port-forwarding-or-tunneling-a-service.md

Port Forwarding or Tunneling a Service

This guide steps you through making a service reachable externally, either by port forwarding or by tunneling it.

Required Knowledge

external-access-to-systems.md

monitoring-and-alerting.md

authentication-access-and-accounts.md

Process

There are two options for making a service accessible externally: a Cloudflare Tunnel or a port forward.

Cloudflare Tunnel

Creating a 'public host'

  1. Log into Cloudflare's Zero Trust

  2. On the left, select Access > Tunnels

  3. Select the relevant tunnel and click on 'Configure'

  4. Click on the Public Hostname tab

  5. Click on 'Add Public Hostname' and input the relevant data, eg

    cool.xfgn.dev will proxy to http://coolserver:123

  6. Click on Save hostname

  7. Navigate to the URL and confirm it is working

Note: If the internal service is on HTTPS you may need to disable TLS verification for that hostname. With verification off, cloudflared still encrypts traffic to the origin but no longer checks the origin's certificate, so prefer installing a trusted certificate on the origin where that is practical.
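For reference, the same public hostname expressed as a locally managed cloudflared configuration (an added example, not part of this runbook or of the dashboard-managed tunnel it describes). The `cool.xfgn.dev` rule is the one from step 5; the `secure.xfgn.dev` hostname, the tunnel UUID and the credentials path are assumed placeholders, and the second rule shows where the TLS verification switch from the note above lives in config form:

```yaml
# cloudflared config.yml - added illustration, not the page's own configuration.
tunnel: <TUNNEL-UUID>                              # placeholder: the tunnel's ID
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # placeholder path

ingress:
  # Equivalent of the dashboard entry in step 5: cool.xfgn.dev -> http://coolserver:123
  - hostname: cool.xfgn.dev
    service: http://coolserver:123

  # Assumed HTTPS origin with a self-signed certificate. noTLSVerify skips the
  # origin certificate check; traffic is still TLS but the origin is unauthenticated.
  - hostname: secure.xfgn.dev
    service: https://coolserver:443
    originRequest:
      noTLSVerify: true

  # Catch-all: anything not matched above gets a 404 instead of being proxied.
  - service: http_status:404
```

The dashboard stores this configuration remotely, so nothing needs to be written to the server when following the steps above; the YAML is only the equivalent view of what 'Add Public Hostname' records.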

Adding Authentication

Authentication is applied as an 'Application' and allows you to limit services to specific users, IP addresses, countries, etc.

  1. Log into Cloudflare's Zero Trust
  2. On the left, select Access > Applications
  3. Click on 'Add an application' and select Self Hosted
  4. Configure the Application
    • Application Configuration block
      Input the name and URLs you wish to configure

      This application will secure cool.xfgn.dev, cooltest.xfgn.dev and test.xfgn.dev/cool (but test.xfgn.dev will not be secured)

    • Application Appearance block
      Select custom logo and provide a URL to an image, such as the logo of the app

    • Tags
      Apply any relevant tags, such as 'test', 'xfgn' etc

  5. Click on OK / Save / Next
  6. Create a policy using the information outlined in #cloudflare-authentication and hit OK / Save / Next
  7. Under the settings tab, tick 'Enable automatic cloudflared authentication'
  8. Click on OK / Save / Next

Port Forward

Enable Firewall

As port forwarding opens the server to direct access via the internet, we require the firewall to be enabled.

Ubuntu

  1. SSH into the server and run the commands below. Allow SSH before enabling the firewall so that your own session is not cut off

    ufw allow ssh   # permit SSH first so enabling ufw does not drop this session
    ufw enable

  2. Run the command below to list the ports currently listening on the server and note anything that needs to be allowed through. Pay attention to entries owned by 'docker', as these are containers running on the host (compare them against Portainer)

    lsof -i -P -n | grep LISTEN

  3. Use the command below to allow a port through the firewall

    ufw allow PORT

  4. Ensure that the CrowdSec firewall bouncer is enabled and configured
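Steps 2 and 3 are easy to get wrong by hand when a host has many listeners. The script below is an added example (not part of this runbook) that parses `lsof -i -P -n | grep LISTEN` output, drops loopback-only listeners that a port forward could never reach, de-duplicates the IPv4/IPv6 pairs, and prints candidate `ufw allow` lines with container-owned ports flagged for cross-checking against Portainer. The lsof sample embedded in it is constructed, not captured from a real server:

```sh
#!/bin/sh
# Added example: turn `lsof -i -P -n | grep LISTEN` output into candidate ufw rules.
# The sample below is constructed for illustration, not from a real host.
SAMPLE_LSOF='sshd        812     root    3u  IPv4  23456      0t0  TCP *:22 (LISTEN)
sshd        812     root    4u  IPv6  23457      0t0  TCP *:22 (LISTEN)
docker-pr  1501     root    4u  IPv4  30001      0t0  TCP *:9000 (LISTEN)
docker-pr  1502     root    4u  IPv4  30002      0t0  TCP *:32400 (LISTEN)
crowdsec   1300     root    7u  IPv4  28000      0t0  TCP *:8080 (LISTEN)
systemd-r   600 systemd-resolve 13u IPv4 19000 0t0 TCP 127.0.0.1:53 (LISTEN)'

# Read lsof LISTEN lines on stdin; print "COMMAND PORT", one per line, de-duplicated.
# Loopback-only listeners are dropped: they are unreachable from the internet
# regardless of the port forward, so they need no ufw rule.
listening_ports() {
  awk '/\(LISTEN\)/ {
    name = $(NF-1)                                # e.g. "*:22" or "127.0.0.1:53"
    if (name ~ /^(127\.0\.0\.1|\[::1\]):/) next   # loopback only, skip
    n = split(name, parts, ":")                   # the port is always the last field
    print $1, parts[n]
  }' | LC_ALL=C sort -u
}

# Turn the COMMAND PORT pairs into ufw commands, flagging container ports so the
# reader checks them against Portainer before allowing them through.
suggest_ufw_rules() {
  listening_ports | awk '{
    note = ($1 ~ /^docker/) ? "container - compare against Portainer" : $1
    printf "ufw allow %s  # %s\n", $2, note
  }'
}

# Stand-alone run against the constructed sample. On a real host use instead:
#   lsof -i -P -n | grep LISTEN | suggest_ufw_rules
printf '%s\n' "$SAMPLE_LSOF" | suggest_ufw_rules
```

The output is a review list, not something to pipe straight into `sh`: every suggested port should still be checked against what the service actually needs to expose, and anything only a specific client needs (such as the Wazuh API) is better limited to that client's IP with `ufw allow from ADDRESS to any port PORT`.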

Generic "allow list", applicable to all our servers

    ufw allow 8080 #crowdsec
    ufw allow ssh #allow SSH

Port Forward in UniFi

  1. Navigate to the UniFi site manager and select Rigatoni
  2. Click on the settings cog in the bottom left
  3. Select Security > Port Forwarding
  4. Click on Create Entry

Please ensure the port forward rule is named using the scheme below.

| Forwarding to | Purpose | Firewall Rule Name |
| --- | --- | --- |
| Lungo | API to allow remote devices to connect to Wazuh | Lungo - Wazuh API |
| Latte | Ports to make Plex available externally | Latte - Plex Ports |
| Espresso | Portainer Edge Agent connection to Portainer main instance | Espresso - Edge Agent |

Where possible, limit the 'From' IP to the relevant client (eg the VPS), though this isn't possible for most use cases (eg Plex, Pterodactyl game ports).