bparodi/lezzo.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
17efde8549
lezzo.org/secretwiki/rete.html
Francesco Mecca 17efde8549 secretwiki
2023-05-30 15:37:22 +02:00

194 lines
8.0 KiB
HTML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2023-05-30 Tue 15:37 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Lezzo secret wiki</title>
<meta name="author" content="bparodi" />
<meta name="generator" content="Org Mode" />
<link rel="stylesheet" type="text/css" href="./stylesheet.css"/>
</head>
<body>
<div id="content" class="content">
<h2>[ Lezzo secret wiki ]</a></h2>
<div id="outline-container-org60adc6c" class="outline-2">
<h2 id="org60adc6c"><b>~</b> Lezzonet: la configurazione di rete</h2>
<div class="outline-text-2" id="text-org60adc6c">
</div>
<div id="outline-container-orga431ca7" class="outline-3">
<h3 id="orga431ca7">QoS</h3>
<div class="outline-text-3" id="text-orga431ca7">
<p>
There is already a qos script in the forge. It should be self documenting so
check that.
To facilitate qos, we are using two network interfaces:
</p>
<ul class="org-ul">
<li>eth1 (10.0.1.0) where the hosts with higher priorities go</li>
<li>eth2 (10.0.2.0) used by the hosts which traffic is less important and can be deprioritized</li>
</ul>
</div>
</div>
<div id="outline-container-orgedd80af" class="outline-3">
<h3 id="orgedd80af">Firewall</h3>
<div class="outline-text-3" id="text-orgedd80af">
</div>
<div id="outline-container-orgf146da2" class="outline-4">
<h4 id="orgf146da2">Router</h4>
<div class="outline-text-4" id="text-orgf146da2">
<p>
Let's break down the router configuration into two parts: port forwarding (NAT) and blocked ports, protocols, and routes.
</p>
<p>
Port forwarding allows incoming connections from the internet to be redirected
to specific devices or services on your local network. This is typically done
using Network Address Translation (NAT) in the router configuration. NAT is
responsible for translating the IP addresses and ports of incoming packets to
the appropriate internal IP addresses and ports.
</p>
<p>
We use iptables is used to configure the port forwarding rules. The iptables
command, specifically in the nat table (-t nat), is used to set up the rules
that define which incoming ports should be forwarded to which internal IP
addresses and ports.
</p>
<pre class="example">
# iptables -t nat -L -n
# 10.0.1.3 is the client that hosts the main webserver with the reverse proxy
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.1.3:80
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.1.3:443
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- 0.0.0.0/0 0.0.0.0/0
</pre>
<p>
Using iptables commands:
</p>
<pre class="example">
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.1.3 -j SNAT --to-source 10.0.1.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.3
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
</pre>
<p>
Let's explain this as a list:
</p>
<ol class="org-ol">
<li>add a rule to the NAT table (-t nat). It specifies that
outgoing TCP traffic (-p tcp) with a destination port of 80 (&#x2013;dport 80) and
a destination IP address of 10.0.1.3 (-d 10.0.1.3) should be SNAT (Source
Network Address Translation) translated. The source IP address is changed to
10.0.1.1 (&#x2013;to-source 10.0.1.1). This rule is typically used to rewrite the
source IP address of outgoing traffic to appear as if it's coming from the
router itself</li>
<li>add a rule to the PREROUTING chain of the NAT table. It
specifies that incoming TCP traffic (-p tcp) with a destination port of 80
(&#x2013;dport 80) coming from the eth0 interface (-i eth0) should be DNAT
(Destination Network Address Translation) translated. The destination IP
address is changed to 10.0.1.3 (&#x2013;to-destination 10.0.1.3). This rule is used
to forward incoming traffic from port 80 to the specified internal IP
address</li>
<li>add a rule to the FORWARD chain. It allows traffic from
eth1 interface (-i eth1) to eth0 interface (-o eth0) that is already
established or related (-m conntrack &#x2013;ctstate ESTABLISHED,RELATED). This
rule is used to permit incoming responses or related traffic for connections
initiated from the internal network</li>
<li>add a rule to the FORWARD chain. It allows traffic from eth0 interface (-i
eth0) to eth1 interface (-o eth1) that is already established or related (-m
conntrack &#x2013;ctstate ESTABLISHED,RELATED). This rule is used to permit
incoming responses or related traffic for connections initiated from the
external network.</li>
<li>add a rule to the FORWARD chain. It allows incoming TCP traffic (-p tcp &#x2013;syn
&#x2013;dport 80) from eth0 interface to eth1 interface that is in a NEW state (-m
conntrack &#x2013;ctstate NEW). This rule is used to permit incoming new TCP
connections to port 80 on the internal network.</li>
</ol>
<p>
Alongside port forwarding, we need to block certain ports, protocols, or routes
to enhance security or control network traffic. This is where ufw (Uncomplicated
Firewall) comes into play.
</p>
<pre class="example">
To Action From
-- ------ ----
23185 ALLOW IN Anywhere
22 ALLOW IN Anywhere
1:65535/tcp on eth1 ALLOW IN Anywhere
1:65535/udp on eth1 ALLOW IN Anywhere
1:65535/tcp on eth2 ALLOW IN Anywhere
1:65535/udp on eth2 ALLOW IN Anywhere
1:65535/tcp on lezzonet ALLOW IN Anywhere
1:65535/udp on lezzonet ALLOW IN Anywhere
</pre>
<p>
We use the default rules of ufw for the firewall and in addition we allow all
traffic on the two lan interfaces eth1 and eth2 and the wireguard interface
lezzonet. We also allow the ssh protocol and traffic into the wireguard port 23185.
</p>
</div>
</div>
<div id="outline-container-org75e3150" class="outline-4">
<h4 id="org75e3150">Clients</h4>
<div class="outline-text-4" id="text-org75e3150">
<p>
The piracy machine is the only one directly exposed to the network because of
the vpn. This is the ufw configuration:
</p>
<pre class="example">
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere on eth0 ALLOW IN Anywhere
[ 2] Anywhere ALLOW OUT Anywhere on eth0 (out)
[ 3] 11000:12000/tcp ALLOW IN Anywhere
[ 4] 11000:12000/udp ALLOW IN Anywhere
</pre>
<p>
Basically open every port from 11000 to 12000 and have programs listen on those
ports. In addition to that, the main client that is Transmission is very hungry
so I rate limited it using its own configuration options.
</p>
<p>
Some example commands:
</p>
<pre class="example">
ufw allow from any to any port 23185
ufw allow ssh
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto udb
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto tcp
</pre>
</div>
</div>
</div>
</div>
</div>
<div id="postamble" class="status">
<p class="author">Author: bparodi</p>
<p class="date">Created: 2023-05-30 Tue 15:37</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink