5 Aug
2019
5 Aug
'19
11:03 a.m.
cel is in town and wants to set up a scuttlebutt pub at sudo room. I
have no problem with him having root access on our gateway and letting
him set it up as its own user.
If no-one has objections I'll grant him access.
6 Aug
6 Aug
4:19 p.m.
Hi sudo-sys,
Thanks Marc for sharing this idea. Yes, I would like to set up a Scuttlebutt node at Sudo
Room. I would like it to be on the same LAN as the Omni Commons AP, so that people in the
space can discover it via UDP broadcast. Where would be a good place to put this?
Sincerely,
~cel
7 Aug
7 Aug
12:59 a.m.
On Tue, Aug 6, 2019 at 4:19 PM <cel(a)celehner.com> wrote:
I would suggest space.local, it's the closest thing we have to a shell
server. However, be warned that this is an old machine running Ubuntu
14.04 (EOL) and I plan to replace it as soon as somebody can find some
better hardware with more reasonable power consumption.
I'd be fine trusting you with access to the gateway machine if you
want, but I think it would be best if we kept it as strictly a gateway
machine rather than have it turn into another generic shell server.
Send me an ssh key (rsa cuz it's old) and I'll send you instructions.
8 Aug
8 Aug
11:03 a.m.
Thanks Yar for helping me get this set up. A scuttlebutt instance (ssb-server) is now
running at ssb(a)space.local.
Could we get port 8008 forwarded to this server from WAN?
Another issue: the server is on the Wired subnet, so it is not discoverable by peers on
the WiFi subnet. It should be discoverable over WiFi to be most useful. To make this peer
discovery work, would it be feasible to forward UDP broadcast packets between the subnets
(or just from Wired to WiFi)? Alternatively, a script could run on the WiFi subnet to send
the periodic UDP broadcast packets advertising the ssb-server at space.local. Could such a
script run on the gateway server?
--
~cel
On Wed, 7 Aug 2019 00:59:42 -0700
Yardena Cohen <yardenack(a)gmail.com> wrote:
9 Aug
9 Aug
5:10 p.m.
New subject: Adding Scuttlebutt to sudo gateway (Firewall changed)
Changes to firewall:
- Removed port forwards for old SSB pub device
- Added port forward for SSB server on space.local
- Bridge SSB broadcast packets from Wired subnet to WiFi subnet, allowing peers on WiFi to
discover the ssb-server on space.local.
- Removed interface filter for port forwards, allowing e.g. SSH to 142.254.26.9:60643 to
work from the WiFi subnet (still does not work from the Wired subnet), instead of only
from the Internet.
- Fix accepting mosh ports (60000-61000), allowing mosh to work from Internet to
space.local.
Diff:
--- rules.v4-orig 2019-08-09 12:04:34.677178824 -0700
+++ /etc/iptables/rules.v4 2019-08-09 16:52:33.241820114 -0700
@@ -6,20 +6,16 @@
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j SNAT --to-source 142.254.26.9
-# 5 port forward rules: ssb & ssh to jefdajs raspberry pi server
--A PREROUTING -p udp -m udp -i enp3s0 -d 142.254.26.9 --dport 8007 -j DNAT
--to-destination 192.168.42.22:8007
--A PREROUTING -p udp -m udp -i enp3s0 -d 142.254.26.9 --dport 8008 -j DNAT
--to-destination 192.168.42.22:8008
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 8007 -j DNAT
--to-destination 192.168.42.22:8007
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 8008 -j DNAT
--to-destination 192.168.42.22:8008
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 6492 -j DNAT
--to-destination 192.168.42.22:22
# 4 port forward rules: ssh & mosh to space.local
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 60643 -j DNAT
--to-destination 192.168.42.2:60643
--A PREROUTING -p udp -m udp -i enp3s0 -d 142.254.26.9 --dport 60000:61000 -j DNAT
--to-destination 192.168.42.2:60000-61000
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 60643 -j DNAT --to-destination
192.168.42.2:60643
+-A PREROUTING -p udp -m udp -d 142.254.26.9 --dport 60000:61000 -j DNAT --to-destination
192.168.42.2:60000-61000
+# 1 port forward rule: ssb to space.local
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 -j DNAT --dport 8008 --to-destination
192.168.42.2:8008
# 3d printer:
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 8081 -j DNAT
--to-destination 100.64.64.20:8081
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 8081 -j DNAT --to-destination
100.64.64.20:8081
# liquid-handling robot:
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 46698 -j DNAT
--to-destination 100.64.64.100:8080
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 46699 -j DNAT
--to-destination 100.64.64.100:22
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 46698 -j DNAT --to-destination
100.64.64.100:8080
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 46699 -j DNAT --to-destination
100.64.64.100:22
COMMIT
*filter
:INPUT DROP [0:0]
@@ -46,12 +42,8 @@
-A FORWARD -i enp3s2 -o enp3s0 -j ACCEPT
-A FORWARD -i enp3s2 -o enp0s25 -j ACCEPT
-A FORWARD -i enp0s25 -o enp3s2 -j ACCEPT
--A FORWARD -p udp -d 192.168.42.22 --dport 8007 -j ACCEPT
--A FORWARD -p udp -d 192.168.42.22 --dport 8008 -j ACCEPT
--A FORWARD -p tcp -d 192.168.42.22 --dport 8007 -j ACCEPT
--A FORWARD -p tcp -d 192.168.42.22 --dport 8008 -j ACCEPT
--A FORWARD -p tcp -d 192.168.42.22 --dport 22 -j ACCEPT
--A FORWARD -p udp -d 192.168.42.2 --dport 60001 -j ACCEPT
+-A FORWARD -p tcp -d 192.168.42.2 --dport 8008 -j ACCEPT
+-A FORWARD -p udp -d 192.168.42.2 --dport 60000:61000 -j ACCEPT
-A FORWARD -p udp -d 192.168.42.2 --dport 60643 -j ACCEPT
-A FORWARD -p tcp -d 192.168.42.2 --dport 60643 -j ACCEPT
-A FORWARD -p tcp -d 100.64.64.20 --dport 8081 -j ACCEPT
@@ -73,6 +65,7 @@
-A open -p udp -m udp --dport 67 -j ACCEPT
-A open -p tcp -m tcp --dport 80 -j ACCEPT
-A open -p tcp -m tcp --dport 443 -j ACCEPT
+-A open -p tcp -m tcp --dport 8008 -j ACCEPT
-A open -p tcp -m tcp --dport 40629 -j ACCEPT
# Port 22 is especially useful for github
-A open-out -p tcp -m tcp --dport 22 -j ACCEPT
@@ -82,5 +75,15 @@
-A open-out -p tcp -m tcp --dport 443 -j ACCEPT
-A open-out -p udp -m udp --dport 67 -j ACCEPT
-A open-out -p udp -m udp --dport 68 -j ACCEPT
+-A open-out -p udp -m udp --dport 8008 -j ACCEPT
-A open-out -m owner --uid-owner yar -j ACCEPT
COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+# bridge ssb peer discovery broadcast packets from Wired subnet to WiFi subnet
+-A INPUT -i enp0s25 -d 255.255.255.255 -p udp -m udp --dport 8008 -j TEE --gateway
100.64.67.255
+COMMIT
On Thu, 8 Aug 2019 08:03:04 -1000
cel(a)celehner.com wrote:
2077
days inactive
2082
days old
7 comments
4 participants
participants (4)
-
cel@celehner.com -
danarauz@gmail.com -
Marc Juul -
Yardena Cohen