oxen-io / lokinet

Lokinet is an anonymous, decentralized and IP based overlay network for the internet.
https://lokinet.org/
GNU General Public License v3.0

Lokinet Only Firewall (Add Documentation) if possible #2152

Open ghost opened 1 year ago

ghost commented 1 year ago

Add documentation to the firewall system to allow Lokinet-only traffic, similar to VPN-only or Tor-only firewall rules, to prevent leaks. Also, if it's possible, add documentation on how to set the system environment to go through Loki and configure wget and curl to use Lokinet only.

Device and Operating system:

P.S. - Will the RESTRICT Act, if passed, affect projects like Lokinet?

majestrate commented 1 year ago

see #2140 on the topic of improvements i want to do.

on the topic of that law, the technical details of lokinet or any other software are irrelevant as the usa federal government asserts they are competent enough to decide whether or not anyone is applicable to it. with the status quo in the usa, they decide who to smack down, who is guilty and who is exempt. everyone else's opinions are irrelevant as the blunt object they are building is too easy to use to smack everything that dares move with great prejudice. it is a sign of an irrefutably broken political leadership when they submit these "just do something" bills. if they really want to "just do something" the first item of the something they should try is jumping off a cliff. you should consider actively vocally shunning and publicly shaming any entity who entertains such legislation regardless of their political affinity or public office. i am not a fan of idiot politicians and their pet NGOs. but i digress such discussion is out of scope of this issue tracker.

hashmap0x01 commented 1 year ago

To configure your firewall system to allow only Lokinet traffic, you can use the following firewall rules:

Allow traffic on port 1194/udp: Lokinet uses port 1194/udp to communicate with other nodes in the network. You should allow traffic on this port.

Block all other traffic: To prevent leaks, you should block all other traffic. This will ensure that only Lokinet traffic is allowed through the firewall.

Here is an example of how to implement these rules using iptables:

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -j DROP

To configure your system environment to go through Lokinet, you can set the http_proxy and https_proxy environment variables to point to your Lokinet SOCKS proxy. Here is an example:

export http_proxy=socks5://127.0.0.1:1090
export https_proxy=socks5://127.0.0.1:1090

To configure wget and curl to use Lokinet only, you can use the --socks5 option to specify the Lokinet SOCKS proxy. Here are some examples:

wget --socks5 127.0.0.1:1090 http://example.com
curl --socks5 127.0.0.1:1090 http://example.com

Note that you will need to have Lokinet running and listening on port 1090 for these commands to work.

majestrate commented 1 year ago

lokinet does not use udp/1194 for all wire proto traffic. it can be any udp port on the service node that they use.

you should pin the outbound udp port you use locally instead and firewall based on that.

ghost commented 1 year ago

> but i digress such discussion is out of scope of this issue tracker.

@majestrate I agree with your response about the RESTRICT Act. Just worried about future for certain projects if passed.

@hashmap0x01 Great, what about this for SSH:

export SOCKS_SERVER="127.0.0.1:1090"
export SOCKS5_SERVER="127.0.0.1:1090"

Then setting in wget /usr/bin/wget:

set http_proxy=socks5://127.0.0.1:1090
set HTTP_PROXY=socks5://127.0.0.1:1090
set https_proxy=socks5://127.0.0.1:1090
set HTTPS_PROXY=socks5://127.0.0.1:1090

or this:

exec /usr/lib/wget/wget --proxy "socks5://127.0.0.1:1090" --passive-ftp "$@"

and then for curl, touch ~/.curlrc and add this line: proxy=socks5://127.0.0.1:1090

or set an alias for curl in ~/.bashrc: alias curl="curl --proxy 'socks5://127.0.0.1:1090'"

Would Stream isolation be possible with Lokinet? @majestrate

export SOCKS_SERVER="$$:$$@127.0.0.1:1090"
export SOCKS5_SERVER="$$:$$@127.0.0.1:1090"

or

export HTTP_PROXY="socks5://$$:$$@127.0.0.1:1090"
export HTTPS_PROXY="socks5://$$:$$@127.0.0.1:1090"

majestrate commented 1 year ago

stream isolation should be in with #2119

ghost commented 1 year ago

> stream isolation should be in with #2119

So no need to set in the /etc/environment to isolate?

majestrate commented 1 year ago

isolation metric is ipv6 flow label. see the sysfs tunable for linux that controls how the kernel determines the defaults, sysctl net.ipv6.auto_flowlabels=3 or IPV6_FLOWINFO socket option from man 7 ip or your os's equiv

majestrate commented 1 year ago

i'll review what we can do for windows next week.

majestrate commented 1 year ago

note to self: we also need to do docs for win32 and macos on this front.

majestrate commented 1 year ago

note: the proper term here isn't stream isolation, it's flow isolation since it's not done JUST on tcp, but on unicast ip flows.

majestrate commented 1 year ago

> To configure your firewall system to allow only Lokinet traffic, you can use the following firewall rules:
>
> Allow traffic on port 1194/udp: Lokinet uses port 1194/udp to communicate with other nodes in the network. You should allow traffic on this port.
>
> Block all other traffic: To prevent leaks, you should block all other traffic. This will ensure that only Lokinet traffic is allowed through the firewall.
>
> Here is an example of how to implement these rules using iptables:
>
> iptables -A INPUT -p udp --dport 1194 -j ACCEPT
> iptables -A INPUT -j DROP
>
> To configure your system environment to go through Lokinet, you can set the http_proxy and https_proxy environment variables to point to your Lokinet SOCKS proxy. Here is an example:
>
> export http_proxy=socks5://127.0.0.1:1090
> export https_proxy=socks5://127.0.0.1:1090
>
> To configure wget and curl to use Lokinet only, you can use the --socks5 option to specify the Lokinet SOCKS proxy. Here are some examples:
>
> wget --socks5 127.0.0.1:1090 http://example.com
> curl --socks5 127.0.0.1:1090 http://example.com
>
> Note that you will need to have Lokinet running and listening on port 1090 for these commands to work.

this is not correct. if you want to do this with a firewall, you'll want to pin your outbound udp port that lokinet uses, replace N with your non-zero port.

[bind]
outbound=0.0.0.0:N

then you'll want to do a rule that allows udp on that source port, where $lokinet_udp is N and $outif is the network interface you use to connect to the internet.

# outgoing wire traffic leaves $outif from the pinned local port (-o selects the output interface)
iptables -A OUTPUT -o $outif -p udp --sport $lokinet_udp -j ACCEPT
# replies arrive on $outif addressed to the pinned local port (-i selects the input interface)
iptables -A INPUT -i $outif -p udp --dport $lokinet_udp -j ACCEPT

then the remaining firewall rules you care for go here.
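A complete version of the approach described above, as an added example that is not part of the lokinet project or of any comment in this thread: a small POSIX sh script that validates the pinned port, emits the `[bind]` stanza, and prints a full iptables ruleset that allows only loopback, traffic over lokinet's own virtual interface, and UDP from/to the pinned port on the uplink, with a default drop (plus a logged reject on egress so leaks by misconfigured applications show up in the kernel log). The interface names `eth0` and `lokitun0` used in the usage line are placeholders; the interface lokinet creates on your system and your uplink name must be substituted. The script only prints the rules for review; it does not apply them.

```shell
#!/bin/sh
# Added example, not project code. Generates a "Lokinet-only" firewall
# ruleset from a pinned outbound UDP port, per majestrate's comment above.
# Usage: sh lokinet-fw.sh <udp_port> <uplink_iface> <lokinet_iface> > rules.sh
# Interface names are placeholders you must adapt; nothing here applies rules.

# Return 0 if $1 is a decimal port in 1..65535 (lokinet requires non-zero).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the lokinet [bind] stanza that pins the outbound UDP socket to port $1.
bind_stanza() {
    printf '[bind]\noutbound=0.0.0.0:%s\n' "$1"
}

# Print iptables commands allowing only:
#  - loopback (lokinet's local SOCKS/DNS endpoints live here),
#  - anything on lokinet's own virtual interface $3 (app traffic into lokinet),
#  - UDP leaving the uplink $2 from the pinned source port $1, and
#    established UDP replies back to that port,
# with default DROP policies and a logged REJECT for any other egress.
gen_rules() {
    port=$1; outif=$2; tunif=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    [ -n "$outif" ] && [ -n "$tunif" ] || { echo "missing interface" >&2; return 1; }
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i $tunif -j ACCEPT
iptables -A OUTPUT -o $tunif -j ACCEPT
iptables -A OUTPUT -o $outif -p udp --sport $port -j ACCEPT
iptables -A INPUT  -i $outif -p udp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "lokinet-leak: " --log-uid
iptables -A OUTPUT -j REJECT
EOF
}

# Stand-alone usage: emit the bind stanza, then the ruleset.
if [ -n "${1:-}" ] && [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
    bind_stanza "$1"
    echo
    gen_rules "$1" "$2" "$3"
fi
```

The LOG rule records the UID of the process whose packet was rejected, which is the quickest way to find the application that is not honouring the proxy settings discussed earlier in the thread. An IPv6 host needs the same rules under ip6tables; the script deliberately leaves that to the reader since the pinned `0.0.0.0` bind is IPv4 only.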