There have been a few questions like this around the place but none have really answered my question specifically.(for example Connecting to device behind firewall )
What I want is a central server, that receives a heartbeat from multiple ( say 100's) embedded devices behind personal firewalls. These devices need to be able to do two things.
Grab new config from the server. I
suspect I can just do this via a
http get from the device to the
server and pull down some XML, then
reload its own config.
Open an ssh connection to the server
to allow an admin to login to the
command line of the device and do
maintenance and troubleshooting
remotely.ie device => server <= admin and admin can get to bash command line or equivalent.
the device is a low powered embedded device that will be running linux. A solution in python would be preferable (im thinking something with paramiko for the ssh) but im open to other solutions. The main thing is there is there will be no technical users in the private network, so it should be able to plug into a consumer grade ADSL modem, get a DHCP address and all this should work. I can preload the device with anything before hand, for example ssh certificates for passwordless ssh etc.
anybody got any idea's?
Cheers
Mark
You can setup ssh tunnel (from python script or from console):
ssh -NR10022:localhost:22 foo#mainserver.com
Then you can simply login to main server and then ssh bar#localhost -p 10022
You should have ssh keys, so you don't have to put password (google about "ssh without password").
A more elaborate method might be some type of firewall hole punching.
On second though, maybe this is not necessary, since there is only one firewall involved. The trick is to get your embedded device to initiate an outbound connection first.
Related
Trying to connect to my django website (from the browser) that's stored on the GCP virtual machine.
Everything works fine if I'm accessing it internally using internal IP or localhost.
However, I can't access website with external IP.
No logs in django that would say someone trying to access if I'm trying with external IP.
I have http, https traffic enabled on instance.
Firewall rule to allow port 80:
Here is Test-Net results.
Searched the web for answers but nothing looks wrong in my settings..
Any ideas would be appreciated.
UPDATE:
Do not create or change egress rules unless you know exactly what they do. They are not necessary for ingress rules (VPC Firewalls automatically allow return traffic):
I've changed all firewall rules back how they were so now only port 80 is allowed.
You have an ingress rule for the target http-server. Is that target flag set on the VM instance?
What is the output from sudo lsof -i -P -n | grep LISTEN? Your Django server must be listening on 0.0.0.0.0 instead of localhost.
I have 0.0.0.0 with port 80 at django terminal.
I use windows 2016 server so don't know the powershell function that would display what you asked for.
Here is netstat listening ports for django.
what I have:
I made a simple web application using Flask, which woks great on the localhost.
what I want to achieve:
I want to deploy it so it is visible in the internet.
Because Flask says that the production server should not be used for deployment I installed gunicorn.
I managed to get it working on localhost (running gunicorn server:app).
Then I tried to make it public using the -b 0.0.0.0:5000 option. it said it is running on 192.168....:5000 Now I could access the website using that ip address from my computer and also from my phone connected to the same wifi. however I was unable to connect to the website when I didn't use this wifi.
when I searched about this, I found out that the 192.168.... ip address range is reserved to the local network and cannot be accessed from anywhere else.
how do I need to run the script so it is accessible from everywhere? Do I need to modify the firewall settings? Maybe there is a better way to deploy such an app on the local machine using a different framework?
Just some additional information:
python version: 3.9
I am using a venv (and installed flask and gunicorn into it)
os: macos 11.6.1 (I could run it on an Ubuntu machine if that is easier)
This question isn't anything related with Python or Gunicorn but to networking (so maybe StackOverflow isn't the correct place to ask but other community like ServerFault)
Currently your application is already exposed on your machine in the defined port, so next step would be to forward all the traffic that comes to your router to there.
In order to do that, you will have to configure the firewall of your router to accept incoming traffic through a desired port and finally forward the traffic which comes from that port to your machine in the port 5000.
Also, in the case that you have everything already configured, it will only work if your ISP is providing you a single IPv4, what currently doesn't happen anymore but you actually are sharing that with few more people. Other option would be that you configure IPv6 incoming traffic.
As you can see, this isn't a simple task neither one that should be done without proper care, since you would be literally opening your network to possible attackers.
So, in order to simplify it at the most for you, since you already have Gunicorn, I would recommend you to use any of the resources exposed by other users as Heroku or Netlify which are free for a single application and will fulfill your expectations without requiring high amount of networking knowledge.
You would need to do the following steps:
read up and learn a lot about security for Web servers, then read some more, it is fraught with risks
find your Mac's IP address on your local network and make sure it is fixed, i.e. set as static on your Mac (under "System Preferences->Network") or reserved in your router's DHCP tables (by putting your Mac's MAC address in its allocation tables) so that it always gets the same local address on your internal network when it boots
log into your router and set up "Port Forwarding" to forward external requests (coming from the Internet) for port 5000 (or some other port) to your Mac's fixed IP address and the port 5000 where Gunicorn is serving
log into your router and find your WAN IP address, or go to http://whatsmyip.com to get the address you need to put in your browser, or your friends need to put in their browsers to see your shiny new website
as it stands, this will work until the next time your router reboots when your ISP will likely allocate it a new IP address. If you want it permanent, you need to either 1) ask your ISP for a static IP address, or 2) subscribe a DDNS service (e.g. noip.com or dyndns.com) or 3) tell your friends your new IP address every time you reboot your router
I do not know anything about gunicorn. But what I used to use when needing to deploy a flask app was pythonanywhere. They have a great and totally free hosting service. It's really fast in deploying, needs no resources from your computer and is just great. Also you would have to forward the port 5000 for your computer to enable other devices not in the same network to access your computer/flask app. That comes with security issues. However, you do not need any of that when using pythonanywhere.
There are also other great hosting services like that one. It's just the only one I know and used yet but you'll find others for sure if you don't like that one.
I'm using Python 3.8.5 currently on windows, but the script should run also on linux and on macOS.
I'm creating UDP server and a client and have establish communication between them via multicast.
The client does not know from advanced the IP of the server so it is a "discovery tool" that will let me know information about the server ones it has received the data. -This is working-
On the server I'm using netifaces to get information about the interfaces.
The server sends information to the client such as IP address, mask, gateway. -information that I get from netifaces and is working-.
Example of data I get:
Now to the issue:
The python server can have a static IP or can be connected to a DHCP server -in case that is connected to a DHCP server I will not have access to the DHCP server-.
I wish to know when the DHCP is enabled or disable on the python server so I can send this as a flag to the client together with the rest of the information.
The idea is for the client to know that the IP that he's connecting to can change and he may lose connection and will need to start the discovery tool once more.
Because the user will not know in advanced if the python server is connected to a DHCP server or wil know the IP address of the python server or have access to the python server command line or configuration, using ip addr show, ipconfig, ifconfig and other commands before connecting is not an option.
I have seen that people use scrapy for DHCP communications but it seems that it does not solves what I wish to accomplish.
I do no need to configure the DHCP, just detect if my python server IP is static or dynamic.
I have search for over 4 days and have not found a possible solution.
I'm not asking to have the solution in silver spoon just to be pointed on the right direction.
**EDIT: I forgot to mention that the python server will be running on Ubuntu 16.04 and 20.04.
This will depend on your operating system setup. For example, here's a related question on how to detect whether DHCP is enabled in Ubuntu.
Background
So after about a year of having a GoDaddy cloud service, and super disappointed with it from the get-go. Once they announced that they would be discontinuing Cloud Server services, it was like a sign from the heavens.
I then created a Google Cloud account. One of the biggest reasons I got a Cloud Server to begin with was to have an eclipse Che instance, an IDE wherever you are! I love it, but despite the temporary partnership between Bitnami and GoDaddy, launching a Eclipse instance with them with such a mind-numbing task since their internal Factory build still required a ton of Docker configurations...
And though I can appreciate the fact that I did learn the ins-and-outs of configuring Dockers Network settings, which is not something to wince at... As soon as I got my Google Cloud account it was simply a 1 2 3 and go!
Question
Whilst I'm running an Eclipse chat instance, what is the proper way to port-forward a given work space to my local machine? The scenario is simple...
I created a Python stack of which I am using Django but when I run server, of course default being the local IP to the project, I have yet to find the easy and more than likely existing standard way to run the Django server and have the eclipse Che create the URL to the project. I'm ninety-nine percent sure that I'm going about this the wrong way given the fact that even some of the demo stack projects with Node or Python are plug-and-play.
PS: I am able to ssh into the workspace no issue, I'm just confused on how to port forward from remote to local as I've only really done it the other way around.. ssh -R ... or -L?
What you need is SSH Tunnel, which is -L. If you need to send a port from local to server that is called a Reverse SSH Tunnel, which is -R.
so simple command
ssh -L <localport>:127.0.0.1:<remoteport> <user>#<server>
Some extension to the other answer mentioning ssh tunneling...
If you run a docker-dev on a server (e.g. 192.168.1.123) not being your local machine in eclipse-che that provides some web service you want to access, then find out the IP address of the docker-dev, e.g. by opening a terminal in your eclipse che workspace and executing ip addr. There you will see some 172.17.x.x that is accessible only from the server. Assume the service in docker-dev is listening on port 12345, then you need the following ssh port forwarding from your local machine to access it:
ssh -L 8888:172.17.0.2:12345 192.168.1.123
While the ssh connection is open, you can access the web service with you browser by accessing http://127.0.0.1:8888/
Here's what I need to do:
The user is on a remote machine and connects to a server via ssh. He runs a python script on the server. The script running on the server starts a script on the user's remote machine as a subprocess and opens a pipe to it for communication.
First, is this at all possible?
Second, is this possible in such a way that the user does not need to do anything fancy, like open up a reverse ssh tunnel? If they do have to open up a reverse ssh tunnel, can I figure out which port they are using?
First, is this at all possible?
With simple user --SSH--> server - no, its not.
is this possible in such a way that the user does not need to do anything fancy
User will have to run sshd on his machine, add a user for your server and somehow let you to connect to it, bypassing NAT if any. So no, there is no such way with SSH.
I'd go with client-side application. Give script to user and let him run the script instead of SSH'ing. If you need to communicate with server, you can use something like paramiko on client side to connect to server from script. Then, script can launch other applications on client's computer based on data it receives from server.