Run Your Own - User contributions [en]

Larix streams and chats service

2026-06-03T14:59:40Z

Brendan: Created page with "Danny is setting up a new live streams + chatroom thing to run virtual conferences or live stream sessions. Docs to follow…"

Danny is setting up a new live streams + chatroom thing to run virtual conferences or live stream sessions.

Docs to follow…

Wildcard Certificates with acme.sh

2025-03-05T10:31:28Z

Brendan: add cron and icecast stuff

<code>acme.sh</code> is a lightweight shell script based tool to handle Let's Encrypt certificates, etc.

== Install the bash script ==
wget https://get.acme.sh

As root:

sh acme.sh

This will install the script to <code>/root/.acme</code> and add it to path by sourcing a script from root's <code>.bashrc</code>

== Request a wildcard cert for lurk.org ==
We use wildcard certificates with DNS authentification, and we use the DNS server of our registrar, porkbun. It's not great (terrible UI for DNS editing), but it's cheap. Porkbun DNS support was added in recent versions of <code>acme.sh</code>. To make it work, we first need to find our Porkbun API keys and use them to set the following environment variables in root's <code>.bashrc</code>:

export PORKBUN_API_KEY="..."
export PORKBUN_SECRET_API_KEY="..."

When ready and reloaded:

acme.sh --issue --dns dns_porkbun -d lurk.org -d *.lurk.org

result:

* cert is in: <code>/root/.acme.sh/lurk.org_ecc/lurk.org.cer</code>
* cert key is in: <code>/root/.acme.sh/lurk.org_ecc/lurk.org.key</code>
* intermediate CA cert is in: <code>/root/.acme.sh/lurk.org_ecc/ca.cer</code>
* full-chain cert is in: <code>/root/.acme.sh/lurk.org_ecc/fullchain.cer</code>

== Install the certs for nginx ==
The following command will install the certs for nginx, assuming there is a <code>/etc/nginx/certs/</code> directory. Should be set and forget.
acme.sh --install-cert -d lurk.org -d *.lurk.org --key-file /etc/nginx/certs/key.pem --fullchain-file /etc/nginx/certs/cert.pem --reloadcmd "systemctl force-reload nginx"

== Deployment for other services ==
<code>acme.sh</code> can also support custom installs of the certificates. They call this deployment, and all the scripts provided by the project can be found in <code>/root/.acme.sh/deploy</code>.

It's possible to make new deploy scripts quite easily, here is an example for <code>cooldaemon.sh</code>:
<pre>
# this makes accessible as variables all the necessary paths and files
cooldaemon_deploy() {
_cdomain="$1"
_ckey="$2"
_ccert="$3"
_cca="$4"
_cfullchain="$5"

_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
_debug _ccert "$_ccert"
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"

# make a var for the target location
_ssl_path="/etc/cooldaemon/certs/"

# cooldaemon only needs the fullchain perm and the key so
# we only copy these
cp $_ckey $_ssl_path
cp $_cfullchain $_ssl_path

# any extra commands can be added here for instance
# maybe cooldaemon is picky about cert ownership
chown -R cooldaemon:cooldaemon $_ssl_path

# last but not least we reload cool daemon
# please note that some other daemons may need a restart instead
systemctl reload mumble-server

return 0
}
</pre>

To enable the deployment at every cert renewal:
acme.sh --deploy -d lurk.org -d *.lurk.org --deploy-hook cooldaemon

== set up a cron job ==
24 3 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --reloadcmd "systemctl force-reload nginx" --renew-hook "/root/icecast_certs.sh"

To be fully modern and cool, we should probably switch from cron to a systemd timer but that's for another day. There's also a deploy script for icecast so this could theoretically all be done in one run but there are no docs for --cron so it's not clear how to set this up. For now we use a post renewal hook that smooshes the certs together for icecast:

<pre>
#!/bin/sh
# turn the acme certs in to a certificate chain for icecast streaming
cat /root/.acme.sh/\*.lurk.org/fullchain.cer > /usr/local/share/icecast/icecast.pem
cat /root/.acme.sh/\*.lurk.org/\*.lurk.org.key >> /usr/local/share/icecast/icecast.pem
systemctl restart icecast

</pre>

[[Category:Certificates]]

FilesystemMonitoring

2025-02-22T17:25:31Z

Brendan: /* Filesystem Monitoring */

= Filesystem Monitoring =

If you have applications with a propensity to blow up it can be helpful to have an alert before you run out of disk space.

Thinks like mastodon and certain file-sharing systems can steadily eat up lots of space caching things that you might not need any more. There also the always present danger that logs or backup files can inflate to huge sizes due to unobserved errors or missing clean-ups. So let's make a little script that will send us an alarm email if it looks dicey:

* save this script somewhere useful like disk-monitor.sh in your private bin folder
<pre>
#!/bin/bash
# set -x
# Shell script to monitor or watch the disk space
# It will send an email to $ADMIN, if the (free available) percentage of space is >= 90%.
# --------------------------------------------------------------------------------------------------------
# Set admin email so that you can get email.
ADMIN="admins@example.com"
# set alert level 90% is default
ALERT=90
# Exclude list of unwanted monitoring, if several partions then use "|" to separate the partitions.
# An example: EXCLUDE_LIST="/dev/hdd1|/dev/hdc5"
EXCLUDE_LIST="/auto/ripper|loop|udev"
#
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
main_prog() {
while read -r output;
do
servername=$(hostname)
usep=$(echo "$output" | awk '{ print $1}' | cut -d'%' -f1)
partition=$(echo "$output" | awk '{print $2}')
echo "partition $partition is at $usep% useage"
if [ $usep -ge $ALERT ] ; then
echo "Running out of space \"$partition ($usep%)\" on server $(hostname), $(date)" | \
mail -s "***ALERT*** $servername is almost out of disk space: $usep% on $partition" "$ADMIN"
fi
done
}

if [ "$EXCLUDE_LIST" != "" ] ; then
df -h | grep -vE "^Filesystem|tmpfs|cdrom|${EXCLUDE_LIST}" | awk '{print $5 " " $6}' | main_prog
else
df -h | grep -vE "^Filesystem|tmpfs|cdrom" | awk '{print $5 " " $6}' | main_prog
fi
</pre>

* now create a systemd service in /etc/systemd/system/diskmonitor.service
<pre>
[Unit]
Description=Check filesystems and alert when approaching full

[Service]
Type=oneshot
ExecStart=/home/borf/disk-monitor.sh
</pre>

* then create a systemd timer /etc/systemd/system/diskmonitor.timer - this will run once per hour
<pre>
[Unit]
Description=Check disks are not about to be full

[Timer]
OnBootSec=15m
OnUnitActiveSec=1h

[Install]
WantedBy=diskmonitor.target
</pre>

* enable the timer
sudo systemctl enable diskmonitor.timer

[[Category:Storage]]

Firewall

2025-02-21T10:48:49Z

Brendan: added l4proto and ipv6-icmp

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
note - for newer setups see nftables below. iptables commands still work but directly using nftables is preferred.

* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
<pre>
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# open vpn traffic
iifname lurknet accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept

# tinc
udp dport { 655, 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# vpn interface
iifname lurknet accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept
meta l4proto ipv6-icmp accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept

# tinc
udp dport { 655, 60000-61000 } accept
}
}
</pre>

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

FilesystemMonitoring

2025-02-19T16:25:51Z

Brendan:

= Filesystem Monitoring =

If you have applications with a propensity to blow up it can be helpful to have an alert before you run out of disk space.

Thinks like mastodon and certain file-sharing systems can steadily eat up lots of space caching things that you might not need any more. There also the always present danger that logs or backup files can inflate to huge sizes due to unobserved errors or missing clean-ups. So let's make a little script that will send us an alarm email if it looks dicey:

* save this script somewhere useful like disk-monitor.sh in your private bin folder
<pre>
#!/bin/bash
# set -x
# Shell script to monitor or watch the disk space
# It will send an email to $ADMIN, if the (free available) percentage of space is >= 90%.
# --------------------------------------------------------------------------------------------------------
# Set admin email so that you can get email.
ADMIN="admins@example.com"
# set alert level 90% is default
ALERT=90
# Exclude list of unwanted monitoring, if several partions then use "|" to separate the partitions.
# An example: EXCLUDE_LIST="/dev/hdd1|/dev/hdc5"
EXCLUDE_LIST="/auto/ripper|loop|udev"
#
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
main_prog() {
while read -r output;
do
#echo "Working on $output ..."
servername=$(hostname)
usep=$(echo "$output" | awk '{ print $1}' | cut -d'%' -f1)
partition=$(echo "$output" | awk '{print $2}')
#echo "alert level is $ALERT"
echo "partition $partition is at $usep% useage"
if [ $usep -ge $ALERT ] ; then
#echo "ALERT $partition is now up to $usep percent utilization!"
echo "Running out of space \"$partition ($usep%)\" on server $(hostname), $(date)" | \
mail -s "***ALERT*** $servername is almost out of disk space: $usep% on $partition" "$ADMIN"
fi
done
}

if [ "$EXCLUDE_LIST" != "" ] ; then
df -h | grep -vE "^Filesystem|tmpfs|cdrom|${EXCLUDE_LIST}" | awk '{print $5 " " $6}' | main_prog
else
df -h | grep -vE "^Filesystem|tmpfs|cdrom" | awk '{print $5 " " $6}' | main_prog
fi
</pre>

* now create a systemd service in /etc/systemd/system/diskmonitor.service
<pre>
[Unit]
Description=Check filesystems and alert when approaching full

[Service]
Type=oneshot
ExecStart=/home/borf/disk-monitor.sh
</pre>

* then create a systemd timer /etc/systemd/system/diskmonitor.timer - this will run once per hour
<pre>
[Unit]
Description=Check disks are not about to be full

[Timer]
OnBootSec=15m
OnUnitActiveSec=1h

[Install]
WantedBy=diskmonitor.target
</pre>

* enable the timer
sudo systemctl enable diskmonitor.timer

[[Category:Storage]]

FilesystemMonitoring

2025-02-19T15:06:29Z

Brendan:

= Filesystem Monitoring =

If you have applications with a propensity to blow up it can be helpful to have an alert before you run out of disk space.

Thinks like mastodon and certain file-sharing systems can steadily eat up lots of space caching things that you might not need any more. There also the always present danger that logs or backup files can inflate to huge sizes due to unobserved errors or missing clean-ups. So let's make a little script that will send us an alarm email if it looks dicey:

* save this script somewhere useful like disk-monitor.sh in your private bin folder
<pre>
#!/bin/bash
# set -x
# Shell script to monitor or watch the disk space
# It will send an email to $ADMIN, if the (free available) percentage of space is >= 90%.
# --------------------------------------------------------------------------------------------------------
# Set admin email so that you can get email.
ADMIN="admins@example.com"
# set alert level 90% is default
ALERT=90
# Exclude list of unwanted monitoring, if several partions then use "|" to separate the partitions.
# An example: EXCLUDE_LIST="/dev/hdd1|/dev/hdc5"
EXCLUDE_LIST="/auto/ripper|loop|udev"
#
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
main_prog() {
while read -r output;
do
#echo "Working on $output ..."
servername=$(hostname)
usep=$(echo "$output" | awk '{ print $1}' | cut -d'%' -f1)
partition=$(echo "$output" | awk '{print $2}')
#echo "alert level is $ALERT"
echo "partition $partition is at $usep% useage"
if [ $usep -ge $ALERT ] ; then
#echo "ALERT $partition is now up to $usep percent utilization!"
echo "Running out of space \"$partition ($usep%)\" on server $(hostname), $(date)" | \
mail -s "***ALERT*** $servername is almost out of disk space: $usep% on $partition" "$ADMIN"
fi
done
}

if [ "$EXCLUDE_LIST" != "" ] ; then
df -h | grep -vE "^Filesystem|tmpfs|cdrom|${EXCLUDE_LIST}" | awk '{print $5 " " $6}' | main_prog
else
df -h | grep -vE "^Filesystem|tmpfs|cdrom" | awk '{print $5 " " $6}' | main_prog
fi
</pre>

* now create a systemd service in /etc/systemd/system/diskmonitor.service
<pre>
[Unit]
Description=Check filesystems and alert when approaching full

[Service]
Type=oneshot
ExecStart=/home/borf/disk-monitor.sh
</pre>

* then create a systemd timer /etc/systemd/system/diskmonitor.timer - this will run once per hour
<pre>
[Unit]
Description=Check disks are not about to be full

[Timer]
OnBootSec=15m
OnUnitActiveSec=1h

[Install]
WantedBy=diskmonitor.target
</pre>

* enable the timer
sudo systemctl enable diskmonitor.timer

FilesystemMonitoring

2025-02-19T15:05:24Z

Brendan: create page documenting a filesystem fill-up email alarm

# Filesystem Monitoring #

If you have applications with a propensity to blow up it can be helpful to have an alert before you run out of disk space.

Thinks like mastodon and certain file-sharing systems can steadily eat up lots of space caching things that you might not need any more. There also the always present danger that logs or backup files can inflate to huge sizes due to unobserved errors or missing clean-ups. So let's make a little script that will send us an alarm email if it looks dicey:

* save this script somewhere useful like disk-monitor.sh in your private bin folder
<pre>
#!/bin/bash
# set -x
# Shell script to monitor or watch the disk space
# It will send an email to $ADMIN, if the (free available) percentage of space is >= 90%.
# --------------------------------------------------------------------------------------------------------
# Set admin email so that you can get email.
ADMIN="admins@example.com"
# set alert level 90% is default
ALERT=90
# Exclude list of unwanted monitoring, if several partions then use "|" to separate the partitions.
# An example: EXCLUDE_LIST="/dev/hdd1|/dev/hdc5"
EXCLUDE_LIST="/auto/ripper|loop|udev"
#
#::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
#
main_prog() {
while read -r output;
do
#echo "Working on $output ..."
servername=$(hostname)
usep=$(echo "$output" | awk '{ print $1}' | cut -d'%' -f1)
partition=$(echo "$output" | awk '{print $2}')
#echo "alert level is $ALERT"
echo "partition $partition is at $usep% useage"
if [ $usep -ge $ALERT ] ; then
#echo "ALERT $partition is now up to $usep percent utilization!"
echo "Running out of space \"$partition ($usep%)\" on server $(hostname), $(date)" | \
mail -s "***ALERT*** $servername is almost out of disk space: $usep% on $partition" "$ADMIN"
fi
done
}

if [ "$EXCLUDE_LIST" != "" ] ; then
df -h | grep -vE "^Filesystem|tmpfs|cdrom|${EXCLUDE_LIST}" | awk '{print $5 " " $6}' | main_prog
else
df -h | grep -vE "^Filesystem|tmpfs|cdrom" | awk '{print $5 " " $6}' | main_prog
fi
</pre>

* now create a systemd service in /etc/systemd/system/diskmonitor.service
<pre>
[Unit]
Description=Check filesystems and alert when approaching full

[Service]
Type=oneshot
ExecStart=/home/borf/disk-monitor.sh
</pre>

* then create a systemd timer /etc/systemd/system/diskmonitor.timer - this will run once per hour
<pre>
[Unit]
Description=Check disks are not about to be full

[Timer]
OnBootSec=15m
OnUnitActiveSec=1h

[Install]
WantedBy=diskmonitor.target
</pre>

* enable the timer
sudo systemctl enable diskmonitor.timer

Firewall

2025-02-18T17:55:21Z

Brendan: /* iptables oneliners */

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
note - for newer setups see nftables below. iptables commands still work but directly using nftables is preferred.

* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
<pre>
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# open vpn traffic
iifname lurknet accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept

# tinc
udp dport { 655, 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# vpn interface
iifname lurknet accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept

# tinc
udp dport { 655, 60000-61000 } accept
}
}
</pre>

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

Firewall

2025-02-18T17:53:58Z

Brendan: add interface and ports to help tinc

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
<pre>
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# open vpn traffic
iifname lurknet accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept

# tinc
udp dport { 655, 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# vpn interface
iifname lurknet accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept

# tinc
udp dport { 655, 60000-61000 } accept
}
}
</pre>

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

Tinc Settings for LURK

2025-02-18T17:16:41Z

Brendan:

== LURK specific settings ==

Tinc is currently installed to connect nodes in the lurk network

agnesbaxter = 10.0.1.3
skattkista = 10.0.1.2 (currently dead)
vrijdagmiddagborrel = 10.0.1.4
manis = 10.0.1.5
poplar = 10.0.1.6
ns334441 = 10.0.1.7
tilia = 10.0.1.8
larix = 10.0.1.9

all clients that connect via server agnesbaxter

[[Category: VPN]]

Tinc Settings for LURK

2025-02-18T17:15:25Z

Brendan: add larix

== LURK specific settings ==

Tinc is currently installed to connect nodes in the lurk network

agnesbaxter = 10.0.1.3
skattkista = 10.0.1.2 (currently dead)
vrijdagmiddagborrel = 10.0.1.4
manis = 10.0.1.5
poplar = 10.0.1.6
ns334441 = 10.0.1.7
tilia = 10.0.1.8
larix = 10.0.1.9

skattkista, vmb, manis and poplar connect to agnesbaxter

[[Category: VPN]]

Firewall

2025-02-18T12:40:58Z

Brendan:

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
<pre>
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}
</pre>

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

Firewall

2025-02-18T12:40:02Z

Brendan: aha. need to use PRE tags for code blocks (and ascii art I suppose)

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
<pre>
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}
</pre>

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

Firewall

2025-02-18T12:36:58Z

Brendan:

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
{{Codesample |
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}
}}

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

Firewall

2025-02-18T12:35:32Z

Brendan:

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
{{code |
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}
}}

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

Firewall

2025-02-18T12:30:23Z

Brendan: add docs for nftables firewall

Different ways to handle <code>iptables</code> and <code>nftables</code>.

== Using <code>iptables-persistent</code> on Debian ==

'''Note:''' In use on <code>vrijdagmiddagborrel</code>.

It's basically a set of <code>iptables</code> plugins for <code>netfilter-persistent</code>, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.

=== Installation and config ===
* Installation:
apt install iptables-persistent netfilter-persistent
* Add/change iptables rules located at <code>/etc/iptables/rules.v4</code> and <code>/etc/iptables/rules.v6</code>

=== Usage ===
* Apply new rules after changes made to <code>rules.v*</code> files and check result
netfilter-persistent reload
iptables -L

== <code>iptables</code> oneliners ==
* list all rules from all chains
iptables -L
* block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP

== nftables ==

''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

* enable the firewall
systemctl enable nftables

* a basic firewall config you can drop into /etc/nftables.conf
<code>
#!/usr/sbin/nft -f

flush ruleset

table firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# loopback interface
iifname lo accept

# icmp
icmp type echo-request accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}

table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;

# established/related connections
ct state established,related accept

# invalid connections
ct state invalid drop

# loopback interface
iifname lo accept

# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept

# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 999 } accept

# tinc
udp dport { 60000-61000 } accept
}
}
</code>

* start the firewall
systemctl start nftables

* see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset

get rich off your NFT!

[[Category:System]]

Tinc Settings for LURK

2024-07-17T19:26:26Z

Brendan: add ns334441

== LURK specific settings ==

Tinc is currently installed to connect nodes in the lurk network

agnesbaxter = 10.0.1.3
skattkista = 10.0.1.2 (currently dead)
vrijdagmiddagborrel = 10.0.1.4
manis = 10.0.1.5
poplar = 10.0.1.6
ns334441 = 10.0.1.7
tilia = 10.0.1.8

skattkista, vmb, manis and poplar connect to agnesbaxter

[[Category: VPN]]

Tinc Settings for LURK

2024-07-17T16:30:40Z

Brendan: add tilia

== LURK specific settings ==

Tinc is currently installed to connect nodes in the lurk network

agnesbaxter = 10.0.1.3
skattkista = 10.0.1.2 (currently dead)
vrijdagmiddagborrel = 10.0.1.4
manis = 10.0.1.5
poplar = 10.0.1.6
tilia = 10.0.1.7

skattkista, vmb, manis and poplar connect to agnesbaxter

[[Category: VPN]]

Tinc Settings for LURK

2023-09-13T12:01:36Z

Brendan: update

== LURK specific settings ==

Tinc is currently installed to connect nodes in the lurk network

agnesbaxter = 10.0.1.3
skattkista = 10.0.1.2 (currently dead)
vrijdagmiddagborrel = 10.0.1.4
manis = 10.0.1.5
poplar = 10.0.1.6

skattkista, vmb, manis and poplar connect to agnesbaxter

[[Category: VPN]]