Should I learn iptables or is it more sane to use a front end like ufw?
I have an RPI with dual Ethernet between my modem and consumer router so I don’t have to depend on the obsolete and limited consumer router software. I’m using OpenWRT at the moment but curious if you have other recommendations. I like the Luci gui so if I switched to headless Debian or something then I’d still want a luci equivalent.
I’m self hosting with docker and I want to set up a wireguard vpn container that joins a network with a select set of containers. So I’d have containers that are accessible only by actual LAN users and then others that are in this isolated group that only the VPN (i.e. WAN people) can access. I thought that’s what docker was all about! But by default it seems all authenticated VPN peers just get to be on the LAN. Sure, they can’t get at containers on a different docker bridge network, but they get to access the host itself! This is why I asked about iptables above, but it’s daunting. Any ideas on how to achieve “two levels of trust” for self hosted services?
I’m hoping that not all of that is running on a single pi. I mean, it can, but you might hit limitations when everything is engaged with doing things. I just feel like, that’s a lot for one raspberry Pi…
Anyways, iptables are good to have a general grasp of, but they’re generally GNU/Linux specific. There’s other routing implementations that run on Linux, and hardware appliances generally have their own bespoke, vendor specific stuff. One project I’m aware of is free range routing. There’s a lot more, but this is one that I know of. Using FRR, vs iptables, they’re very different beasts. But you shouldn’t need FRR, it’s a monster in terms of memory use and designed to operate in ISP class networks. You don’t need it. I’m just using it as an example of what is out there.
The best advice I can give about this is that learning the concepts behind routing is more valuable than any specific product. Knowing the difference between an RIB and FIB, and how to structure routes, priorities, costs, etc… All very important. Can you learn that with iptables? Sure, and probably more, since iptables can also function as a low end firewall.
The important thing is that you learn the meaning behind what you’re doing in whatever routing platform you are working with.
I’ve worked with so many different ways of handling routing and firewall work that I get annoyed when vendors come up with dumb marketing terms that leak into the device user interface, for a very common routing, firewall, or VPN technology. I don’t care whether I’m on a router or firewall that’s custom and running open WRT, ddwrt, opnsense, or one from Cisco, Sonic wall, watchguard, Fortinet, Palo Alto, or any of the dozens of other vendors. A VPN is a VPN. IKE and IPsec don’t change because it’s vendor x or y. Don’t start calling the IKE identifier something else.
… Sorry, rant.
Anyways, I don’t really see the vendor’s interface as anything more than a code I have to convert into the industry standard protocol information that everyone uses. It’s a filter by which that vendor portrays the same options that everything else has. Some have quirks. Some are more straight forward. But they all have the same options in the end. Allow the traffic or don’t, do it by port and protocol or by IP. Apply content filters or don’t, use Ethernet, DHCP, pppoe, or something else like ATM or ipx/SPX for signaling. Who cares.
If you understand the concepts, the skills are transferable, no matter what platform you end up using, you’ll know what needs to be done, you’ll just be stuck figuring out how you do it on this platform.
Yay!
Should I learn iptables or is it more sane to use a front end like ufw?
I have an RPI with dual Ethernet between my modem and consumer router so I don’t have to depend on the obsolete and limited consumer router software. I’m using OpenWRT at the moment but curious if you have other recommendations. I like the Luci gui so if I switched to headless Debian or something then I’d still want a luci equivalent.
I’m self hosting with docker and I want to set up a wireguard vpn container that joins a network with a select set of containers. So I’d have containers that are accessible only by actual LAN users and then others that are in this isolated group that only the VPN (i.e. WAN people) can access. I thought that’s what docker was all about! But by default it seems all authenticated VPN peers just get to be on the LAN. Sure, they can’t get at containers on a different docker bridge network, but they get to access the host itself! This is why I asked about iptables above, but it’s daunting. Any ideas on how to achieve “two levels of trust” for self hosted services?
Sorry this took me a bit to get to. Hello!
I’m hoping that not all of that is running on a single pi. I mean, it can, but you might hit limitations when everything is engaged with doing things. I just feel like, that’s a lot for one raspberry Pi…
Anyways, iptables are good to have a general grasp of, but they’re generally GNU/Linux specific. There’s other routing implementations that run on Linux, and hardware appliances generally have their own bespoke, vendor specific stuff. One project I’m aware of is free range routing. There’s a lot more, but this is one that I know of. Using FRR, vs iptables, they’re very different beasts. But you shouldn’t need FRR, it’s a monster in terms of memory use and designed to operate in ISP class networks. You don’t need it. I’m just using it as an example of what is out there.
The best advice I can give about this is that learning the concepts behind routing is more valuable than any specific product. Knowing the difference between an RIB and FIB, and how to structure routes, priorities, costs, etc… All very important. Can you learn that with iptables? Sure, and probably more, since iptables can also function as a low end firewall.
The important thing is that you learn the meaning behind what you’re doing in whatever routing platform you are working with.
I’ve worked with so many different ways of handling routing and firewall work that I get annoyed when vendors come up with dumb marketing terms that leak into the device user interface, for a very common routing, firewall, or VPN technology. I don’t care whether I’m on a router or firewall that’s custom and running open WRT, ddwrt, opnsense, or one from Cisco, Sonic wall, watchguard, Fortinet, Palo Alto, or any of the dozens of other vendors. A VPN is a VPN. IKE and IPsec don’t change because it’s vendor x or y. Don’t start calling the IKE identifier something else.
… Sorry, rant.
Anyways, I don’t really see the vendor’s interface as anything more than a code I have to convert into the industry standard protocol information that everyone uses. It’s a filter by which that vendor portrays the same options that everything else has. Some have quirks. Some are more straight forward. But they all have the same options in the end. Allow the traffic or don’t, do it by port and protocol or by IP. Apply content filters or don’t, use Ethernet, DHCP, pppoe, or something else like ATM or ipx/SPX for signaling. Who cares.
If you understand the concepts, the skills are transferable, no matter what platform you end up using, you’ll know what needs to be done, you’ll just be stuck figuring out how you do it on this platform.