Make VM accessible to the outside world (iptables question)

I have a VM running on one of our internal servers on top of Oracle Enterprise Linux 4.x with VMware Server 3.x.
Inside the VM run an Oracle Database and a WebLogic Server, and I need to access the WebLogic administrative interface and the applications running on it from another computer that is part of the Oracle internal network.
If I start the VM with its network interface in "bridged" mode, the VM doesn't get any IP address via DHCP. If I try to manually assign an IP address to it, the network doesn't work, most probably because of some security rules enforced by the local SA.
If I start the VM with its network interface in NAT mode, the internal applications fail to start with network socket errors.
The only way to start the VM and the applications running inside it without errors is "host-only" network mode, but then the applications are not available from any machine other than the one this VM runs on.
So I guess that the easiest way to solve this problem would be to create some iptables rules so that all HTTP/HTTPS/SSL traffic arriving on certain ports of the physical machine's network interface is forwarded to the VM's host-only network interface.
I do not have enough knowledge of iptables rules, and I know this is quite a huge subject, so starting to learn it now would take some days, which I cannot afford right now...
Is someone with more knowledge on the subject able to help me here?
Thanks and Regards
Serban

Can you get in touch with your local SA to see if there are any policy or network security restrictions that apply? DHCP is not a good solution for your situation anyway, and I would not bother to set up a firewall with dynamic port forwarding and proxying to bypass networking restrictions. I think the most, if not the only, feasible option to make your VM talk to the outside world is to set up your VM in bridged network mode, so that the VM interface can broadcast at the same level as your host interface. Besides, your current external network security may prevent routing any IP address other than the one of your host computer, in which case you will be able to access your VM only from within your host computer regardless.
If you cannot work out a static IP address or direct access to your VM from outside, perhaps simple port forwarding may work in your case, which will automatically forward all traffic to a certain port on your host computer to the network of your VM, but then you won't be able to choose.
Edited by: Dude on Nov 12, 2010 7:14 AM
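As an added example (not part of the original thread), this is the shape the iptables port forwarding Serban asks about would take: connections arriving on the host's physical NIC for the WebLogic ports are DNATed to the VM on the host-only network, and only from the network that is supposed to reach them. The interface names (eth0, vmnet1), the VM address (192.168.126.10), the allowed client range (10.0.0.0/8) and the ports (7001 for the WebLogic admin console, 443 for HTTPS) are assumptions; the script prints the rules unless run with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original thread): expose a VM on a VMware
# host-only network by DNATing selected TCP ports from the host's physical NIC
# to the VM. Every name and address below is an assumption for illustration.
# Usage: sh vm-forward.sh            # dry-run: prints the rules it would load
#        sh vm-forward.sh --apply    # load them (run as root)
set -u

EXT_IF="${EXT_IF:-eth0}"                  # host's physical NIC (assumed)
VM_IF="${VM_IF:-vmnet1}"                  # VMware host-only interface (assumed)
VM_IP="${VM_IP:-192.168.126.10}"          # VM's address on that network (assumed)
ALLOWED_SRC="${ALLOWED_SRC:-10.0.0.0/8}"  # clients allowed in (assumed); never 0.0.0.0/0
PORTS="${PORTS:-7001 443}"                # 7001 = WebLogic admin console, 443 = HTTPS

dry_run() { printf '%s\n' "$*"; }         # prints the command instead of running it
IPTABLES="${IPTABLES:-dry_run}"           # --apply switches this to iptables
SYSCTL="${SYSCTL:-dry_run}"

ipt() { "$IPTABLES" "$@"; }

# DNAT + FORWARD rules for one TCP port.
forward_port() {
    port="$1"
    # Rewrite the destination of inbound connections to the VM. Limiting the
    # source keeps the admin console off networks the SA has not allowed.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -s "$ALLOWED_SRC" -p tcp --dport "$port" \
        -j DNAT --to-destination "$VM_IP:$port"
    # Let the rewritten packets cross FORWARD, whose default policy may be DROP.
    ipt -A FORWARD -i "$EXT_IF" -o "$VM_IF" -d "$VM_IP" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

setup_forwarding() {
    # Without this the kernel drops everything not addressed to itself.
    "$SYSCTL" -w net.ipv4.ip_forward=1
    # Replies for connections accepted above.
    ipt -A FORWARD -i "$VM_IF" -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A host-only VM normally has no default gateway, so it cannot answer a
    # 10.x.x.x client on its own. Masquerading on the host-only side makes the VM
    # see the host as the client; the price is that WebLogic's access logs show
    # the host's address instead of the real client. The alternative is to set
    # the VM's default route to the host's vmnet1 address and drop this rule.
    ipt -t nat -A POSTROUTING -o "$VM_IF" -d "$VM_IP" -j MASQUERADE
    for p in $PORTS; do
        forward_port "$p"
    done
}

# After --apply: 0 if the NAT table really carries the DNAT rule for port $1.
# Skipped in dry-run mode. Uses -L rather than -S so it works on old iptables.
check_rule_loaded() {
    [ "$IPTABLES" = dry_run ] && return 0
    "$IPTABLES" -t nat -L PREROUTING -n | grep -q "dpt:$1 .*to:$VM_IP:$1"
}

if [ "${1:-}" = "--apply" ]; then
    IPTABLES=iptables
    SYSCTL=sysctl
fi
setup_forwarding
for p in $PORTS; do check_rule_loaded "$p" || echo "rule for port $p missing" >&2; done
```

Before relying on it, check `iptables -L FORWARD -n` for the chain's default policy and any earlier rule that would swallow the traffic, and confirm with the SA that the host itself is allowed to accept connections on those ports; a DNAT rule cannot get traffic past a restriction applied upstream of the host.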

Similar Messages

  • Best Practice on Not Exposing your internal FQDN to the outside world

    Exchange Server 2010 sits in a DMZ, internet facing. The server is currently using the Default Receive Connector. This exposes the internal FQDN to the outside world (EHLO). Since you should not (can't) change the FQDN on your Default Receive Connector, what is the best practice here?
    The only solution I can see is the following:
    1. Change the Network on the Default Receive Connector to only internal IP addresses.
    2. Create a new Internet Receive Connector on port 25 for external IP addresses (not sure what to put in the Network tab?) and use my external FQDN for EHLO responses (e.g. mail.domain.com)
    3. What do I pick for Auth and Permissions, TLS and Anonymous only?
    Michael Maxwell

    Yes, it fails PCI testing/compliance. I shouldn't be able to see my internal server and domain. I understand that is the recommendation, but my client doesn't want to host in the cloud or go with a Trend IHMS (trust me, I like that better, but it's not my choice). I have to work with the deck of cards dealt to me. Thanks, just want a solution with what I have now.
    Michael Maxwell
    Understand. I won't go into the value of those tests :)
    If the customer is really concerned about exposing the internal name, then create a new receive connector with a different FQDN (and corresponding cert) for anonymous connections as you mention above. Know that it also means internal clients can connect to the server on port 25 as well if you don't have the ability to scope to a set of IP addresses (i.e. an SMTP gateway).
    The internal names of the servers will also be in the internet headers of messages sent out:
    http://exchangepedia.com/2008/05/removing-internal-host-names-and-ip-addresses-from-message-headers.html
    http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2007/SecurityMessageHygiene/HowtoremoveinternalservernamesandIPaddressesfromSMTPheaders.html

  • How to expose a web service to the outside world?

    Hello,
    I have created a Web service from a Session bean and successfully published it on one of my UDDI registries using the Admin tool.
    At this point, what do I need to do further in order to expose this Web service not just in our LAN but to the outside world?
    Roy

    Of course it should be published in UDDI.
    Four play  key roles in Web services: Universal Description, Discovery and Integration (UDDI), Web Services Description Language (WSDL), Web Services Inspection Language (WSIL), SOAP, and Web Services Interoperability (WS-I).
    The UDDI specification defines open, platform-independent standards that enable businesses to share information in a global business registry, discover services on the registry, and define how they interact over the Internet.
    See this link too:
    http://help.eclipse.org/help32/index.jsp?topic=/org.eclipse.jst.ws.consumption.ui.doc.user/concepts/cwsdlud.html
    Regards, Suresh KB

  • Make WSUS accessible over the web

    We're in the process of deploying WSUS on Windows 2012 R2 in our environment and I have a question regarding access over the web... I would like to provide clients with the ability to access the update server regardless of whether they are connected to the company internal network. I see that the standard GPO settings call for the following, and in our lab it is working fine, on the same internal network.
    Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update
    Specify intranet Microsoft update service location
    Set the intranet update service for detection updates:
    http://serverhostname:5830
    Set the intranet statistics server: http://serverhostname:5830
    So, If I wanted to change this to HTTPS and make it accessible over the web, based on my experience with Windows Server the steps would look something like this:
    1. Create Internal and external DNS record that will resolve the internal IP address of the WSUS server and the External IP address of the WSUS server.  wsus.domain.com for example.
    2. Purchase a Godaddy or competing certificate from a public store and install it for the default site in IIS. Configure HTTPS bindings to answer on port 5830.
    3. Configure GPO mentioned above to utilize
    https://wsus.domain.com:5830
    ~~~~~~~~~~~~~~~~~
    Seems pretty straightforward... However, I am wondering if this configuration is supported, recommended, or if anyone else out there has it configured in this way? Our deployment will service approximately 300 workstations from a single installation at our datacenter. Any insight or recommendations would be greatly appreciated. Thank you!
    Adam Tyler / [email protected]

    Specify intranet Microsoft update service location
    Set the intranet update service for detection updates:
    http://serverhostname:5830
    Set the intranet statistics server: http://serverhostname:5830
    Actually it's port 8530.
    So, If I wanted to change this to HTTPS and make it accessible over the web, based on my experience with Windows Server the steps would look something like this:
    1. Create Internal and external DNS record that will resolve the internal IP address of the WSUS server and the External IP address of the WSUS server.  wsus.domain.com for example.
    2. Purchase a Godaddy or competing certificate from a public store and install it for the default site in IIS. Configure HTTPS bindings to answer on port 5830.
    3. Configure GPO mentioned above to utilize
    https://wsus.domain.com:5830
    ~~~~~~~~~~~~~~~~~
    Seems pretty straightforward...
    That part is, yes. :)
    However I am wondering if this configuration is supported, recommended, or if anyone else out there has it configured in this way?
    It's not supported. It's not recommended, as described, although you're well on your way. And, the real kicker.. strictly speaking, it's not licensed for use in that manner. Let me e'splain why.
    The licensing for WSUS restricts its use to only clients that are licensed to the entity operating the WSUS server. As such client identity is a key component of strict licensing compliance.
    While server-side SSL certainly ensures the client only connects to an authorized server, it does not identify the client, nor restrict the client by known identity, and it wouldn't even prevent an unauthorized client from accessing that server -- all that's needed is a copy of the CER. So there's that, which is probably not a deal killer, even considering the strictest interpretation of the licensing, because the risk is fairly low, and MS really isn't going to chase you down because you *might* be capable of offering services to unlicensed client systems.
    Here's the real risk: access to the SSL certificate would also permit a rogue downstream server to dump your complete collection of updates, groups, and approvals to itself, effectively giving the operator of that rogue server information about what security updates are approved, and when they were approved, but also which updates are NOT approved -- which offers up some sensitive information about existing vulnerabilities in those workstations. In effect, security of the public certificate becomes paramount.
    More significantly, someone using the API can dig out even more sensitive information about client computers, actual installations, etc. without even setting up a WSUS server; all they need is a working API installation (which can be done on any desktop operating system).
    SSL is definitely the minimum requirement for this type of deployment, but in conjunction with making the client services available via SSL, you'll also want to BLOCK access to /DssAuthWebService, /ServerSyncWebService, and /ApiRemoting30 via the firewall.
    Blocking /ApiRemoting30 is fairly straightforward as it requires an authenticated connection anyway, so mostly that's a matter of properly securing the server logons, but downstream server sync is anonymous by default, so you'll want to configure required authentication for downstream servers. You won't have any, of course, but that will also preclude the possibility of any. Configuring DSS Authentication is discussed in the WSUS Deployment Guide in TechNet.
    Having said all of that, the conventional way in which WSUS services have been made available to Internet-based clients is via VPN using a replica server without a content store. VPN-based clients get approvals from the replica WSUS server, but then download content direct from Microsoft. The client installs updates when downloads are complete.
    VPN is a headache for a lot of orgs, though, and it requires active participation on the part of the computer user, which sometimes impedes successful deployment of updates in a timely manner.
    The ideal methodology, but also a PITA to set up, would be to access that WSUS server via an IPSec-encrypted Direct Access connection. This eliminates the end-user from the process, and ensures client identity through IPSec/DA authentication.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)

  • Security: Portlets visible to the outside world?

    When I deploy portlets to a oc4j instance managed by the applicationserver it seems that the url of the webapplication is automatically visible through the ora http server. Since my webapplications only contain portlets that should be accessed by the portal, how do I prevent the outside world from sending request directly to the webapplication?

    You have used some very general terms in your question but I will attempt to reply with some caveats.
    Generally speaking, most remote access VPNs use private addresses which are translated using NAT when traffic leaves the protected (internal) network en route to a public server, such as a web server on the Internet. Your address appears to the remote server as one of the addresses from the NAT pool (or sometimes the outside interface) of the VPN concentrator or firewall that is performing that function.
    You can always check your address as it appears to the outside by browsing to something like http://whatismyip.com

  • Relay Mail from FAX Machine to the Outside World via GMAIL

    Hey everyone, I am not really sure I am in the right place here, but I am tired of running into a brick wall over this issue.
    Here is my basic issue:
    I have a fax machine that supports a functionality known as Fax to email. The machine is new, but Ricoh (5510nf) does not seem to be up on things when it comes to configuration.
    The machine does not support SSL authentication, and for that matter I believe it requires an open relay to work (that is what Ricoh told me).
    So what I need is for the fax machine to use the OS X mail services (or any service/program...) to send a scanned image over the net to the recipient's address. So I log into the fax machine via its internal address, and the settings of the fax machine include the following:
    SMTP Server:
    POP Server:
    Host Name:
    E-Mail Address:
    Domain Name:
    Account Name:
    Password:
    Reception Interval(min.)
    At first I thought this was going to be a no brainer, but it turns out that I am the no brainer.
    The OS X Server is not really setup to do anything but serve files right now. It is not setup with DNS or other such services.

    According to the available parameters you posted, the Fax machine supports authentication. This should be good enough to send through a mail server. It certainly does not require an open relay to send.
    However, given that gmail requires SSL, you are indeed stuck. That said, I am not sure setting up your own mail server just for this makes lots of sense. Running a mail server has implications. You need to secure it to make sure it is not abused and it also requires a certain amount of maintenance.
    I would rather try and use your ISP's SMTP server. Most likely they allow for sending without SSL and with authentication. Should this not be an option (unlikely), report back and I can try and help you to get your mail server up and running.
    HTH,
    Alex

  • Where to store configuration about the outside world?

    I have an ABAP report that writes files to a network share. I would like to store the information in a way that it won't get transferred to the QA system during a system copy. How do you keep this kind of configuration outside of the database? Is there a standard way?
    Thanks.

    Hi Igal,
    I think you create a param table in the DEV system, then you just shouldn't import it to QUA. Configuration copy should not apply here, as it is still part of development.
    If this doesn't work you can hardcode a system check inside the report. There are system variables like sy-syst or similar (can't remember the exact sy- names now) which store the name of the system, type, and client. I think by checking them inside a program you can omit the place where you call your production path on the QUA system side.
    Regards
    Marcin

  • [solved] Postfix smtp filtered to the outside world

    Hi,
    I set up postfix+dovecot successfully except postfix smtp. I can't connect to smtp from a remote network. nmap shows:
    25/tcp filtered smtp
    When I connect to VPN on the same VPS running postfix, everything works. What could be behind this other than iptables? (I don't have any rules relevant to this set)
    Last edited by Nezmer (2010-01-02 14:32:21)

    Fixed running smtps.

  • JDEV 10.1.3 and the outside world

    This version of JDEV is excellent when working within a database framework. In fact it is too good, with very little documentation to cover all of the possibilities. But it appears to be database bound.
    Can someone tell me, point me to, or reference if and how well JDEV can be used to communicate with other applications, external i/o data streams, XML translation, etc.
    I'm trying to decide if this is the right environment for a new project or if another IDE like VS.NET or Borland would be more appropriate. I've used them all but have the least experience with JDEV and its capabilities.
    Thanks
    Mike

    Beyond excellent interaction with database oriented application, JDeveloper also has great features for working with other data sources.
    For example you can create data controls for: Web services, XML files, and any Java class. These will allow you to use the drag and drop data binding with these data sources as well.
    Here is a sample of how a Web service can be used in an ADF based application:
    http://www.oracle.com/technology/products/jdev/viewlets/1013/WebServicesAndADF_viewlet_swf.html
    For more information you might want to read the ADF Developer Guide:
    For example the chapter about Web services data controls:
    http://www.oracle.com/webapps/online-help/jdeveloper/10.1.3/state/content/navId.4/navSetId._/vtAnchor.CJAJGIEB/vtTopicFile.adfdevguide%7Cweb_services%7Ehtm/

  • Why can't quicktime streaming server get to the outside world?

    I cannot get quicktime streaming server to go out to the web. Everyone on the other end gets connection failed. I have my firewall on my server temporarily turned off. It works fine on the LAN. Please give me some ideas.

    Firefox can't establish a connection to the server at upload.xvideos.com.
    How do I fix this

  • Relay settings to get mail from the outside world

    Hello. First, let me say - I'm a mail newbie, so be gentle.
    I've just recently set up my mail server, and I am having an issue where I can receive mail from some people and not from others. Those who cannot send me mail get an error about the relay not accepting it. In server admin, I have checked accept SMTP relays only from these hosts and networks, and I have put in 127.0.0.1/32 and my server's ip/32 (at the advice of apple tech support when I was configuring mail). Is something missing here that would allow me to receive mail from anyone? Thanks in advance for any help.

    Here you go. Thank you.
    Admin$ postconf -n
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter =
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    enable_server_options = yes
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailbox_transport = cyrus
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    message_size_limit = 10485760
    mydestination = $myhostname,localhost.$mydomain,localhost,brainart.biz,www.artsmiths.biz,artsmiths.biz,www.brainart.biz,mail.artsmiths.biz,smtp.artsmiths.biz,mail.brainart.biz,smtp.brainart.biz
    mydomain = artsmiths.biz
    mydomain_fallback = localhost
    myhostname = artsmiths.biz
    mynetworks = 127.0.0.1/32,70.90.83.165/32
    mynetworks_style = host
    newaliases_path = /usr/bin/newaliases
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_pw_server_security_options = none
    smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,permit
    smtpd_sasl_auth_enable = no
    smtpd_tls_key_file =
    smtpd_use_pw_server = no
    unknown_local_recipient_reject_code = 550
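    The setting that decides who may relay through a Postfix server is the restriction list, not mynetworks alone: Postfix walks smtpd_recipient_restrictions (smtpd_relay_restrictions on 2.10 and later) left to right and the first matching permit_* or reject_* wins, so reject_unauth_destination must come before any unconditional permit, and permit_mynetworks is only as safe as the mynetworks it refers to. The check below, an added example that is not part of the thread, audits a `postconf -n` dump for exactly that. It assumes a parameter absent from `postconf -n` is at its compiled-in default (permit_mynetworks, reject_unauth_destination for both lists); the three sample dumps are constructed, the first mirroring the settings posted above.

```shell
#!/bin/sh
# Added example (not part of the thread): audit a `postconf -n` dump for the
# Postfix relay-control invariant. A restriction list is evaluated left to
# right and the first permit_*/reject_* that matches decides, so an open relay
# is any list where a blanket "permit" precedes reject_unauth_destination, or
# one where permit_mynetworks is backed by a wide-open mynetworks.
set -u

# $1 = dump text, $2 = parameter name; prints the value or nothing.
postconf_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F' = ' '$1 == key { print $2; exit }'
}

# $1 = comma/space separated restriction list. 0 = strangers cannot relay.
restrictions_ok() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            reject_unauth_destination|defer_unauth_destination) return 0 ;;
            permit) return 1 ;;   # blanket permit before the reject: open relay
            *) ;;                 # scoped permits (mynetworks, SASL, TLS certs) and
                                  # check_*_access tables are not inspected here
        esac
    done
    return 1                      # no reject_unauth_destination at all
}

# $1 = mynetworks value. 0 unless it contains an "everyone" network.
mynetworks_ok() {
    for net in $(printf '%s' "$1" | tr ',' ' '); do
        case "$net" in 0.0.0.0/0|0/0|\[::\]/0) return 1 ;; esac
    done
    return 0
}

# $1 = full dump. 0 = relay policy looks sane, 1 = open relay risk.
audit_dump() {
    dump="$1"
    list=$(postconf_get "$dump" smtpd_relay_restrictions)          # Postfix >= 2.10
    [ -n "$list" ] || list=$(postconf_get "$dump" smtpd_recipient_restrictions)
    [ -n "$list" ] || list="permit_mynetworks, reject_unauth_destination"  # compiled-in default (assumed)
    restrictions_ok "$list" || return 1
    nets=$(postconf_get "$dump" mynetworks)
    # An absent mynetworks is derived from mynetworks_style, not checked here.
    [ -z "$nets" ] || mynetworks_ok "$nets" || return 1
    return 0
}

# Constructed samples. The first mirrors the settings posted above.
SAMPLE_POSTED='mynetworks = 127.0.0.1/32,70.90.83.165/32
mynetworks_style = host
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,permit'
SAMPLE_PERMIT_FIRST='mynetworks = 127.0.0.1/32
smtpd_recipient_restrictions = permit,reject_unauth_destination'
SAMPLE_WIDE_OPEN='mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks,reject_unauth_destination'

report() { if audit_dump "$2"; then echo "$1: ok"; else echo "$1: OPEN RELAY RISK"; fi; }
report posted "$SAMPLE_POSTED"
report permit-first "$SAMPLE_PERMIT_FIRST"
report wide-open "$SAMPLE_WIDE_OPEN"
# Against a live server:  report live "$(postconf -n)"
```

    The posted list passes: permit_mynetworks only covers the two listed hosts, and reject_unauth_destination then rejects relaying for everyone else while still accepting mail whose recipient domain is in mydestination. What the check does not cover is anything hidden behind access tables or SASL policy, so treat a pass as "no obvious open relay", not as a full audit.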

  • Computer Not Visible to Outside World

    How do I retain my computer's unique IP address following the addition of an AirPort Extreme base station?
    WIRED SETUP: Telephone line --> DSL modem --> AirPort Extreme --> Ethernet port on back of G5
    My computer has always had a unique IP address. This allows me to connect to my computer when I'm on-the-road traveling, etc. (via Timbuktu or FTP).
    Now that I've set up the AirPort Extreme base station, my base station has been given a unique, static IP but my computer is now dependent on DHCP for its IP address allocation. As far as I can tell, this renders my computer inaccessible from the outside world.
    How do I configure this so that I'm able to retain the benefits of the AirPort Extreme (using it to broadcast a wireless Internet connection) while ALSO keeping my G5 (see "WIRED SETUP" above) completely accessible to the outside world? Thanks!
    Dual 1.8GHz G5 (rev B)   Mac OS X (10.4.4)  

    Disabling distribute DHCP address won't work for your situation. Since you want to continue to use the wireless connection in addition to the G5 wired computer, you will need to still distribute IP addresses on the AEBS.
    As a solution, SurferLeo v.0, you can set up port forwarding on the base station. In effect, while you're on the road, you would attempt to connect to your public IP address (the one given by your DSL modem; the IP address given to your AEBS). Then, port forwarding would forward that traffic to the specific private IP address specified in the port forwarding settings.
    So, given that your public IP is x.x.x.x and that your G5's IP is 10.0.0.2 (or whatever), you would configure the AEBS to forward port numbers A, B, and C to 10.0.0.2 - where "A, B, and C" are the port numbers for the specific task you are performing.
    This site discusses setting up port forwarding.
    Here's a list of common port numbers.
    Various Macs and PC's   Mac OS X (10.4)  

  • [SOLVED] Creating an invisible-to-the-outside network with Arch

    Hi All,
    I want to create an internal network to share access to a larger business network and to the outside world.
    Essentially, I want to create a small network that is invisible to the other machines and routers of our network, but which shares all ports.  My current thinking right now is to buy a network card for my desktop, connect it to a wifi router(specifically this one as it has enough power to reach a few rooms over), and create a wifi network with a hidden-SSID.
    I will then set up port forwarding on my desktop to share my primary ethernet network with the wifi network on my other ethernet card.
    I don't know very much about networking though, so I want to know if this setup will be visible to the greater network, or if it will be hidden?  Also, is that a good wifi router to get for this purpose, and does it matter which ethernet card I get?
    Thanks for your help with this, I realize this a pretty disjointed question - with hardware, software, and random networking questions all mixed together.
    -Mike
    Last edited by MikeDacre (2014-10-14 16:10:35)

    This is actually very simple to do. The wifi router I mentioned in my previous post works well, and any old ethernet card with a chipset supported by the current kernel (most of them), will work too. Then all you do is connect the server to the 'modem' port of the router via an ethernet cable, and configure some sort of dhcp server like dhcpd or dnsmasq to give the wifi router an IP. To share the internet with it, forward your internet connection with iptables and you are good. If you want to also connect to the wifi with the server - for example because that makes file sharing easier - then you need to be a little careful with your routing table to make sure you don't try to connect to the net via the wifi connection.
    Most routers support hidden SSIDs, just log in to the router and configure that directly.
    Hey presto, you are done, you have a hidden wifi network that allows other machines to connect to the net through your server.
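    The procedure in the reply above (DHCP for the inner side, forwarding with iptables, and care with the routing table) as one script, added here as an example and not taken from the thread. Interface names and addresses are assumptions: eth0 faces the business LAN, eth1 is cabled to the WAN/"modem" port of the wifi router, and the inner network is 192.168.50.0/24 with the server at .1. It prints what it would do unless run with `--apply`.

```shell
#!/bin/sh
# Added example (not from the thread): make an Arch server with two NICs the
# masquerading gateway for a second network. Every name and address here is an
# assumption for illustration.
# Usage: sh share-uplink.sh            # dry-run, prints what would be done
#        sh share-uplink.sh --apply    # load it (run as root)
set -u

UPLINK="${UPLINK:-eth0}"                 # towards the business LAN (assumed)
LAN_IF="${LAN_IF:-eth1}"                 # towards the wifi router's WAN port (assumed)
LAN_NET="${LAN_NET:-192.168.50.0/24}"    # inner network (assumed)
LAN_GW="${LAN_GW:-192.168.50.1}"         # this server's address on it (assumed)

dry_run() { printf '%s\n' "$*"; }
IPTABLES="${IPTABLES:-dry_run}"
SYSCTL="${SYSCTL:-dry_run}"
ipt() { "$IPTABLES" "$@"; }

# dnsmasq settings for the inner interface only. Printed rather than written,
# so a dry run touches nothing; append the output to /etc/dnsmasq.conf.
dnsmasq_conf() {
    cat <<EOF
# serve DHCP/DNS on the inner interface only, never on the business LAN
interface=$LAN_IF
bind-interfaces
except-interface=$UPLINK
dhcp-range=${LAN_NET%.*}.50,${LAN_NET%.*}.150,12h
dhcp-option=option:router,$LAN_GW
EOF
}

nat_rules() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
    # Inner hosts leave through the server's own address, so the rest of the
    # business network only ever sees the server.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$UPLINK" -j MASQUERADE
    # Forward only inner -> uplink plus replies. This DROP policy, not the
    # hidden SSID, is what keeps the business LAN from reaching the inner hosts.
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$LAN_IF" -o "$UPLINK" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$UPLINK" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # dnsmasq (DHCP + DNS) reachable from the inner side only.
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
}

# The routing caveat from the reply: if the server also joins the wifi it must
# not pick up a default route through it. $1 = output of `ip route show default`;
# 0 when every default route leaves via the uplink.
default_routes_via_uplink() {
    printf '%s\n' "$1" | awk -v dev="$UPLINK" '
        /^default/ { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) != dev) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

if [ "${1:-}" = "--apply" ]; then
    IPTABLES=iptables
    SYSCTL=sysctl
fi
nat_rules
echo "# dnsmasq settings for the inner side:"
dnsmasq_conf
```

    After applying, run `default_routes_via_uplink "$(ip route show default)"` whenever the server's wifi client comes up; a second default route with a lower metric through wlan0 is exactly the failure the reply warns about. A hidden SSID only stops the network name from being broadcast; clients still transmit it, so the separation here comes from the DROP policy and the masquerade, not from hiding the name.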

  • Speed problems to outside world FIXED

    For those of you who have noticed that your connection rates to the outside world have dropped when using your N connection. I have found the solution.
    For reference, here are the results that I was getting using the speak-easy connection rate tester:
    G:
    Last Result:
    Download Speed: 6028 kbps (753.5 KB/sec transfer rate)
    Upload Speed: 353 kbps (44.1 KB/sec transfer rate)
    N:
    Last Result:
    Download Speed: 971 kbps (121.4 KB/sec transfer rate)
    Upload Speed: 357 kbps (44.6 KB/sec transfer rate)
    As you can see - simply switching from G to N was causing a huge drop in my connection rate.
    So all I did was go into my network settings on my client - and clicked 'configure IPv6' - and then turned it to OFF. Here are my results now over the N network:
    Last Result:
    Download Speed: 5925 kbps (740.6 KB/sec transfer rate)
    Upload Speed: 335 kbps (41.9 KB/sec transfer rate)
    Fixed. Turn off IPv6 - its clear that Apple has some issues to work out with their driver.

    First off it should be noted that "off" = link-local only. If you really want it off, turn it off on the desktops too, just to remove the seek overhead.
    The new Extreme is the first Apple Product with IPv6 support so hence the new variable...
    1) Does your carrier support ipv6 yet; if not you probably haven't seen the problem.
    2) Are you using PPPoE? If you are, IPv6 will really hose the connection up.
    It's not so much an Apple Problem as it is a carrier problem. The IPv6 stuff will cause problems with speed if they have to push the node links up several levels from local carrier. Think of it like trying to use a DNS server that is a long ways off at another carrier; the added latency makes the speed stink.
    From local experience in my neck of the woods: IPv6 with Time Warner, no problem. With SBC, big problems. With PPPoE, big problems. I can test the same configuration with a dd-wrt upgraded Linksys and I see the same slowdowns with IPv6 that everyone is reporting on the Extreme.
    IMHO.... Apple made a poor choice shipping with that feature on......
    Probably the typical engineer conversation when something like this....
    (Despised Engineer): Hey guys I got a great idea; let's add IPv6 to the router and make it default to on.
    (Coworkers): Yeah! great idea You run with that! we'll make sure you get all the credit.

  • Different Business Cases where SAP needs to be Integrated with the outside world

    Hello Experts,
    Can I get some info on where SAP R/3 needs to be integrated with the outside world (business flows) that are most commonly used in all industrial sectors.
    Integration either with XI/PI or any other integration tools in the market.
    Thanks & Regards,
    Srikanth

    Dear Srikanth,
    Please go through the link:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/46d6c25d-0b01-0010-06a9-8e8218753c02
    Traditionally, integrating SAP applications with the outside world used to be extremely difficult, due to limited interfacing provided by SAP. EAI vendors like IBM and webMethods addressed this business need, providing SAP adapters as part of their integration offerings. Recently, SAP has also addressed this issue through its SAP NetWeaver/XI offering.
    Please let me know in case of any specific queries.
    Regards,
    Rakesh
