interest in Network Collectors. We are in a switched environment, so installing the N/C as if it were a web server, i.e., on a switch port, won't allow it, I don't think, to see the web server traffic.
After some research, I've learned how to place the N/C by configuring a monitoring port. What concerns me about this is that the m/p appears to work by duplicating the traffic within the switch.
Is there a better solution for N/C placement in this type of network environment?
Don't worry Doug, switches nowadays won't falter under this sort of load. The way you have explained is quite OK.
Of course, you could buy a more expensive switch with "NetFlow" sort of support... and have the switch collect the data for you....