Made a few hosts accessible from the outside
In particular, I made Bacon, Prometheus and Hydra accessible. SSH should not be accessible to outside world on any of the 655334 possible ports unless there is a good reason for them to be so.
These are the iptables firewall rules for Ziltoid (the firewall).

Each host's entry in the rules file is documented with a comment header in the following format:

    # Device Name (IPv4 address)
    # External Access: [list of services (port number if unusual port or uncommon service)]
    [list of the iptables rules]

If SSH has to be reachable from outside, give sshd a second listening port (the `Port ####` directive), so that it listens on 22 and 13699 in the labs, and just 13699 externally. You can also use the VPN or Ziltoid.

The way you update the configuration is as follows: `cd /etc/iptables`, then run `make`. Make does the following:

1. `git pull` to pull the repository. Typically this will ask for your Git server credentials.
2. `sudo iptables-restore < rules.v4`. This will ask for your sudo password.
Handy iptables commands:

- `iptables -S` shows the running rules in iptables-save syntax (config, ish)
- `iptables -L` lists rules
- `iptables -D <chain> <rule>` deletes a rule
- `iptables -A <chain> <rule>` appends a rule
- `iptables -F` flushes (clears) the entire table. USE WITH CAUTION: the chain policies stay, so with a DROP policy this locks you out of the box, and with ACCEPT it opens everything.

None of these change rules.v4; whatever you do by hand is gone at the next reboot or `make`.
Currently, we don't have any failure-mode protection. If you push a bad config, there is no rollback mechanism other than reverting the commit, and if the new rules cut off your own connection to Ziltoid, that's it.
This could be implemented better in the future. So far we have just been very careful to know exactly what we are applying, but not everyone is god-tier at iptables configs, so this would probably be beneficial.
Presumably, a way to do this would be as follows:

- `make sync`: pull down the latest config.
- `make test`: apply the latest config, but do not write it out to rules.v4, but rather to a different file, and resync from the existing config if `make apply` is not run within 5 minutes.
- `make apply`: apply the latest config, and set it to be applied on reboot.
- `make` (no target): equivalent to `make sync test`.
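Below is one way to implement the `sync` / `test` / `apply` targets described above, covering both the current pull-then-restore workflow and the proposed timed rollback. It is an added example, not the repository's own Makefile. Everything about the layout is an assumption: the git checkout holds `rules.v4`, the file restored at boot is `BOOT_RULES` and lives outside the checkout (unlike the current setup where the checkout is `/etc/iptables` itself), the snapshot and timer files live under `/run`, the rollback timer is a detached `sleep` rather than an at(1) job, and the user can sudo.

```makefile
# Added example (not the repository's Makefile): sync/test/apply with a
# timed rollback. All paths and names below are assumptions; adjust them
# to the real layout. Recipes need real tabs.

RULES         ?= rules.v4
BOOT_RULES    ?= /etc/iptables/rules.v4
BACKUP        ?= /run/iptables-last-good.v4
TIMER_PID     ?= /run/iptables-rollback.pid
ROLLBACK_SECS ?= 300

.PHONY: all sync test apply rollback arm-timer disarm-timer

# Bare `make` is `make sync test`: pull, then load with the safety net armed.
all: sync test

sync:
	git pull --ff-only

# Load the pulled rules into the kernel without touching BOOT_RULES.
# Order matters: parse the file first (a typo must not abort us after the
# snapshot step), snapshot the running rules (all tables), load, arm timer.
test:
	sudo iptables-restore --test < $(RULES)
	sudo sh -c 'iptables-save > $(BACKUP)'
	sudo iptables-restore < $(RULES)
	$(MAKE) --no-print-directory arm-timer
	@echo "Loaded $(RULES). Run 'make apply' within $(ROLLBACK_SECS)s or the previous rules come back."

# Keep what is running: disarm the timer and make the file the boot config.
apply: disarm-timer
	sudo install -m 0644 $(RULES) $(BOOT_RULES)

# Manual escape hatch from a still-working session: back to the snapshot now.
rollback: disarm-timer
	sudo iptables-restore < $(BACKUP)

# The timer is a detached subshell: setsid gives it its own session, so it
# survives the SSH session being cut off by the very rules it guards against.
# Its PID is recorded so `apply` can kill it before the sleep ends, in which
# case the restore never runs.
arm-timer: disarm-timer
	@sudo sh -c 'setsid sh -c "sleep $(ROLLBACK_SECS); iptables-restore < $(BACKUP); rm -f $(TIMER_PID)" </dev/null >/dev/null 2>&1 & echo $$! > $(TIMER_PID)'

disarm-timer:
	@sudo sh -c 'if [ -f $(TIMER_PID) ]; then kill $$(cat $(TIMER_PID)) 2>/dev/null; rm -f $(TIMER_PID); fi'
```

The intended use is `make test`, then confirm from a fresh connection (not the one you are already holding open, since established flows may survive a rule change that blocks new ones) that you can still reach Ziltoid and the hosts behind it, then `make apply`. `iptables-restore --test` only catches files that do not parse; the timer is what saves you from a rule set that parses fine and drops your SSH. This only handles IPv4; rules.v6 needs the same treatment with `ip6tables-save` and `ip6tables-restore`.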