lezzo.org/secretwiki/rete.org
2023-05-25 18:39:20 +02:00

Lezzonet: the network configuration

QoS

There is already a QoS script in the forge. It should be self-documenting, so check that.

Firewall

Router

Let's break down the router configuration into two parts: port forwarding (NAT) and blocked ports, protocols, and routes.

Port forwarding allows incoming connections from the internet to be redirected to specific devices or services on your local network. This is typically done using Network Address Translation (NAT) in the router configuration. NAT is responsible for translating the IP addresses and ports of incoming packets to the appropriate internal IP addresses and ports.

We use iptables to configure the port forwarding rules. The iptables command, specifically in the nat table (-t nat), sets up the rules that define which incoming ports are forwarded to which internal IP addresses and ports.

# iptables -t nat -L -n
# 10.0.1.3 is the client that hosts the main webserver with the reverse proxy
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.1.3:80
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.0.1.3:443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0

Using iptables commands:

iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.1.3 -j SNAT --to-source 10.0.1.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.3
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT

Rule by rule:

  1. add a rule to the POSTROUTING chain of the NAT table (-t nat). It matches TCP traffic (-p tcp) leaving through eth1 (-o eth1) with a destination port of 80 (--dport 80) and a destination IP address of 10.0.1.3 (-d 10.0.1.3) and applies SNAT (Source Network Address Translation): the source IP address is changed to 10.0.1.1 (--to-source 10.0.1.1). This rule is typically used to rewrite the source IP address of outgoing traffic so that it appears to come from the router itself
  2. add a rule to the PREROUTING chain of the NAT table. It matches incoming TCP traffic (-p tcp) with a destination port of 80 (--dport 80) arriving on the eth0 interface (-i eth0) and applies DNAT (Destination Network Address Translation): the destination IP address is changed to 10.0.1.3 (--to-destination 10.0.1.3). This rule forwards incoming traffic on port 80 to the specified internal IP address
  3. add a rule to the FORWARD chain. It allows traffic from the eth1 interface (-i eth1) to the eth0 interface (-o eth0) that belongs to an already established or related connection (-m conntrack --ctstate ESTABLISHED,RELATED). This rule permits responses and related traffic for connections initiated from the internal network
  4. add a rule to the FORWARD chain. It allows traffic from the eth0 interface (-i eth0) to the eth1 interface (-o eth1) that belongs to an already established or related connection (-m conntrack --ctstate ESTABLISHED,RELATED). This rule permits responses and related traffic for connections initiated from the external network
  5. add a rule to the FORWARD chain. It allows incoming TCP connection attempts to port 80 (-p tcp --syn --dport 80) from the eth0 interface to the eth1 interface that are in the NEW state (-m conntrack --ctstate NEW). This rule permits new TCP connections to port 80 on the internal network
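A quick way to check that the live NAT table still matches the intended forwardings is to parse the output of iptables -t nat -L -n (the format shown above) and diff it against a map of expected external port to internal host:port. This is an added example, not a script from the Lezzonet forge; the sample output is constructed and includes one stray DNAT rule (port 2222 to 10.0.1.9) that the audit should flag.

```python
"""Audit the DNAT rules in the PREROUTING chain of `iptables -t nat -L -n`."""
import re

# Constructed sample in the layout iptables prints: the two forwards from the
# wiki plus one stray rule (port 2222 -> 10.0.1.9) added to show detection.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.1.3:80
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.0.1.3:443
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:10.0.1.9:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0
"""

# Intended forwardings: external port -> (internal host, internal port).
EXPECTED = {80: ("10.0.1.3", 80), 443: ("10.0.1.3", 443)}

# Columns: target prot opt source destination, then the match/target details.
DNAT_RE = re.compile(
    r"^DNAT\s+\S+\s+\S+\s+\S+\s+\S+\s+(?:tcp|udp)\s+dpt:(\d+)\s+"
    r"to:(\d+(?:\.\d+){3})(?::(\d+))?\s*$")

def parse_dnat(output):
    """Return {external_port: (host, port)} from the PREROUTING chain only."""
    rules, chain = {}, None
    for line in output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = DNAT_RE.match(line) if chain == "PREROUTING" else None
        if m:
            dport, host, toport = m.groups()
            # "to:HOST" with no port keeps the original destination port.
            rules[int(dport)] = (host, int(toport or dport))
    return rules

def audit(actual, expected):
    """Return (missing, unexpected, mismatched) external ports."""
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return missing, unexpected, mismatched

if __name__ == "__main__":
    print(audit(parse_dnat(SAMPLE), EXPECTED))  # ([], [2222], [])
```

On the router, feed it the real output with `iptables -t nat -L -n | python3 audit.py` style plumbing (a small `sys.stdin.read()` in place of SAMPLE) and alert on any non-empty result.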

Alongside port forwarding, we need to block certain ports, protocols, or routes to enhance security or control network traffic. This is where ufw (Uncomplicated Firewall) comes into play.

     To                         Action      From
     --                         ------      ----
23185                      ALLOW IN    Anywhere                  
22                         ALLOW IN    Anywhere                  
1:65535/tcp on eth1        ALLOW IN    Anywhere                  
1:65535/udp on eth1        ALLOW IN    Anywhere                  
1:65535/tcp on eth2        ALLOW IN    Anywhere      
1:65535/udp on eth2        ALLOW IN    Anywhere                  
1:65535/tcp on lezzonet    ALLOW IN    Anywhere                  
1:65535/udp on lezzonet    ALLOW IN    Anywhere

We use the default ufw rules for the firewall and in addition allow all traffic on the two LAN interfaces eth1 and eth2 and on the WireGuard interface lezzonet. We also allow SSH and traffic to the WireGuard port 23185.
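The policy in the previous paragraph can be checked mechanically against ufw status output: every inbound ALLOW must either be bound to one of the trusted interfaces (eth1, eth2, lezzonet) or target one of the two deliberately exposed ports (22, 23185). This is an added example, not part of the wiki or the forge; the sample table is constructed from the router rules above plus one rule (3306/tcp) that breaks the policy.

```python
import re
# Constructed sample in the `ufw status` layout: the router's rules from the
# wiki plus one rule that breaks the policy (a service opened on every interface).
SAMPLE = """\
     To                         Action      From
     --                         ------      ----
23185                      ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
1:65535/tcp on eth1        ALLOW IN    Anywhere
1:65535/udp on eth1        ALLOW IN    Anywhere
1:65535/tcp on lezzonet    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
"""
TRUSTED_IFACES = {"eth1", "eth2", "lezzonet"}  # LAN and WireGuard interfaces
EXPOSED_PORTS = {22, 23185}                    # SSH and the WireGuard port

# Optional "[ n]" index (from `ufw status numbered`), To, Action, direction, From.
RULE_RE = re.compile(r"^(?:\[\s*\d+\]\s+)?(?P<to>.+?)\s{2,}"
                     r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+(?P<from>.+?)\s*$")

def parse_rules(output):
    """Return one dict per rule line; header and status lines do not match."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            to, _, iface = m.group("to").partition(" on ")
            rules.append({"to": to, "iface": iface or None, "action": m.group("action"),
                          "dir": m.group("dir"), "from": m.group("from")})
    return rules

def port_range(spec):
    """'22' -> (22, 22); '1:65535/tcp' -> (1, 65535); 'Anywhere' -> (1, 65535)."""
    spec = spec.split("/")[0]
    if spec == "Anywhere":
        return (1, 65535)
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))

def violations(rules):
    """Inbound ALLOW rules that are neither on a trusted interface nor an intended port."""
    bad = []
    for r in rules:
        if r["action"] != "ALLOW" or r["dir"] != "IN" or r["iface"] in TRUSTED_IFACES:
            continue
        lo, hi = port_range(r["to"])
        if not (lo == hi and lo in EXPOSED_PORTS):
            bad.append(r["to"] + (f" on {r['iface']}" if r["iface"] else ""))
    return bad
```

The same parser handles the numbered output shown for the clients below; run it there with that machine's own interface and port lists instead of the router's.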

Clients

The piracy machine is the only one directly exposed to the network because of the VPN. This is its ufw configuration:

# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere on eth0           ALLOW IN    Anywhere                  
[ 2] Anywhere                   ALLOW OUT   Anywhere on eth0           (out)
[ 3] 11000:12000/tcp            ALLOW IN    Anywhere                  
[ 4] 11000:12000/udp            ALLOW IN    Anywhere

Basically, open every port from 11000 to 12000 and have programs listen on those ports. In addition to that, the main client, Transmission, is very hungry, so I rate-limited it using its own configuration options.

Some example commands:

ufw allow from any to any port 23185
ufw allow ssh
# one interface per rule: ufw's "on" takes a single interface name
ufw allow in on eth1 to any port 22,53,123,514 proto udp
ufw allow in on eth2 to any port 22,53,123,514 proto udp
ufw allow in on lezzonet to any port 22,53,123,514 proto udp
ufw allow in on eth1 to any port 22,53,123,514 proto tcp
ufw allow in on eth2 to any port 22,53,123,514 proto tcp
ufw allow in on lezzonet to any port 22,53,123,514 proto tcp