[sudo-sys] Adding Scuttlebutt to sudo gateway (Firewall changed)

cel at celehner.com cel at celehner.com
Fri Aug 9 17:10:44 PDT 2019


Changes to firewall:
- Removed port forwards for old SSB pub device
- Added port forward for SSB server on space.local
- Bridge SSB broadcast packets from Wired subnet to WiFi subnet, allowing peers on WiFi to discover the ssb-server on space.local.
- Removed interface filter for port forwards, allowing e.g. SSH to 142.254.26.9:60643 to work from the WiFi subnet (still does not work from the Wired subnet), instead of only from the Internet.
- Fixed acceptance of mosh ports (60000-61000), allowing mosh to work from the Internet to space.local.

Diff:
--- rules.v4-orig	2019-08-09 12:04:34.677178824 -0700
+++ /etc/iptables/rules.v4	2019-08-09 16:52:33.241820114 -0700
@@ -6,20 +6,16 @@
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -o enp3s0 -j SNAT --to-source 142.254.26.9
-# 5 port forward rules: ssb & ssh to jefdajs raspberry pi server
--A PREROUTING -p udp -m udp -i enp3s0 -d 142.254.26.9 --dport 8007 -j DNAT --to-destination 192.168.42.22:8007
--A PREROUTING -p udp -m udp -i enp3s0 -d 142.254.26.9 --dport 8008 -j DNAT --to-destination 192.168.42.22:8008
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 8007 -j DNAT --to-destination 192.168.42.22:8007
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 8008 -j DNAT --to-destination 192.168.42.22:8008
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 6492 -j DNAT --to-destination 192.168.42.22:22
 # 4 port forward rules: ssh & mosh to space.local
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 60643 -j DNAT --to-destination 192.168.42.2:60643
--A PREROUTING -p udp -m udp -i enp3s0 -d 142.254.26.9 --dport 60000:61000 -j DNAT --to-destination 192.168.42.2:60000-61000
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 60643 -j DNAT --to-destination 192.168.42.2:60643
+-A PREROUTING -p udp -m udp -d 142.254.26.9 --dport 60000:61000 -j DNAT --to-destination 192.168.42.2:60000-61000
+# 1 port forward rule: ssb to space.local
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 -j DNAT --dport 8008 --to-destination 192.168.42.2:8008
 # 3d printer:
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 8081 -j DNAT --to-destination 100.64.64.20:8081
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 8081 -j DNAT --to-destination 100.64.64.20:8081
 # liquid-handling robot:
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 46698 -j DNAT --to-destination 100.64.64.100:8080
--A PREROUTING -p tcp -m tcp -i enp3s0 -d 142.254.26.9 --dport 46699 -j DNAT --to-destination 100.64.64.100:22
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 46698 -j DNAT --to-destination 100.64.64.100:8080
+-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 46699 -j DNAT --to-destination 100.64.64.100:22
 COMMIT
 *filter
 :INPUT DROP [0:0]
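Review bot: the Wired-subnet failure noted in the change list follows from this hunk: with `-i enp3s0` dropped, a Wired client's connection to 142.254.26.9:60643 is DNATed to 192.168.42.2, but the only source NAT is `-A POSTROUTING -o enp3s0 -j SNAT --to-source 142.254.26.9`, so space.local answers the client directly on the shared subnet from its own address and the client discards the reply. A POSTROUTING SNAT (or MASQUERADE) for traffic from the Wired subnet to 192.168.42.2 leaving on the Wired interface would complete the hairpin. Style: the new SSB rule places `--dport 8008` after `-j DNAT`, unlike every other PREROUTING rule here; iptables accepts it because `-m tcp` is already loaded, but write it as `-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 8008 -j DNAT --to-destination 192.168.42.2:8008` for uniformity.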
@@ -46,12 +42,8 @@
 -A FORWARD -i enp3s2 -o enp3s0 -j ACCEPT
 -A FORWARD -i enp3s2 -o enp0s25 -j ACCEPT
 -A FORWARD -i enp0s25 -o enp3s2 -j ACCEPT
--A FORWARD -p udp -d 192.168.42.22 --dport 8007 -j ACCEPT
--A FORWARD -p udp -d 192.168.42.22 --dport 8008 -j ACCEPT
--A FORWARD -p tcp -d 192.168.42.22 --dport 8007 -j ACCEPT
--A FORWARD -p tcp -d 192.168.42.22 --dport 8008 -j ACCEPT
--A FORWARD -p tcp -d 192.168.42.22 --dport 22   -j ACCEPT
--A FORWARD -p udp -d 192.168.42.2 --dport 60001 -j ACCEPT
+-A FORWARD -p tcp -d 192.168.42.2 --dport 8008 -j ACCEPT
+-A FORWARD -p udp -d 192.168.42.2 --dport 60000:61000 -j ACCEPT
 -A FORWARD -p udp -d 192.168.42.2 --dport 60643 -j ACCEPT
 -A FORWARD -p tcp -d 192.168.42.2 --dport 60643 -j ACCEPT
 -A FORWARD -p tcp -d 100.64.64.20 --dport 8081 -j ACCEPT
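Review bot: the context line `-A FORWARD -p udp -d 192.168.42.2 --dport 60643 -j ACCEPT` has no counterpart in the nat table (60643 is DNATed for TCP only) and belongs in the same cleanup that removed the 192.168.42.22 accepts. The new accepts otherwise pair exactly with the DNATs added in the nat hunk (tcp/8008 and udp/60000:61000 to 192.168.42.2).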
@@ -73,6 +65,7 @@
 -A open -p udp -m udp --dport 67 -j ACCEPT
 -A open -p tcp -m tcp --dport 80 -j ACCEPT
 -A open -p tcp -m tcp --dport 443 -j ACCEPT
+-A open -p tcp -m tcp --dport 8008 -j ACCEPT
 -A open -p tcp -m tcp --dport 40629 -j ACCEPT
 # Port 22 is especially useful for github
 -A open-out -p tcp -m tcp --dport 22 -j ACCEPT
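Review bot: `-A open -p tcp -m tcp --dport 8008 -j ACCEPT` opens tcp/8008 on the gateway's own INPUT chain, yet the change list says nothing about an SSB service on the gateway; traffic to 142.254.26.9:8008 from any interface is DNATed away in PREROUTING before INPUT sees it, so this rule only admits connections addressed to the gateway's own internal addresses. Add a comment stating what listens there, or drop the rule, since the `open` chain otherwise lists services the gateway itself runs (67, 80, 443).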
@@ -82,5 +75,15 @@
 -A open-out -p tcp -m tcp --dport 443 -j ACCEPT
 -A open-out -p udp -m udp --dport 67 -j ACCEPT
 -A open-out -p udp -m udp --dport 68 -j ACCEPT
+-A open-out -p udp -m udp --dport 8008 -j ACCEPT
 -A open-out -m owner --uid-owner yar -j ACCEPT
 COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+# bridge ssb peer discovery broadcast packets from Wired subnet to WiFi subnet
+-A INPUT -i enp0s25 -d 255.255.255.255 -p udp -m udp --dport 8008 -j TEE --gateway 100.64.67.255
+COMMIT
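Review bot: the TEE rule only matches announcements sent to the limited broadcast address 255.255.255.255 that arrive on enp0s25; if ssb-server also uses the subnet-directed broadcast (192.168.42.255), add a second `-d` match or nothing is bridged. Two tightenings: add `-s 192.168.42.2` so only space.local's announcements are replicated, not anything a Wired host broadcasts to udp/8008, and a `-m limit` match so a chatty host cannot flood the WiFi subnet through the gateway. The clone is emitted unchanged (source still the Wired host) through the gateway's local OUTPUT path, which is why the `open-out` udp/8008 accept is needed; a comment next to that rule pointing at the TEE rule would save the next reader the guess.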

On Thu, 8 Aug 2019 08:03:04 -1000
cel at celehner.com wrote:

> Thanks Yar for helping me get this set up. A scuttlebutt instance (ssb-server) is now running at ssb at space.local.
> 
> Could we get port 8008 forwarded to this server from WAN?
> 
> Another issue: the server is on the Wired subnet, so it is not discoverable by peers on the WiFi subnet. It should be discoverable over WiFi to be most useful. To make this peer discovery work, would it be feasible to forward UDP broadcast packets between the subnets (or just from Wired to WiFi)? Alternatively, a script could run on the WiFi subnet to send the periodic UDP broadcast packets advertising the ssb-server at space.local. Could such a script run on the gateway server?
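The firewall change above relies on every nat/PREROUTING DNAT having a matching filter/FORWARD ACCEPT and on stale accepts for retired hosts being removed. The following audit script is an added example, not part of this message or the sudo-sys firewall; it parses a constructed iptables-restore fragment modelled on the new rules (one FORWARD accept deliberately missing, one stale accept for the old 192.168.42.22 host deliberately kept) and reports both kinds of mismatch, coping with the `--dport`-after-`-j` ordering seen in the diff.

```python
"""Audit an iptables-restore dump: pair each nat/PREROUTING DNAT with a filter/FORWARD ACCEPT; flag leftovers."""
import shlex

# Constructed sample modelled on the diff above: the tcp/8081 FORWARD accept is left
# out and an accept for the retired 192.168.42.22 host kept, so each check fires once.
RULES_V4 = """\
*nat
-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 60643 -j DNAT --to-destination 192.168.42.2:60643
-A PREROUTING -p udp -m udp -d 142.254.26.9 --dport 60000:61000 -j DNAT --to-destination 192.168.42.2:60000-61000
-A PREROUTING -p tcp -m tcp -d 142.254.26.9 -j DNAT --dport 8008 --to-destination 192.168.42.2:8008
-A PREROUTING -p tcp -m tcp -d 142.254.26.9 --dport 8081 -j DNAT --to-destination 100.64.64.20:8081
COMMIT
*filter
-A FORWARD -p tcp -d 192.168.42.2 --dport 8008 -j ACCEPT
-A FORWARD -p udp -d 192.168.42.2 --dport 60000:61000 -j ACCEPT
-A FORWARD -p tcp -d 192.168.42.2 --dport 60643 -j ACCEPT
-A FORWARD -p tcp -d 192.168.42.22 --dport 22 -j ACCEPT
COMMIT
"""

def _opt(tokens, name):
    """Value after option `name`, wherever it sits (iptables accepts --dport after -j)."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def parse_rules(text):
    """Return (DNAT targets, FORWARD accepts) as sets of (proto, host, port) triples."""
    dnat, fwd, table = set(), set(), None
    for line in text.splitlines():
        if line.startswith("*"):  # '*nat' / '*filter' table header
            table = line[1:]
        elif line.startswith("-A "):
            t = shlex.split(line)
            proto = _opt(t, "-p")
            if table == "nat" and t[1] == "PREROUTING" and _opt(t, "-j") == "DNAT":
                dest = _opt(t, "--to-destination")
                host, _, port = dest.rpartition(":") if ":" in dest else (dest, "", _opt(t, "--dport") or "")
                dnat.add((proto, host, port.replace("-", ":")))  # DNAT ranges use a-b, matches use a:b
            elif table == "filter" and t[1] == "FORWARD" and _opt(t, "-j") == "ACCEPT" and "-d" in t:
                fwd.add((proto, _opt(t, "-d"), _opt(t, "--dport")))
    return dnat, fwd

def audit(text):
    """DNATs lacking a FORWARD accept, and FORWARD accepts lacking a DNAT."""
    dnat, fwd = parse_rules(text)
    return {"unforwarded": sorted(dnat - fwd), "stale": sorted(fwd - dnat)}

if __name__ == "__main__":
    for kind, findings in audit(RULES_V4).items():
        for proto, host, port in findings:
            print(f"{kind}: {proto} {host}:{port}")
```

Run it against the real `/etc/iptables/rules.v4` by reading the file into `audit()`; rules whose `-d` carries a CIDR suffix or that use interface-only matching are outside what this simple pairing check covers.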