How to set up a simple Linux firewall
This is the third part of a two-part series. In the first part I described how to set up a remote Ethereum node. In the second part I went over setting up an SSH tunnel and using it to access your node with MetaMask. In this article I cover why a Linux firewall is important and describe how to set one up on your remote
A firewall is software (or a dedicated device) that filters network traffic to or from a computer according to a set of rules. At first, blocking traffic may seem counterproductive. But you can poke holes in your firewall to allow external entities to reach the machine on specific ports, and only those ports. What the heck is a port, though? From Wikipedia:
At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. Ports are identified for each protocol and address combination by 16-bit unsigned numbers, commonly known as the port number.
This means that each assigned port number has a specific meaning. There are two types of ports, TCP and UDP, but the difference between them is not pertinent to this article. You may already know that websites use TCP port 443 (and port 80 for unencrypted HTTP). SSH uses TCP port 22 by default. Ethereum clients use these specific ports:

30303/TCP: the network listening port
30303/UDP: the network discovery port
8545/TCP: the RPC port

Since we use an SSH tunnel to communicate with our remote node via RPC, we will not be opening port 8545 on our firewall. This prevents any external entity from making RPC calls to your node, which is what we want: an RPC port reachable from the internet lets strangers query your node and, depending on which APIs are enabled, control it. On the other hand, we will be opening port 22 so that our SSH tunnel will work.
There is a utility that ships with Ubuntu by default called the Uncomplicated Firewall (UFW). It is a front end to the kernel's packet filter, and it is ideal for securing your machine without having to know the gory details of iptables, filter tables, or rule chains. Firewalls are very complex things; having this tool to make them uncomplicated is quite a relief.
Back to the command line
As in previous articles we need to get ourselves to a command prompt. Go back to your Linode dashboard and make sure you're on the Linodes tab on the left. Click on the three dots to the right of the name you gave the VPS that's running geth. Choose Launch Console from the dropdown menu. Once the terminal window appears and you've logged back in, you're ready to start.
Becoming an enabler
The first thing you should do once you're sitting at a command line is enable UFW. Right away your computer is far more secure than it was a few seconds ago. One caveat: enabling the firewall before adding any rules is safe here because you are on the Linode console, not an SSH session. If you were connected over SSH, you would add the rule for port 22 (next section) before enabling, otherwise you would be unable to open any new SSH session once the current one dropped. Check the status to see what the firewall is doing. In the examples below I've included both the commands and their output for clarity.

$ sudo ufw enable
Started bpfilter
Firewall is active and enabled on system startup

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
As you can see from the output of the status command, UFW is denying all incoming network traffic by default and allowing all outgoing traffic. This may seem overly restrictive, but the firewall is stateful: replies to connections your machine started are still let in. For example, if you request a web page with your browser, the website has to send you the HTML for your browser to display, and that response is accepted because you initiated the connection. Likewise geth's outbound connections to peers keep working. So we're good; only connections that other machines try to open to us are blocked.
Allowing specific incoming traffic
As discussed earlier, geth uses specific ports in order to participate in the Ethereum network. Also, our SSH tunnel uses its own specific port. Type the following to allow SSH traffic through our firewall:

$ sudo ufw allow 22/tcp
Rule added
Rule added (v6)
The output indicates that the firewall has been configured properly, both for IPv4 and IPv6. If you don't know what those are, it's not important. Here's a short guide on the subject. Continue now to allow geth to communicate with the outside world.

$ sudo ufw allow 30303/tcp
$ sudo ufw allow 30303/udp
Both of these commands will produce the same output as the previous command. Now when you ask for the status of the firewall you get a different answer.
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
30303/tcp                  ALLOW IN    Anywhere
30303/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
30303/tcp (v6)             ALLOW IN    Anywhere (v6)
30303/udp (v6)             ALLOW IN    Anywhere (v6)
That's it! Your computer is now sitting behind a firewall, only allowing the network traffic necessary to run geth and permitting you to access it via SSH. Port 8545 does not appear in the table, which is the whole point: RPC is reachable only through the tunnel. If you want to go one step further, UFW can rate-limit connection attempts to SSH with sudo ufw limit 22/tcp, which slows down password-guessing bots, and sudo ufw allow from <your IP> to any port 22 proto tcp restricts SSH to a single source address if yours is stable.
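As an added example (not part of the original article, and not a tool that ships with ufw), here is a small Python script that reads the output of sudo ufw status verbose and checks it against the policy described above: incoming denied by default, only 22/tcp, 30303/tcp and 30303/udp allowed in, and 8545/tcp never exposed. The function names, the embedded sample status text, and the --sample flag are this example's own assumptions.

```python
"""Check `sudo ufw status verbose` output against the policy this article builds.

Added example, not part of the original article or of ufw itself. It parses the
status table ufw prints and reports whether incoming traffic is denied by
default, whether only SSH and geth's p2p ports are allowed in, and whether the
RPC port 8545 has been exposed by mistake. All names below are this example's.
"""
import re
import subprocess
import sys

# Policy the article arrives at: SSH plus geth's p2p ports, nothing else.
EXPECTED_ALLOW_IN = {"22/tcp", "30303/tcp", "30303/udp"}
# Ports that must never be reachable from the network (RPC goes over the tunnel).
FORBIDDEN_IN = {"8545/tcp"}

# One rule line of the verbose table, e.g. "22/tcp (v6)   ALLOW IN   Anywhere (v6)".
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<from>.+?)\s*$"
)
DEFAULT_RE = re.compile(r"^Default:\s*(\w+) \(incoming\)")


def parse_status(text):
    """Return (active, default_incoming, rules) parsed from `ufw status verbose`.

    The " (v6)" suffix is stripped from the To column so that the IPv4 and IPv6
    copies of a rule compare as the same port."""
    active = "Status: active" in text
    default_in = None
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = DEFAULT_RE.match(line)
        if m:
            default_in = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "to": m.group("to").replace(" (v6)", ""),
                "action": m.group("action"),
                "direction": m.group("direction"),
                "from": m.group("from"),
            })
    return active, default_in, rules


def audit(text, expected_allow_in=EXPECTED_ALLOW_IN, forbidden_in=FORBIDDEN_IN):
    """Return a list of (level, message); level is "fail" or "note".

    An empty list, or only "note" entries, means the firewall matches the
    article's policy."""
    findings = []
    active, default_in, rules = parse_status(text)
    if not active:
        findings.append(("fail", "ufw is not active; run 'sudo ufw enable'"))
    if default_in != "deny":
        findings.append(("fail", f"default incoming policy is {default_in!r}, expected 'deny'"))
    # ALLOW and LIMIT both let new connections in; DENY/REJECT do not.
    exposed = {r["to"] for r in rules
               if r["direction"] == "IN" and r["action"] in ("ALLOW", "LIMIT")}
    for port in sorted(exposed & forbidden_in):
        findings.append(("fail", f"{port} is reachable from the network; use the SSH tunnel instead"))
    for port in sorted(exposed - expected_allow_in - forbidden_in):
        findings.append(("fail", f"{port} is open but not part of the expected policy"))
    for port in sorted(expected_allow_in - exposed):
        findings.append(("fail", f"{port} is not allowed in; SSH or geth will be unreachable"))
    # World-reachable SSH works, but is worth a second look: 'ufw limit 22/tcp'
    # rate-limits brute forcing, and a 'from <ip>' rule narrows it further.
    if any(r["to"] == "22/tcp" and r["direction"] == "IN" and r["from"].startswith("Anywhere")
           for r in rules):
        findings.append(("note", "22/tcp is open from Anywhere; consider 'sudo ufw limit 22/tcp'"))
    return findings


# Constructed sample: the status output the article ends with.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
30303/tcp                  ALLOW IN    Anywhere
30303/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
30303/tcp (v6)             ALLOW IN    Anywhere (v6)
30303/udp (v6)             ALLOW IN    Anywhere (v6)
"""


def main(argv):
    """Audit the live firewall, or the embedded sample when given --sample."""
    if "--sample" in argv:
        text = SAMPLE_STATUS
    else:
        text = subprocess.run(["sudo", "ufw", "status", "verbose"],
                              check=True, capture_output=True, text=True).stdout
    findings = audit(text)
    for level, message in findings:
        print(f"{level.upper()}: {message}")
    return 1 if any(level == "fail" for level, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it on the node as python3 ufw_audit.py (it shells out to sudo ufw status verbose, so you will be asked for your password) or with --sample to exercise it against the embedded table. It exits non-zero only on a "fail" finding; SSH being open from Anywhere is reported as a note, because that is exactly what this article sets up, and tightening it is a judgement call for you.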
The first version of this article was quite a bit longer and far more complicated. In discussions with peers (thanks, Evans!) I realized that using UFW instead of manually specifying firewall rules would make a more effective article.
With your shiny new firewall, your remote Ethereum node is now much safer from malicious attack. Note: this is specific to running geth. If you have other services on the same machine you'll have to open the relevant ports, or those services will stop being reachable after you activate this firewall. Keep in mind that a firewall only limits what is reachable from the network; it is not a substitute for keeping Ubuntu, geth and SSH patched. I hope this article helped you understand a little more clearly what a firewall is and how to set one up. If you have any questions please ask in the comments below.