tcpdump: concatenation not working with "and"! - tcpdump

I've tried it for a while now, referring to resources on the net and man tcpdump. I just can't get it to work. I've tried sudo tcpdump -i any -A "dst port 62655 and src port 62665", then I tried sudo tcpdump -i any -A "(dst port 62655 and src port 62665)". I also tried sudo tcpdump -i any -A \(dst port 62655 and src port 62665\). I'm going nuts, what am I missing?? According to man tcpdump it's okay to use either and or &&
EDIT:
What do I mean by "it doesn't work"? If I only use sudo tcpdump -i any -A "dst port 62655" I can see the traffic from the server to the client. If I try to combine it in order to try to catch the incoming traffic as well (as described above) I see nothing (not even the outgoing traffic anymore - which worked before!).

By using "and", you're requiring each packet to meet both conditions. Your edit makes it sound like one condition is for incoming and one condition is for outgoing, so use "or" instead of "and".
As an aside, especially for common ports where there's likely more traffic, it's often useful to specify "host X.X.X.X" to filter for packets where the source or destination is the specified IP address.
Manpage for the filter expression

Related

LXD - Cannot list network forwarded ports

I am trying to figure out how to list ports forwarded by LXD through lxc network forward.
I have 2 NIC configured as :
ip a result
I configured network forward ports that way :
lxc network commands
My configuration works quite well and I can access my webserver from the outside :
curl success result
The problem is here : I want to know what ports are opened using this method without using lxd commande (I'm looking for a linux way to list them).
I already tried with netstat, lsof and iptables but nothing seem to let me see the port 8080 that is actually giving me the content I'm looking for :
netstat -ltnuop result
iptables -t nat -L -n result
lsof -i result

Opening a specific port in Oracle Cloud - Ubuntu 18

The above one seems like an easy question, but believe me I have tried multiple methods but all seems to be in vain
For example : Port is 8080
1st - I followed many oracle docs and tried opening port 8080, but failed miserably
2nd - I followed another stack overflow posts - Opening port 80 on Oracle Cloud Infrastructure Compute node
Opening port 19132 on an Oracle compute instance (ubuntu-20.04)
still no success
3rd - I followed these oracle instructions and tried to open up the port - https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
but not working -> to my surprise, when I tried port no 80 with the same method,it worked well..but not working for any other port at all
In short : ** I enabled port 8080 in Security rules in VNC - didnt work
** I tried ,installing firewalld and allowing through that -> didnt work for me
** Tried this -> didnt work
iptables -I INPUT 5 -i ens3 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
So I was hoping someone else can find me a solution Please to open up a port, or is there any way to completely disable my firewall so that I can use any port at all - currently I am able to listen to only port 80 from outside
Thank you
Ubuntu images in Oracle Cloud seem to have this 'strange' (compared to other clouds) behavior by default where you need to explicitly enable incoming traffic in the VM:
sudo iptables -I INPUT -j ACCEPT
Then you need to make this permanent:
sudo iptables-save -f /etc/iptables/rules.v4
To open a certain port it may require creating a security application specific to the port before creating the security rule. Please refer to this walkthru on it if you haven't already - https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/compute/permitting_public_tcp_traffic_to_compute_instances/permitting_public_tcp_traffic_to_compute_instances.html
I am using Oracle Linux and this worked for me.
First add a new rule inside the default security list(see the link below)
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --reload
Reference : OCI: Amend Firewall Rules
In your case, you have Ubuntu instead of Oracle Linux, so you could try the above two commands as per Ubuntu and check if it works.

Opening port 80 on Oracle Cloud Infrastructure Compute node [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
The community reviewed whether to reopen this question 11 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
This is an elementary question however one I cannot seem to resolve by perusing the Oracle Cloud Infrastructure documentation. I've created an Ubuntu-based compute node, and it's attached to a subnet. In that subnet I've created a stateful rule with source 0.0.0.0/0, IP protocol: TCP, Source Port Range: All, Destination Port Range: 80.
There is no firewall configured on the server.
Despite this configuration I can't access the compute node's public IP. Any ideas?
I figured it out. The connectivity issue was due to Oracle's default use of iptables on all Oracle-provided images. Literally the very first thing I did when spinning up this instance was check ufw, presuming there were a few firewall restrictions in place. The ufw status was inactive, so I concluded the firewall was locally wide open. Because to my understanding both ufw and iptables look at the netfilter kernel firewall, and because ufw is the de facto (standard?) firewall solution on Ubuntu, I've no idea why they concluded it made sense to use iptables in this fashion. Maybe just to standardize across all images?
I learned about the rules by running:
$ sudo iptables -L
Then I saved the rules to a file so I could add the relevant ones back later:
$ sudo iptables-save > ~/iptables-rules
Then I ran these rules to effectively disable iptables by allowing all traffic through:
$ iptables -P INPUT ACCEPT
$ iptables -P OUTPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -F
To clear all iptables rules at once, run this command:
$ iptables --flush
Anyway, hope this helps somebody else out because documentation on the matter is non-existent.
When deploying compute instances at Oracle Cloud Infrastructure you need to take into account few things:
Create Internet Gateway (IGW).
Define routes to point to IGW.
Allow port 80 in the Security List associated with the IGW. By default you only have access to SSH and ICMP 3,4 type.
Allow connectivity on Compute's instance firewall (which is enabled by default).
In your example if you are using a OEL shape:
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
$ sudo firewall-cmd --reload
Always refer to the official guide: https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT
$ sudo netfilter-persistent save
$ sudo systemctl restart apache2
credited to https://medium.com/#fathi.ria/oracle-database-cloud-open-ports-on-oci-1af24f4eb9f2
Coumputer Instance(Such as Ubuntu) -> Virtual Cloud Network -> Security List -> Ingress Rules -> Please add a rule to allow access to port 80 from anywhere
Pre-Requisite
VM instance should have been created and running
Access to Public and Private keys used during the creation of VM instance
Log into the VM using SSH and run the following command
$ sudo iptables --list --line-numbers
It will show the details about Chain INPUT (policy ACCEPT). From the list
required to Delete REJECT all rule in the IPTABLES.
$ sudo iptables -D INPUT <Reject Line number>
e.g.
$ sudo iptables -D INPUT 6
Check if the REJECT rule is deleted
sudo iptables --list --line-numbers
Access the Default Security List and Edit Ingress Rules to Allow Internet Traffic on Port
Edit the INGRES Rule Add CIDR 0.0.0.0/0 TCP Destination 9999
(N): Networking >Virtual Cloud Networks> Virtual Cloud Network Details>Security Lists> Security List Details
Access your application via web browser
Type http://<public IP address of the VM>:port
I guess if you add the rule below to your iptables it should work; otherwise you'll be disturbing other rules which are related to block volume attachment that comes preconfigured on those Oracle images.
iptables -I INPUT 5 -i ens3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
If you have not created Internet Gateway yet, that might be the reason. In order to connect the VCN with the public internet you need to have an Internet Gateway and a route table to direct the traffic through the gateway.

Capture communication between nginx and http clients, and nginx and my application

My website is hosted on my remote server REM1. I access this server through ssh.
My website, which is used by few persons, slows down sometimes and I think it comes from my nginx's configuration because when I restart it all works again normally.
I'd like to analyse communication/packets exchanged between http client-nginx and between nginx-my application.
When I run this:
sudo tcpdump -S -p -A
I get millions of packets of ssh, so it's impossible to read http packets among the sea of ssh packets.
When I try to run this:
sudo tcpdump -S -p -A port not 22
I get nothing even if I open a page of my website on my browser and I refresh many times.
I'm new to tcpdump, and it's really about tcpdump no matter what web server is used.
How do I capture only nginx communication?

tcpdump doesn't captures properly on specific port

I'm in a network and i wanna capture ftp packets from another server in the network but i have a problem with tcpdump about this.
I've used this command :
tcpdump -i eth0 dst X.X.X.X -A and port 21
But it doesn't shows anything! ( i tested and sure that ftp port is 21 )
But if i use this on my server it works properly.
tcpdump -i eth0 -A and port 21
I've this problem when i enter " port " in the command. but if i enter a command without specific port it works and captures properly.
What is the problem?
Thanks.
I don't have enough reputation to ask a question, so this is part question and part insight.
Is the IP you're filtering on the client or the server for the FTP connection?
For the first command, try using src x.x.x.x or just host x.x.x.x and port 21.
For the second command, the "and" is not necessary with the -A flag. This should look more like this:
tcpdump -A -i eth0 port 21
tcpdump -Ai eth0 port 21
Another thing I've seen is if there are vlan tags, normal filtering won't work without adding "vlan and " to your filter. For example:
tcpdump -A -i eth0 "vlan and host x.x.x.x and port 21"
Also keep in mind that FTP uses a control and data connection. The control is over port 21, but the data can vary depending on whether you're using active or passive FTP.