Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lokinet Only Firewall (Add Documentation) if possible #2152

Open
ghost opened this issue Apr 1, 2023 · 11 comments
Open

Lokinet Only Firewall (Add Documentation) if possible #2152

ghost opened this issue Apr 1, 2023 · 11 comments
Labels
community-supported documentation related to documentation duplicate This issue or pull request already exists question Further information is requested vpn mode relating to running lokinet in vpn mode

Comments

@ghost
Copy link

ghost commented Apr 1, 2023

Add Documentation
To firewall system to have Lokinet only traffic similar to a VPN or Tor only Firewall rules to prevent leaks. Also if its possible add documentation on how set system environment to go through Loki and config wget and curl to use lokinet only.

Device and Operating system:

  • OS: Linux

P.S. - Will the RESTRICT Act if passed effect projects like Lokinet?

@ghost ghost added the bug Something isn't working label Apr 1, 2023
@majestrate
Copy link
Contributor

majestrate commented Apr 1, 2023

see #2140 on the topic of improvements i want to do.

on the topic of that law, the technical details of lokinet or any other software are irrelevant as the usa federal government asserts they are competent enough to decide whether or not anyone is applicable to it. with the status quo in the usa, they decide who to smack down, who is guilty and who is exempt. everyone else's opinions are irrelevant as the blunt object they are building is too easy to use to smack everything that dares move with great prejudice. it is a sign of an irrefutably broken political leadership when they submit these "just do something" bills. if they really want to "just do something" the first item of the something they should try is jumping off a cliff. you should consider actively vocally shunning and publicly shaming any entity who entertains such legislation regardless of their political affinity or public office. i am not a fan of idiot politicians and thier pet NGOs. but i digress such discussion is out of scope of this issue tracker.

@majestrate majestrate added duplicate This issue or pull request already exists question Further information is requested community-supported documentation related to documentation and removed bug Something isn't working labels Apr 1, 2023
@hashmap0x01
Copy link

To configure your firewall system to allow only Lokinet traffic, you can use the following firewall rules:

Allow traffic on port 1194/udp: Lokinet uses port 1194/udp to communicate with other nodes in the network. You should allow traffic on this port.

Block all other traffic: To prevent leaks, you should block all other traffic. This will ensure that only Lokinet traffic is allowed through the firewall.

Here is an example of how to implement these rules using iptables:

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -j DROP

To configure your system environment to go through Lokinet, you can set the http_proxy and https_proxy environment variables to point to your Lokinet SOCKS proxy. Here is an example:

export http_proxy=socks5://127.0.0.1:1090
export https_proxy=socks5://127.0.0.1:1090

To configure wget and curl to use Lokinet only, you can use the --socks5 option to specify the Lokinet SOCKS proxy. Here are some examples:

wget --socks5 127.0.0.1:1090 http://example.com
curl --socks5 127.0.0.1:1090 http://example.com

Note that you will need to have Lokinet running and listening on port 1090 for these commands to work.

@majestrate
Copy link
Contributor

majestrate commented Apr 2, 2023

lokinet does not use udp/1194 for all wire proto traffic. it can be any udp port on the service node that they use.

you should pin the outbound udp port you use locally instead and firewall based on that.

@ghost
Copy link
Author

ghost commented Apr 3, 2023

but i digress such discussion is out of scope of this issue tracker.

@majestrate I agree with your response about the RESTRICT Act. Just worried about future for certain projects if passed.

@hashmap0x012
Great what about this for SSH:

export SOCKS_SERVER="127.0.0.1:1090"
export SOCKS5_SERVER="127.0.0.1:1090"

Then setting in wget /usr/bin/wget:

set http_proxy=socks5://127.0.0.1:1090
set HTTP_PROXY=socks5://127.0.0.1:1090
set https_proxy=socks5://127.0.0.1:1090
set HTTPS_PROXY=socks5://127.0.0.1:1090

or this:

exec /usr/lib/wget/wget --proxy "socks5://127.0.0.1:1090" --passive-ftp "$@"

and then curl
touch ~/.curlrc
add this line proxy=socks5://127.0.0.1:1090

or set an alias for curl in ~./bashrc
alias curl="curl --proxy 'socks5://127.0.0.1:1090'"

Would Stream isolation be possible with Lokinet? @majestrate

export SOCKS_SERVER="$$:[email protected]:1090"
export SOCKS5_SERVER="$$:[email protected]:1090"

or

export HTTP_PROXY="socks5://$$:[email protected]:1090"
export HTTPS_PROXY="socks5://$$:[email protected]:1090"

@majestrate
Copy link
Contributor

stream isolation should be in with #2119

@ghost
Copy link
Author

ghost commented Apr 3, 2023

stream isolation should be in with #2119

So no need to set in the /etc/environment to isolate?

@majestrate
Copy link
Contributor

majestrate commented Apr 4, 2023

isolation metric is ipv6 flow label. see the sysfs tunable for linux that controls how the kernel determines the defaults, sysctl net.ipv6.auto_flowlabels=3 or IPV6_FLOWINFO socket option from man 7 ip or your os's equiv

@majestrate
Copy link
Contributor

i'll review what we can do for windows next week.

@majestrate
Copy link
Contributor

note to self: we also need to do docs for win32 and macos on this front.

@majestrate
Copy link
Contributor

note: the proper term here isn't stream isolation, it's flow isolation since it's not done JUST on tcp, but on unicast ip flows.

@majestrate
Copy link
Contributor

majestrate commented Apr 8, 2023

To configure your firewall system to allow only Lokinet traffic, you can use the following firewall rules:

Allow traffic on port 1194/udp: Lokinet uses port 1194/udp to communicate with other nodes in the network. You should allow traffic on this port.

Block all other traffic: To prevent leaks, you should block all other traffic. This will ensure that only Lokinet traffic is allowed through the firewall.

Here is an example of how to implement these rules using iptables:

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -j DROP

To configure your system environment to go through Lokinet, you can set the http_proxy and https_proxy environment variables to point to your Lokinet SOCKS proxy. Here is an example:

export http_proxy=socks5://127.0.0.1:1090
export https_proxy=socks5://127.0.0.1:1090

To configure wget and curl to use Lokinet only, you can use the --socks5 option to specify the Lokinet SOCKS proxy. Here are some examples:

wget --socks5 127.0.0.1:1090 http://example.com
curl --socks5 127.0.0.1:1090 http://example.com

Note that you will need to have Lokinet running and listening on port 1090 for these commands to work.

this is not correct. if you want to do this with a firewall, you'll want to pin your outbound udp port that lokinet uses, replace N with your non zero port.

[bind]
outbound=0.0.0.0:N

then you'll want to do a rule that allows udp on that source port, where $lokinet_udp is N and $outif is the network interface you use to connect to the internet.

iptables -A OUTPUT -p udp --sport $lokinet_udp -j ACCEPT -i $outif
iptables -A INPUT -p udp --sport $lokinet_udp -j ACCEPT -o $outif

then the remaining firewall rules you care for go here.

@majestrate majestrate added the vpn mode relating to running lokinet in vpn mode label May 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
community-supported documentation related to documentation duplicate This issue or pull request already exists question Further information is requested vpn mode relating to running lokinet in vpn mode
Projects
None yet
Development

No branches or pull requests

2 participants