Category: linux

Nftables examples


These nftables firewall examples are from my previous house. All of them require IPv4 forwarding (net.ipv4.ip_forward) to be enabled in /etc/sysctl.conf, as well as a running DHCP server when plugging into an existing router's WAN port.

This allowed me to use Raspberry Pis and USB network adaptors instead of more permanent hardware.

The first and last examples sat between the NBN box and the internet service provider's supplied router. The final one ended up with some IPv6 nftables rules as well.

There are some port forwards, with a few different conditions explained in the comments.

There are rules for dropping a few dodgy packets. This is possibly not the ideal way of doing it all, but the configs are provided as samples for those googling the subject. Hi!

This one was for going between the router and the NBN box, using a USB network card for the WAN connection.


#!/sbin/nft -f

flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "eth0" counter accept comment "accept eth0"
        iifname "eth1" ct state established,related counter accept comment "accept traffic from us"
        iifname "wlan0" counter accept comment "accept wlan0"
        iif lo counter accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        iifname "eth1" tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "eth0" oifname "eth1" counter accept comment "eth0 to eth1"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "eth1" oifname "eth0" ct state related,established counter accept comment "external to eth0"
        counter comment "count dropped packets"
    }
}

table ip nat {
    chain early_packet_filter {
        # priority -150 runs before nat prerouting (0) and after connection tracking (-200)
        type filter hook prerouting priority -150; policy accept;
        # drop badly formed packets
        ct state invalid drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # exceptions
        iifname "eth1" tcp dport 23 dnat to 192.168.4.80:22 comment "port forward 23 to router ssh"
        iifname "eth1" tcp dport 443 dnat to 192.168.4.80:443 comment "port forward 443 to router"
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth1" counter masquerade comment "masquerade"
    }
}

butles was using a USB WiFi adaptor for the internet (wlan1), the on-board WiFi for a GoPro network (wlan0) and a wired connection to the garage router's WAN port (eth0).

#!/sbin/nft -f

flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "wlan0" counter accept comment "accept wlan0"
        iifname "wlan1" ct state established,related counter accept comment "accept traffic from us"
        iifname "eth0" counter accept comment "accept eth0"
        iif lo counter accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 22 counter accept comment "accept SSH from garage"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 5000 counter accept comment "accept OCTOPRINT"
        iifname "wlan1" ip saddr 192.168.1.0/24 tcp dport 8080 counter accept comment "accept WEBCAM"
        iifname "wlan1" ip saddr 192.168.2.0/24 tcp dport 24800 counter accept comment "accept SYNERGY from router's wan port"
        counter comment "count dropped packets"
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "wlan0" oifname "wlan1" counter accept comment "wlan0 to wlan1"
        iifname "eth0" oifname "wlan1" counter accept comment "eth0 to wlan1"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "wlan1" oifname "wlan0" ct state related,established counter accept comment "external to wlan0"
        iifname "wlan1" oifname "eth0" ct state related,established counter accept comment "external to eth0"
        counter comment "count dropped packets"
    }
}

table ip nat {
    chain early_packet_filter {
        # priority -150 runs before nat prerouting (0) and after connection tracking (-200)
        type filter hook prerouting priority -150; policy accept;
        # drop badly formed packets
        ct state invalid drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlan1" counter masquerade comment "masquerade"
    }
}


Backup of the PPPoE NBN config. It needed a VLAN ID and authentication details copied from the supplied router's admin page. It also includes fail2ban and IPv6.

#!/sbin/nft -f

flush ruleset
include "/etc/nftables/fail2ban.conf"

table ip fail2ban {
    chain input {
        type filter hook input priority 100;
    }
}

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "eth0" counter accept comment "accept eth0"
        iifname "eth1" counter accept comment "accept eth1"
        iifname "ppp0" ct state established,related counter accept comment "accept traffic back from us"
        #iifname "ppp0" counter accept comment "accept traffic from us"
        iifname "wlan0" counter accept comment "accept wlan0"
        iif lo counter accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        iifname "ppp0" tcp dport 22 counter accept comment "accept SSH"
        iifname "ppp0" tcp dport 23 counter accept comment "accept SSH to slab"
        iifname "ppp0" tcp dport 443 counter accept comment "accept HTTPS to slab"
        counter comment "count dropped packets"
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "eth0" oifname "ppp0" counter accept comment "eth0 to ppp0"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "ppp0" oifname "eth0" ct state related,established counter accept comment "external to eth0"
        counter comment "count dropped packets"
    }
}

table ip nat {
    chain early_packet_filter {
        # priority -150 runs before nat prerouting (0) and after connection tracking (-200)
        type filter hook prerouting priority -150; policy accept;
        # drop badly formed packets
        ct state invalid drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 drop
        tcp flags syn tcp option maxseg size 1-536 drop
    }

    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # exceptions
        iifname "ppp0" tcp dport 23 dnat to 192.168.4.80:22 comment "port forward 23 to router ssh"
        iifname "ppp0" tcp dport 443 dnat to 192.168.4.80:443 comment "port forward 443 to router"
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "ppp0" counter masquerade comment "masquerade"
    }
}

table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;

        # established/related connections
        ct state established,related accept

        # invalid connections
        ct state invalid drop

        # loopback interface
        iifname lo accept

        # icmp
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit, mld-listener-query } accept

        # drop everything else
        drop
    }
}
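The ip6 table in that last ruleset only filters IPv6 traffic addressed to the firewall itself (the input hook); there is no IPv6 forward chain, so if net.ipv6.conf.all.forwarding is turned on, routed IPv6 traffic is not filtered at all. As an added example (not from the original post), this ip6 forward chain mirrors the IPv4 forward chain of the same ruleset, assuming the same eth0/wlan0 (LAN) and ppp0 (WAN) interface names.

```nft
table ip6 filter {
    # same policy as the IPv4 forward chain: LAN may reach WAN,
    # WAN may only send replies to connections the LAN initiated
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid counter drop comment "drop invalid"
        iifname "eth0" oifname "ppp0" counter accept comment "eth0 to ppp0"
        iifname "eth0" oifname "wlan0" counter accept comment "eth0 to wlan0"
        iifname "ppp0" oifname "eth0" ct state related,established counter accept comment "external to eth0"
        # ICMPv6 error messages must get through or path MTU discovery breaks
        # for LAN hosts; conntrack usually marks them related, this covers the rest
        iifname "ppp0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept comment "icmpv6 errors from WAN"
        counter comment "count dropped packets"
    }
}
```

Run nft -c -f on the whole file before loading it; -c parses and checks the ruleset without applying it, so a typo does not leave the box with an empty ruleset after flush ruleset.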

Self hosted web sites for older browsers with the Raspberry Pi


The modern internet is too much for the old iPad. Secure sites and the latest JavaScript features render most of the internet unusable.

The solution for this was to use self-hosted sites to make the early 2000s versions of Safari and Chrome useful again, but it could also be useful on other devices.

Keep in mind you will need a fair bit of storage for Kiwix: 53 GB for Project Gutenberg ebooks or 78 GB for Wikipedia with no videos. There are quite a few sites available that are a lot smaller.

The following commands add a repository on the Pi, enabling you to use apt to grab whatever PHP modules you need:

wget -q https://packages.sury.org/php/apt.gpg -O- | apt-key add -
echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list

On the Pi Zero and Pi 1 A and B this won't work; you will need to compile PHP from source, as I couldn't find a package for the ARMv6 architecture.

I used mariadb-server-10.0 for older Ampache versions to support obsolete features, but I did have to edit a few SQL files and replace instances of TYPE= with ENGINE= to get them going.

And remember…

Do not host these on the internet. This is for internal use only, due to vulnerabilities in old software versions.

Writing ISO’s to USB Hard Disks in Windows the wrong way


After creating a handful of Windows installation USB drives over the years, I wanted to make an Ubuntu installation USB hard disk rather than burn the image to a DVD. The main benefit of installing from a USB hard disk is the speed the OS installs: it is considerably faster than a DVD installation and older flash drives. Plus you don't need a working optical drive, which isn't always available.

There are many other ways of writing Linux images and all of them are better. The ideal way to do this is using Rufus (https://rufus.ie/), which is much easier to use, gives you more options and is a lot safer to use.

I was feeling difficult and decided to try a different way.

First stop was to try Win32DiskImager, but it was unable to see USB hard drives, only SD cards and flash drives.

So the next step was to grab a copy of dd, a Linux tool that has been ported to Windows (chrysocome.net – download).

Although not very pretty, dd on Windows is similar to how you use it on Linux, with the exception of the paths for your physical drives and partitions.

It is not quicker

It is not better

It is much harder

But it works
