So I got the job. Here's a story, never let anyone stop you from accomplishing your dreams!

It all started in 2010. Windows just crashed unrecoverably for the 3rd time in two years. Back then I wasn't good with computers yet so we got our tech guy to look at it and he said: "either pay for a windows license again (we nearly spend 1K on licenses already) or try another operating system which is free: Ubuntu. If you don't like it anyways, we can always switch back to Windows!"

Oh well, fair enough, not much to lose, right! So we went with Ubuntu. Within about 2 hours I could find everything. From the software installer to OpenOffice, browsers, email things and so on. Also I already got the basics of the Linux terminal (bash in this case) like ls, cd, mkdir and a few more.

My parents found it very easy to work with as well so we decided to stick with it.

I already started to experiment with some html/css code because the thought of being able to write my own websites was awesome! Within about a week or so I figured out a simple html site.

Then I started to experiment more and more.

After about a year of trial and error (repeat about 1000+ times) I finally got my first Apache server setup on a VirtualBox running Ubuntu server. Damn, it felt awesome to see my own shit working!

From that moment on I continued to try everything I could with Linux because I found the principle that I basically could do everything I wanted (possible with software solutions) without any limitations (like with Windows/Mac) very fucking awesome. I owned the fucking system.

Then, after some years, I got my first shared hosting plan! It was awesome to see my own (with subdomain) website online, functioning very well!

I started to learn stuff like FTP, SSH and so on.

Went on with trial and error for a while and then the thought occured to me: what if I'd have a little server ONLINE which I could use myself to experiment around?

First rented VPS was there! Couldn't get enough of it and kept experimenting with server thingies, linux in general aaand so on.

Started learning about rsa key based login, firewalls (iptables), brute force prevention (fail2ban), vhosts (apache2 still), SSL (damn this was an interesting one, how the fuck do you do this yourself?!), PHP and many other things.

Then, after a while, the thought came to mind: what if I'd have a dedicated server!?!?!?!

I ordered my first fucking dedicated server. Damn, this was awesome! Already knew some stuff about defending myself from brute force bots and so on so it went pretty well.

Finally made the jump to NginX and CentOS!

Made multiple VPS's for shitloads of purposes and just to learn. Started working with reverse proxies (nginx), proxy servers, SSL for everything (because fuck basic http WITHOUT SSL), vhosts and so on.

Started with simple, one screen linux setup with ubuntu 10.04.

Running a five monitor setup now with many distro's, running about 20 servers with proxies/nginx/apache2/multiple db engines, as much security as I can integrate and this fucking passion just got me my first Linux job!

It's not just an operating system for me, it's a way of life. And with that I don't just mean the operating system, but also the idea behind it :).

My mentor/guider at my last internship.

He was great at guiding, only 1-2 years older than me, brought criticism in a constructive way (only had a very tiny thing once in half a year though) and although they were forced to use windows in a few production environments, when it came to handling very sensitive data and they asked me for an opinion before him and I answered that closed source software wasn't a good idea and they'd all go against me, this guy quit his nice-guy mode and went straight to dead-serious backing me up.
I remember a specific occurrence:
Programmers in room (under him technically): so linuxxx, why not just use windows servers for this data storage?
Me: because it's closed source, you know why I'd say that that's bad for handling sensitive data
Programmers: oh come on not that again...
Me: no but really look at it from my si.....
Programmers: no stop it. You're only an intern, don't act like you know a lot about thi....
Mentor: no you shut the fuck up. We. Are. Not. Using. Proprietary. Bullshit. For. Storing. Sensitive. Data.
Linuxxx seems to know a lot more about security and privacy than you guys so you fucking listen to what he has to say.
Windows is out of the fucking question here, am I clear?

Yeah that felt awesome.

Also that time when a mysql db in prod went bad and they didn't really know what to do. Didn't have much experience but knew how to run a repair.
He called me in and asked me to have a look.
Me: *fixed it in a few minutes* so how many visitors does this thing get, few hundred a day?
Him: few million.
Me: 😵 I'm only an intern! Why did you let me access this?!
Him: because you're the one with the most Linux knowledge here and I trust you to fix it or give a shout when you simply can't.

Lastly he asked me to help out with iptables rules. I wasn't of much help but it was fun to sit there debugging iptables shit with two seniors 😊

He always gave good feedback, knew my qualities and put them to good use and kept my motivation high.

Awesome guy!

Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

So that high level prank from yesterday.

Senior Linux engineer, the fucker.

He somehow installed shitloads of cron jobs onto my system.

Every few minutes it would create a new user with a freaking complicated password. Then it would install openssh server in case it wasn't installed yet. After that it'd set all iptables rules to allow incoming AND outgoing connections on port 22.

That was one badass ansible script though!

I'm not sure what more there's to it because sometimes when i removed crons, they'd magically appear again later AND i forgot to check the boot scripts so i might be fucked again when I get to work today!

Plus side, i finally fully understand cron 😅

Funny story about the first time two of my servers got hacked. The fun part is how I noticed it.
So I purchased two new vps's for proxy server goals and thought like 'I can setup fail2ban tomorrow, I'll be fine.'

Next day I wanted to install NginX so I ran the command and it said that port 80 was already in use!

I was sitting there like no that's not possible I didn't install any server software yet. So I thought 'this can't be possible' but I ran 'pidof apache2' just to confirm. It actually returned a PID! It was a barebones Debian install so I was sure it was not installed yet by ME. Checked the auth logs and noticed that an IP address had done a huge brute force attack and managed to gain root access. Simply reinstalled debian and I put fail2ban on it RIGHT AWAY.

Checked about two seconds later if anyone tried to login again (iptables -L and keep in mind that fail2ban's default config needs six failed attempts within I think five minutes to ban an ip) and I already saw that around 8-10 addresses were banned.

Was pretty shaken up but damn I learned my lesson!

I have just concluded a post-mortem on one of my servers.
Cause of death: out of memory due to a tiny memory leak in a VPN service triggered by 66 different IPs brute-forcing the creds at the same time. Mostly from China, of course.

Dear bot writers: you made me put aside my spaghetti and write iptables rules. I hate iptables. And I love spaghetti. You should be ashamed of yourself! Did momma not teach you basic OpSec? Don't crash the target and never, ever, interrupt the sysadmin during dinner!

And BAM. Wrote a quick'n dirty little php script which works with loads of shell_exec calls to block all ip addresses belonging to an ASN number.

For example: If I get Facebook's ASN number and use it as parameter for this script with a custom name (for the iptables chain), the script creates a chain called the custom name, adds all ip addresses/ranges it got from the whois lookup (on the ASN number) with DROP to iptables and then it adds that chain to the INPUT and OUTPUT chains.

I've done some tests and can indeed genuinely not reach Facebook at all anymore, Microsoft is entirely blocked out as well already 💜

Security tips guys :
use iptables -A INPUT -j DROP to secure your servers.
NO ONE can access your servers now... NO ONE...

The perks of learning iptables through practice:

Suddenly losing Internet connection on le entire computer and then realizing that you added a DROP EVERYTHING on the input chain through a referenced chain 😅

Setup my port honeypot today finally, including port 22, then wrote a custom dashboard for some data tracking, feels great to have it open on my screen seeing the bans just roll in every 2 seconds of refresh, the highest hits are as expected from china, russia and india, also filed ~700 reports and already got 300 banned from their service. (mainly Microsoft Azure for whatever reason)

I wanted to first automate that (or atleast blacklist report to various IP lists via API), but then I was afraid that I'll be one day stupid enough to somehow get banned - don't want myself to get reported lol

So my previous alma mater's IT servers are really hacked easily. They run mostly in Microsoft Windows Server and Active Directory and only the gateway runs in Linux. When I checked the stationed IT's computer he was having problems which I think was another intrusion.

I asked the guy if I can get root access on the Gateway server. He was hesitant at first but I told him I worked with a local Linux server before. He jested, sent me to the server room with his supervision. He gave me the credentials and told me "10 minutes".

What I did?

I just installed fail2ban, iptables, and basically blocked those IP ranges used by the attacker. The attack quickly subsided.

Later we found out it was a local attack and the attacker was brute forcing the SSH port. We triaged it to one kid in the lobby who was doing the brute forcing connected in the lobby WiFi. Turns out he was a script kiddie and has no knowledge I was tracking his attacks via fail2ban logs.

Moral of lesson: make sure your IT secures everything in place.

Holy shit my server survived a DNS amplification attack!

I thought my iptables rules were not very effective, since I kept seeing 1-2 ANY requests getting through my pihole (only to be ignored by the upstream cloudflare server).
Turns out, they never actually *kicked in*, until now.

The craziest part is that one ip belongs to the Ministry of a country!! :O

Eat that, motherfuckers! God I love it when this shit actually works!

TLDR: Small family owned finance business woes as the “you-do-everything-now” network/sysadmin intern

Friday my boss, who is currently traveling in Vegas (hmmm), sends me an email asking me to punch a hole in our firewall so he can access our locally hosted Jira server that we use for time logging/task management.

Because of our lack of proper documentation I have to refer to my half completed network map and rely on some acrobatic cable tracing to discover that we use a SonicWall physical firewall. I then realize asking around that I don’t have access to the management interface because no one knows the password.

Using some lucky guesses and documentation I discover on a file share from four years ago, I piece together the username and password to log in only to discover that the enterprise support subscription is two years expired. The pretty and useful interface that I’m expecting has been deactivated and instead of a nice overview of firewall access rules the only thing I can access is an arcane table of network rules using abbreviated notation and five year old custom made objects representing our internal network.

An hour and a half later I have a solid understanding of SonicWallOS, its firewall rules, and our particular configuration and I’m able to direct external traffic from the right port to our internal server running Jira. I even configure a HIDS on the Jira server and throw up an iptables firewall quickly since the machine is now connected to the outside world.

After seeing how many access rules our firewall has, as a precaution I decide to run a quick nmap scan to see what our network looks like to an attacker.

The output doesn’t stop scrolling for a minute. Final count we have 38 ports wide open with a GOLDMINE of information from every web, DNS, and public server flooding my terminal. Our local domain controller has ports directly connected to the Internet. Several un-updated Windows Server 2008 machines with confidential business information have IIS 7.0 running connected directly to the internet (versions with confirmed remote code execution vulnerabilities). I’ve got my work cut out for me.

It looks like someone’s idea of allowing remote access to the office at some point was “port forward everything” instead of setting up a VPN. I learn the owners close personal friend did all their IT until 4 years ago, when the professional documentation stops. He retired and they’ve only invested in low cost students (like me!) to fill the gap. Some kid who port forwarded his home router for League at some point was like “let’s do that with production servers!”

At this point my boss emails me to see what I’ve done. I spit him back a link to use our Jira server. He sends me a reply “You haven’t logged any work in Jira, what have you been doing?”

Facepalm.

Often I hear that one should block spam email based on content match rather than IP match. Sometimes even that blocking Chinese ranges in particular is prejudiced and racist. Allow me to debunk that after I've been looking at traffic on port 25 with tcpdump for several weeks now, and got rid of most of my incoming spam too.

There are these spamhausen that communicate with my mail server as much as every minute.
- biz-smtp.com
- mailing-expert.com
- smtp-shop.com

All of them are Chinese. They make up - rough guess - around 90% of the traffic that hits my edge nodes, if not more.

The network ranges I've blocked are apparently as follows:
- 193.106.175.0/24 (Russia)
- 49.64.0.0/11 (China)
- 181.39.88.172 (Ecuador)
- 188.130.160.216 (Russia)
- 106.75.144.0/20 (China)
- 183.227.0.0/16 (China)
- 106.75.32.0/19 (China)
.. apparently I blocked that one twice, heh
- 116.16.0.0/12 (China)
- 123.58.160.0/19 (China)

It's not all China but holy hell, a lot of spam sure comes from there, given how Golden Shield supposedly blocks internet access to the Chinese citizens. A friend of mine who lives in China (how he got past the firewall is beyond me, and he won't tell me either) told me that while incoming information is "regulated", they don't give half a shit about outgoing traffic to foreign countries. Hence all those shitty filter bag suppliers and whatnot. The Chinese government doesn't care.

So what is the alternative like, that would block based on content? Well there are a few solutions out there, namely SpamAssassin, ClamAV and Amavis among others. The problem is that they're all very memory intensive (especially compared to e.g. Postfix and Dovecot themselves) and that they must scan every email, and keep up with evasion techniques (such as putting the content in an image, or using characters from different character sets t̾h̾a̾t̾ ̾l̾o̾o̾k̾ ̾s̾i̾m̾i̾l̾a̾r̾).

But the thing is, all of that traffic comes from a certain few offending IP ranges, and an iptables rule that covers a whole range is very cheap. China (or any country for that matter) has too many IP ranges to block all of them. But the certain few offending IP ranges? I'll take a cheap IP-based filter over expensive content-based filters any day. And I don't want to be shamed for that.

//little Story of a sys admin

Wondered why a Server on my Linux Root couldn't build a network connection, even when it was running.

Checked iptables and saw, that the port of the Server was redirected to a different port.

I never added that rule to the firewall. Checked and a little script I used from someone else generated traffic for a mobile game.

OK beginn the DDoS Penetration. Over 10 Gbit/s on some small servers.

Checked Facebook and some idiot posted on my site:
Stop you little shithead or I will report you to the police!!!

Checked his profile page and he had a small shitty android game with a botnet.

Choose one:
1. let him be
2. Fuck him up for good

Lets Sudo with 2.

I scaled up my bandwith to 25 Gbit/s and found out that guys phone number.

Slowly started to eat away his bandwith for days. 3 days later his server was unreachable.

Then I masked my VoIP adress and called him:

Me: Hi, you know me?
He: No WTF! Why are you calling me.
Me: I love your're game a lot, I really love it.
He: What's wrong with you? Who are you?
Me: I'm teach
He: teach?
Me: Teach me lesson
He: Are you crazy I'm hanging up!
Me: I really love you're game. I even took away all your bandwith. Now you're servers are blocked, you're game banned on the store.
He: WHAT, WHAT? (hearing typing)

Me: Don't fuck with the wrong guys. I teached you a lesson, call me EL PENETRATO

He: FUCK Fuck Fuck you! Who are you???!!! I'm going to report you!
Me: How?
He: I got you're logs!
Me: Check it at Utrace...
He: Holy shit all around the world

Me: Lemme Smash Bitch
*hung up*

That's what I call a good documentation. Not boring to read!

Identified the origin of the DDoS attack. Apparently, the person was just hopping through 3 IPs so looked like a targeted attack likely from a competitor. I sent the logs with incident notification to the abuse@hostprovider.com to ask them to suspend them.

Got a prompt response but took them a week to suspend this.

We were a very small team and had to stop everything to fix this-iptables and firewall etc.

We had not even launched the product and was still under development.

## Building my own router

IT HAS ALREADY PAID OFF!!!!!

So I (with my fam) have evacuated from the capital of Lithuania into a distant place - much smaller, where average age is prolly >30 or even >40 years. I live in a village now. In a house with very good neighbours. In fact these neighbours own that house :D

Back to the point.

So these neighbours used to share their wifi (w/ internet) between the two houses. They have the line, the mian router has quite a strong antenna and that other house has 2 repeaters: 1 on the outside wall and another one -- indoors. Sepeaters are connected sequentially, i.e. the indoors one is repeating the outdoors one. ikr....?

The first day was alright. We settled in, got everything set up wifi-wise. Peachy.

The second day repeaters refused to issue a DHCP IP. That's something, right? Alright, nvm - I don't mind setting up static IPs. In fact I prefer them over the DHCP magic!

And by the noon both repeaters were connectable but neither of them could provide internet connection... We that sucks! I restarted both of them a few times, neighbours restarted their main router -- still no luck.

Here comes my router [God am I happy with this purchase and the whole idea of a customized router!!! Thanks @hakx20!].

I brought it outside, plugged it in. Connected to it through it's hotspot, used nmcli to connect to neighbours' main router with an internal wifi card (that shitty mPCIe operating in USB mode. yes, the same one, manufactured in 2003. Yes, in g mode.). A couple of iptables rules for traffic forwarding et voila! I have built my own repeater! And tomorrow I can WFH w/o any issues.

Yes, hardware routers are faster and easier to maintain. Yes, hardware routers are cheaper and usually have nicer bells and whistles. But when hardware fails you and the last thing you want is going to the public (shop), soldering rod won't help you. A software solution becomes the easiest to set up, considering you know how to.

Boi am I so happy about my purchase! CentOS router FTW!

P.S. even though we've fled the city we are responsible citizens and we've self-quarantined ourselves for the 14 days period. No local person any closer than 10 meters for the whole period until we're cleared. Being away from the city gives us sooo much freedom! Especialy now, when cities are shitting bricks in fear.

that awesome feeling when you run

iptables -F

and ssh just freezes.. And then you notice that last iptables -S printed: -P INPUT DROP

And it's someone else's server you have borrowed :D

+10 points to iptables
XD

GOD DAMN THE STUPID IPTABLES, aaaaah!

Today I learned that
iptables -I INPUT -i !lo -j DROP
and
iptables -I INPUT ! -i lo -j DROP

are two completely different rules, the first of which doesn't work (in ~99.9% of cases)

yet both pass and get added to the firewall. And both rules show exactly the same in the state listing (iptables -L -n -v).

And I was wondering why the hell the firewall wasn't working...

Betafence,

a firewall that never got into production.

/badumts

sometimes you just can't deal with that messy piece of shit iptables frontend

I just fucked myself big time with iptable rules and blocked all incoming connections to my WiFi-AP. No SSH, can't go back, time for a factory-reset...

I remember someday from a few years ago, because i just got off the phone with a customer calling me way too early! (meaning i still was in my pyjamas)

C:"Hey NNP, why si that software not available (He refers to fail2ban on his server)
Me: "It's there" (shows him terminal output)
C: " But i cannot invoke it, there is no fail2ban command! you're lieing"
Me: "well, try that sudoers command i gave you (basically it just tails all the possible log files in /var/log ) , do you see that last part with fail2ban on it?
C: "Yeah, but there is only a file descriptor! nothing is showing! It doesnt do anything.
Me: "That's actually good, it means that fail2ban does not detect any anomalies so it does not need to log it"
C:" How can you be sure!?"
Me: "Shut up and trust me, i am ROOT"

(Fail2ban is a software service that checks log files like your webserver or SSH to detect floods or brute force attempts, you set it up by defining some "jails" that monitor the things you wish to watch out for. A sane SSH jail is to listen to incoming connection attempts and after 5 or 10 attempts you block that user's IP address on firewall level. It uses IPtables. Can be used for several other web services like webservers to detect and act upon flooding attempts. It uses the logfiles of those services to analyze them and to take the appropriate action. One those jails are defined and the service is up, you should see as little log as possible for fail2ban.)

I deployed docker on a VPS a few weeks ago as a sort of learning experience since I haven't really worked with containers much before. Today I learned that docker doesn't like firewalls.

Or, to be more specific, it adds rules to iptables that are applied prior to ufw rules, allowing external connections that I really didn't want to allow. If I don't explicitly specify that a port is to be published only to localhost, then it punches a hole through my firewall without telling me.

Which means that all of my containers running behind an nginx reverse proxy that auto-redirects to HTTPS... were also accessible directly via HTTP.

I'm... trying to think of a reason why this kind of default behavior was a good idea, but I'm drawing a blank.

Fucking Docker.

IDK man, it took me a while to finally learn iptables and now switch to firewalld? Oh come on. It's not that I'm against learning new things, no. It's just that firewalld looks a bit.. crappy. If I get a server provisioned and run

firewall-cmd --add-port=53/udp --permanent
firewall-cmd --reload

and I get my ssh connection killed that's no good news, no sir! I mean come on, how can I rely on a tool this critical when a single line in its config file can make my machine inaccessible. Even better -- this config file is managed by that tool entirely!!! My commands passed all the tool's checks and they worked, but when I wanted to make those commands permanent and reload state from the config -- the tool starts spitting bile and blood and says "fuck off, it's my server now!"

IDK man.. It's just way too fishy. The good ol' iptables works very well and I'm kicking its retard younger brother out of the server.

shoosh you dirty pig firewalld, shoosh!

At this point of my side project I wanted to check out openresty for dynamic proxy creation in nginx.

Happy to check it out I installed centos 7 as guest using new command I just learned virt-builder that would automate vm creation.

Spend 10 hours debugging why I can ping and ssh but cannot get to application port from any network.

Checked iptables, restarted network, reinstalled vm again 3 times with different methods.
Scrolled trough whole internet and it’s mostly outdated problems.
Learned bunch of new commands without new results.

Results were always the same:
No route to host.

Turned out firewalld is fucking thing now.

systemctl firewalld stop helped

Now I know that systemd would kill me at some point for sure.

What I can add at this point ?

Please add more distros, differences, standards and programming languages so world definitely would be better place.
I need a short break now to actually start making shit that I wanted to start at 4-5pm on Saturday.
It’s Sunday 3:30am and time for breakfast.
At least I am happy it started working.

## Learning k8s

Sooo yeah, 2 days have been wasted only because I did not reset my cluster correctly the first time. Prolly some iptables rules were left that prevented me from using DNS. Nothing worked...

2 fucking days..

2 FUCKING DAYS!!! F!!!

Hi guys, i have a serious question

I have added port 22777 to UFW to allow ssh through that port then i notice that it wouldn't work, after some time wasting, i added the same rule to iptables, then it worked, why do I have to add the same rules here and there twice? Is Ufw just a decorative app? WTF is going on? How to get rid of iptables and use only ufw? why should i allow the port twice, I need your answers please

I think I am too stupid to get fail2ban working...
It's installed, configured, it reads from the logs, testcases work, regex works, manual banning works, BUT IT DOES NOT BAN AUTOMATICALLY!
WHY THE FUCK
I litterally tried every tutorial to set it up on the first 3 Pages of ddg.
Well now I blocked those two aggressive ips just with iptables...

## Learning k8s

Interesting. So sometimes k8s network goes down. Apparently it's a pitfall that has been logged with vendor but not yet fixed. If on either of the nodes networking service is restarted (i.e. you connect to VPN, plug in an USB wifi dongle, etc..) -- you will lose the flannel.1 interface. As a result you will NOT be able to use kube-dns (because it's unreachable) not will you access ClusterIPs on other nodes. Deleting flannel and allowing it to restart on control place brings it back to operational.

And yet another note.. If you're making a k8s cluster at home and you are planning to control it via your lappy -- DO NOT set up control plane on your lappy :) If you are away from home you'll have a hard time connecting back to your cluster.
A raspberry pi ir perfectly enough for a control place. And when you are away with your lappy, ssh'ing home and setting up a few iptables DNATs will do the trick

netikras@netikras-xps:~/skriptai/bin$ cat fw_kubeadm
#!/bin/bash

FW_LOCAL_IP=127.0.0.15
FW_PORT=6443
FW_PORT_INTERMED=16443
MASTER_IP=192.168.1.15
MASTER_USER=pi

FW_RULE="OUTPUT -d ${MASTER_IP} -p tcp -j DNAT --to-destination ${FW_LOCAL_IP}"

sudo iptables -t nat -A ${FW_RULE}

ssh home -p 4522 -l netikras -tt \
-L ${FW_LOCAL_IP}:${FW_PORT}:${FW_LOCAL_IP}:${FW_PORT_INTERMED} \
ssh ${MASTER_IP} -l ${MASTER_USER} -tt \
-L ${FW_LOCAL_IP}:${FW_PORT_INTERMED}:${FW_LOCAL_IP}:${FW_PORT} \
/bin/bash
# 'echo "Tunnel is open. Disconnect from this SSH session to close the tunnel and remove NAT rules" ; bash'

sudo iptables -t nat -D ${FW_RULE}

And ofc copy control plane's ~/.kube to your lappy :)

iptables -I INPUT -p tcp --dport 22 ! -s 192.168.1.0/24 -j RUSSIAN_WARSHIP_GO_F_URSELF

Is it weird that I am listening to Final Masquerade by LP while configuring iptables for NAT? :D

Firewall for Beginners:

iptables -t raw -A INPUT -j DROP

Goddammit,
today, my laptop crashed while shutting down.
I just switched it in again, and boom, Hostname-Resolution isn't working anymore.
I also already checked UFW, iptables and the hosts-file.
Guess I'll reinstall it tomorrow.

I just spent nearly 4 straight hours dealing with iptables and RancherOS. First the system resets got me, then the config format got me, then netmasks, then gateways, then iptables. Now I'm just relieved to have it all working and a bit happy I understand iptables much better.

So I'm trying to port forward my PS4. But the problem is, I'm on boingo wireless. You can't access router settings because of "security reasons". I do have Linux and wondering if there's a way to do it using the terminal. Maybe ssh? Already tried iptables, but also could have just done it wrong. I'm not sure how I could do this considering we're not supposed to be able to.

So today was going to be the Sunday when I finally connected my smart TV though my raspberry pi to access my network and have it connect to the internet.
My TV is 6 years old, so it doesn't have built in wireless, it does not recognize normal Wifi dongles so you have to buy a LG special one for ~120$ to get hat to work, so my previos solution: screw that, one chromecast + 1 osmc raspberry pi3 and I can do more than what the software build in the TV could do.

But my wife really wanted to be able to play netflix directly on the TV without using her phone so I thought:
If I connect my TV via LAN cable to my raspberry pi it should be able to forward traffic via the built in wireless on the raspberry and be able to have internet connection.
OK, its Sunday, my wife it out, I haven't done anything with iptables in the last 5+ years but I have google and should be able to figure it out eventually:) time to start this home improvement project!!!
OK, lets just check online if there is someone else who had similar idea as a place to start.
... quick google search:

Hmm, in your OSMC, go to teathering, "wifi to ethernet" and enable.
I try it and it works!
5 min and one short ethernet cable was all that were required.

It feels like I cheated and won the game without any effort, and what should I now do with the rest of the day?

iptables -L -n

Attempts against SSH

What did SSH ever do to you?

iptables is dark magic

P.S. I am lost in how to setup the needed things.

Question about linux iptables. I am currently blocking all access and whitelisting only when my users launch my software. When software is launched a socket client is also launched, it connects to socket server, identifies itself with a password and disconnects. If given password by socket client is correct, then socket server whitelists the users IP by executing the following command: " iptables -I INPUT -s userIP -j ACCEPT".

My problem is that now I have lots of duplicates of IP's whitelisted and as far as I've heard I should not go over 25k iptable rules.

So my question is how to check if ip is already whitelisted, in order to avoid duplicate iptable rules for for same IP?

Obvious solution would be to store whitelist somewhere (mysql/txt) and double check before whitelisting ip, but maybe there is an easier way to do this?

Need advice about protecting ddos via iptables and whitelisting. Currently I launched my gameserver and am fighting against a massive attack of botnets. Problem was solved by closing all ports on my gameserver linux machine and shipping game.exe with injected c++ socket client. So basically only gamers who launch my game exe are being added to firewall iptables via the socket client that is provided in the game exe. If some ddosers still manage to get inside and ddos then my protection is good enough to handle attacks from whitelisted ips from inside. Now I have another problem. Lots of players have problems and for some reason shipped c++ client fails to connect to my socketserver. Currently my solution was to provide support in all contact channels (facebook,skype,email) and add those peoples ips to whitelist manually. My best solution would be to make a button in website which you can click and your ip is whitelisted auromatically. However if it will be so easy then botnets can whitelist themselves as well. Can you advice me how I could handle whitelisting my players through web or some other exe in a way that it cant be replicated by botnets?

Does someone have an idea how to use synproxy and nat (dnat and snat) together on one machine? It's basically a router which should also act as a ddos filter, but when I install synproxy, the natting doesn't work anymore...
I can't really find something on the internet so help would be appreciated.

Thanks in advance