#+INCLUDE: header.org

* Lezzonet: network configuration

** QoS

There is already a QoS script in the forge. It should be self-documenting, so check that.

To facilitate QoS, we are using two network interfaces:

- eth1 (10.0.1.0), where the hosts with higher priority go
- eth2 (10.0.2.0), used by the hosts whose traffic is less important and can be deprioritized

** Firewall

*** Router

Let's break down the router configuration into two parts: port forwarding (NAT) and blocked ports, protocols, and routes.

Port forwarding allows incoming connections from the internet to be redirected to specific devices or services on the local network. This is done with Network Address Translation (NAT) in the router configuration: NAT translates the IP addresses and ports of incoming packets to the appropriate internal IP addresses and ports.

We use iptables to configure the port forwarding rules. The iptables command, specifically in the nat table (-t nat), sets up the rules that define which incoming ports are forwarded to which internal IP addresses and ports.
#+begin_src
# iptables -t nat -L -n
# 10.0.1.3 is the client that hosts the main webserver with the reverse proxy
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.1.3:80
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.0.1.3:443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE 0    --  0.0.0.0/0            0.0.0.0/0
#+end_src

Using iptables commands:

#+begin_src
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.1.3 -j SNAT --to-source 10.0.1.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.3
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
#+end_src

Let's explain this as a list:

1. Add a rule to the POSTROUTING chain of the NAT table (-t nat). It specifies that TCP traffic (-p tcp) leaving through the eth1 interface (-o eth1) with a destination port of 80 (--dport 80) and a destination IP address of 10.0.1.3 (-d 10.0.1.3) should be SNAT (Source Network Address Translation) translated: the source IP address is changed to 10.0.1.1 (--to-source 10.0.1.1). This rule rewrites the source IP address of the forwarded traffic so that it appears to come from the router itself.
2. Add a rule to the PREROUTING chain of the NAT table. It specifies that incoming TCP traffic (-p tcp) with a destination port of 80 (--dport 80) arriving on the eth0 interface (-i eth0) should be DNAT (Destination Network Address Translation) translated: the destination IP address is changed to 10.0.1.3 (--to-destination 10.0.1.3). This rule forwards incoming traffic on port 80 to the specified internal IP address.
3. Add a rule to the FORWARD chain. It allows traffic from the eth1 interface (-i eth1) to the eth0 interface (-o eth0) that belongs to an already established or related connection (-m conntrack --ctstate ESTABLISHED,RELATED). This rule permits responses and related traffic for connections initiated from the internal network.
4. Add a rule to the FORWARD chain. It allows traffic from the eth0 interface (-i eth0) to the eth1 interface (-o eth1) that belongs to an already established or related connection (-m conntrack --ctstate ESTABLISHED,RELATED). This rule permits responses and related traffic for connections initiated from the external network.
5. Add a rule to the FORWARD chain. It allows incoming TCP traffic (-p tcp --syn --dport 80) from the eth0 interface to the eth1 interface that is in the NEW state (-m conntrack --ctstate NEW). This rule permits new incoming TCP connections to port 80 on the internal network.

Alongside port forwarding, we need to block certain ports, protocols, or routes to enhance security or control network traffic. This is where ufw (Uncomplicated Firewall) comes into play.

#+begin_src
To                         Action      From
--                         ------      ----
23185                      ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
1:65535/tcp on eth1        ALLOW IN    Anywhere
1:65535/udp on eth1        ALLOW IN    Anywhere
1:65535/tcp on eth2        ALLOW IN    Anywhere
1:65535/udp on eth2        ALLOW IN    Anywhere
1:65535/tcp on lezzonet    ALLOW IN    Anywhere
1:65535/udp on lezzonet    ALLOW IN    Anywhere
#+end_src

We use the default rules of ufw for the firewall and, in addition, we allow all traffic on the two LAN interfaces eth1 and eth2 and on the WireGuard interface lezzonet. We also allow the SSH protocol and traffic into the WireGuard port 23185.

*** Clients

The piracy machine is the only one directly exposed to the network because of the VPN.
This is the ufw configuration:

#+begin_src
# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on eth0           ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW OUT   Anywhere on eth0 (out)
[ 3] 11000:12000/tcp            ALLOW IN    Anywhere
[ 4] 11000:12000/udp            ALLOW IN    Anywhere
#+end_src

Basically, open every port from 11000 to 12000 and have programs listen on those ports. In addition to that, the main client, Transmission, is very hungry, so I rate limited it using its own configuration options.

Some example commands:

#+begin_src
ufw allow from any to any port 23185
ufw allow ssh
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto udp
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto tcp
#+end_src
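The NAT listing in the router section and the two ufw listings are what actually decide which ports are reachable from outside, so they are worth checking mechanically after every change rather than by eye. The following Python script is an added example, not code from this page or from the forge's QoS script: it parses the text printed by `iptables -t nat -L -n` and `ufw status numbered` (the listings from this page are embedded as constructed sample input), compares the DNAT forwards against an expected allow-list, and answers "is this port reachable inbound on this interface?" for a ufw rule set. The `EXPECTED_FORWARDS` table, the extra DNAT line used in the demo and the use of `lezzonet` as the interface to probe are assumptions made for the example.

```python
"""Firewall listing audit for the Lezzonet router and client (added example,
not from the page). Parses `iptables -t nat -L -n` and `ufw status numbered`
output, checks DNAT forwards against an allow-list, and reports what a ufw
rule set admits inbound per interface."""
import re

# Constructed sample input: the router's NAT table as listed on the page
# (the empty INPUT/OUTPUT chains are left out).
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.1.3:80
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.0.1.3:443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE 0    --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample input: the client's `ufw status numbered` from the page.
UFW_LISTING = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on eth0           ALLOW IN    Anywhere
[ 2] Anywhere                   ALLOW OUT   Anywhere on eth0 (out)
[ 3] 11000:12000/tcp            ALLOW IN    Anywhere
[ 4] 11000:12000/udp            ALLOW IN    Anywhere
"""

# Assumed allow-list: (proto, external port) -> (internal ip, internal port).
EXPECTED_FORWARDS = {("tcp", 80): ("10.0.1.3", 80), ("tcp", 443): ("10.0.1.3", 443)}

# A DNAT line of `iptables -t nat -L -n`: target prot opt source destination extras.
# The target port is optional: `--to-destination 10.0.1.3` prints as `to:10.0.1.3`.
DNAT_RE = re.compile(
    r"^DNAT\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(tcp|udp) dpt:(\d+) to:([\d.]+)(?::(\d+))?")


def parse_dnat(listing):
    """Return (proto, ext_port, int_ip, int_port, source) for each DNAT in PREROUTING."""
    forwards, chain = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # remember which chain the rule lines belong to
        elif chain == "PREROUTING":
            m = DNAT_RE.match(line)
            if m:
                src, _dst, proto, dport, to_ip, to_port = m.groups()
                forwards.append((proto, int(dport), to_ip, int(to_port or dport), src))
    return forwards


def unexpected_forwards(listing, allowed):
    """DNAT rules whose (proto, ext_port) -> (ip, port) mapping is not in the allow-list."""
    return [f for f in parse_dnat(listing) if allowed.get((f[0], f[1])) != (f[2], f[3])]


# One numbered ufw rule line, e.g. "[ 3] 11000:12000/tcp   ALLOW IN   Anywhere".
UFW_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(.+?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(.+?)\s*$")
# The "To" column: "Anywhere", "22", "11000:12000/tcp", "1:65535/udp on eth2", ...
# ("(v6)" entries and rules with comments do not match and are skipped.)
TO_RE = re.compile(r"^(Anywhere|\d+(?::\d+)?)(?:/(tcp|udp))?(?: on (\S+))?$")


def parse_ufw(listing):
    """Parse the numbered rule lines into dicts with n, to, action, dir and from."""
    rules = []
    for line in listing.splitlines():
        m = UFW_RE.match(line)
        if m:
            n, to, action, direction, frm = m.groups()
            rules.append({"n": int(n), "to": to, "action": action, "dir": direction, "from": frm})
    return rules


def _ports(spec):
    """'Anywhere' -> (1, 65535); '22' -> (22, 22); '11000:12000' -> (11000, 12000)."""
    if spec == "Anywhere":
        return 1, 65535
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def exposed_on(listing, iface):
    """(lo, hi, proto) ranges some ALLOW IN rule admits on `iface`; proto 'any' = no proto given."""
    ranges = []
    for r in parse_ufw(listing):
        m = TO_RE.match(r["to"])
        if r["action"] != "ALLOW" or r["dir"] != "IN" or not m:
            continue
        spec, proto, rule_iface = m.groups()
        if rule_iface in (None, iface):      # a rule without "on <iface>" applies to every interface
            lo, hi = _ports(spec)
            ranges.append((lo, hi, proto or "any"))
    return ranges


def port_allowed(listing, iface, port, proto):
    """True if `proto`/`port` arriving on `iface` is admitted by the rule set."""
    return any(lo <= port <= hi and p in ("any", proto) for lo, hi, p in exposed_on(listing, iface))


if __name__ == "__main__":
    print("forwards:", parse_dnat(NAT_LISTING))
    print("unexpected:", unexpected_forwards(NAT_LISTING, EXPECTED_FORWARDS))
    for iface in ("eth0", "lezzonet"):       # lezzonet is the WireGuard interface named on the page
        print(iface, "admits", exposed_on(UFW_LISTING, iface),
              "ssh reachable:", port_allowed(UFW_LISTING, iface, 22, "tcp"))
```

Run against the client's listing, `exposed_on(UFW_LISTING, "eth0")` reports the full 1:65535 range on every protocol, because rule [ 1] (Anywhere on eth0, ALLOW IN) already admits everything arriving on eth0; the 11000:12000 rules only add reach on the other interfaces. That is worth keeping in mind when reading the "open every port from 11000 to 12000" description. The DNAT parser only counts rules under the PREROUTING chain, so a stray DNAT in another chain is not mistaken for a forward, and it tolerates the port-less `to:10.0.1.3` form that the page's `--to-destination 10.0.1.3` command produces.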