FreedomBox on LXC

Prerequisites - Set up LXC on your Linux system

  • Unprivileged LXC has been set up, with user mappings and network mappings
Templates for LXC can be found here:
- https://us.images.linuxcontainers.org/images/

How-to steps include:
- Download template (Debian unstable in this example)
- Configure FreedomBox in the LXC container
- Set up a static IP so port forwarding is easy
- Enable port forwarding

Steps:

> lxc-create --name debunstable-freedombox -t download            

Interactively added these options when prompted:

Distribution: debian
Release: sid
Architecture: amd64
(should download the image)

> systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start debunstable-freedombox  --logfile $HOME/lxc_freedombox.log --logpriority DEBUG

> lxc-ls --fancy
confirm running ->

NAME                   STATE   AUTOSTART GROUPS IPV4      IPV6 UNPRIVILEGED 
debunstable-freedombox RUNNING 0         -      10.0.3.53 -    true         


attach to instance:

lxc-attach --name  debunstable-freedombox
root@debunstable-freedombox:/# apt update
root@debunstable-freedombox:/# DEBIAN_FRONTEND=noninteractive apt install snapd freedombox systemd syslog-ng mariadb-server -y
root@debunstable-freedombox:/# vi /etc/network/interfaces

You can use the following commands to help you find the gateway and IP address:

# ip addr
# ip route

Example: replace the dhcp entry for eth0 (auto eth0 / iface eth0 inet dhcp) with this; yours will be specific to your network:

auto eth0
iface eth0 inet static
    address 10.0.3.53
    netmask 255.255.255.0
    gateway 10.0.3.1

root@debunstable-freedombox:/# systemctl restart networking.service

root@debunstable-freedombox:/#  echo nameserver 1.1.1.1 > /etc/resolv.conf
replace 8.8.8.8 with your favorite name server 

root@debunstable-freedombox:/#  exit
root@host> iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o $WAN -j MASQUERADE

# Don't forget to forward your ports
root@host> echo 1 > /proc/sys/net/ipv4/ip_forward
root@host> iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 6677 -j DNAT --to 10.0.3.53:443

Log in and follow the instructions including getting the secret key
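The host-side steps above (ip_forward, MASQUERADE, DNAT) as one idempotent script with input checks. This is an added example, not part of NickA's post: it uses the post's values (guest 10.0.3.53 in 10.0.3.0/24, external port 6677 to guest port 443, WAN interface in $WAN), adds each rule only if it is not already present (iptables -C), and appends FORWARD rules so that from the WAN side only the forwarded port can reach the container subnet. The function names and the DRY_RUN switch are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the three host-side steps
# (ip_forward, MASQUERADE, DNAT) as one idempotent, checked script.
# Assumed values are the post's: guest 10.0.3.53 in 10.0.3.0/24, external port
# 6677 -> guest 443, WAN interface in $WAN. Function names and DRY_RUN are mine.

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Dotted-quad IPv4 check: four numeric octets, each 0-255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Port check: an integer in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Append a rule only if an identical one is not already present (iptables -C),
# so re-running the script does not stack duplicates.
add_rule_once() {
    table=$1; shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

# forward_to_guest WAN_IF GUEST_IP GUEST_NET EXT_PORT GUEST_PORT
forward_to_guest() {
    wan=$1; guest_ip=$2; guest_net=$3; ext_port=$4; guest_port=$5
    [ -n "$wan" ] || { echo "WAN interface not set" >&2; return 1; }
    valid_ipv4 "$guest_ip" || { echo "bad guest IP: $guest_ip" >&2; return 1; }
    valid_port "$ext_port" && valid_port "$guest_port" || { echo "bad port" >&2; return 1; }

    # 1. Let the kernel route between interfaces (the post's echo 1 > ip_forward).
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Hide the container subnet behind the host on the way out.
    add_rule_once nat POSTROUTING -s "$guest_net" -o "$wan" -j MASQUERADE
    # 3. Replies to the guest's own connections must still be forwarded.
    add_rule_once filter FORWARD -d "$guest_net" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 4. Map the chosen external port to the guest's HTTPS port.
    add_rule_once nat PREROUTING -i "$wan" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$guest_ip:$guest_port"
    # 5. From the WAN side, only that forwarded port may enter the guest subnet.
    add_rule_once filter FORWARD -i "$wan" -d "$guest_ip" -p tcp --dport "$guest_port" -j ACCEPT
    add_rule_once filter FORWARD -i "$wan" -d "$guest_net" -j DROP
}

# Apply for the post's values:  WAN=eth0 sh forward.sh --apply   (DRY_RUN=1 to preview)
if [ "${1:-}" = "--apply" ]; then
    forward_to_guest "${WAN:?set WAN to your external interface}" 10.0.3.53 10.0.3.0/24 6677 443
fi
```

Run it as root on the host; with DRY_RUN=1 it only prints the commands, which is a convenient way to review the rule set before it touches the live tables. The ESTABLISHED,RELATED rule has to precede the final DROP, otherwise return traffic for the container's own outbound connections (de-NATed to 10.0.3.x before FORWARD) would be dropped.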

I think it's better, and possibly also easier, to use a bridge configuration.
(FreedomBox being separately connected to the network, so no additional port forwarding on the host, and no sending of every new internet request into Google nameserver logs.)

https://wiki.debian.org/LXC#Unprivileged_container also has more detailed info on setting up LXC; then see Installing Yunohost in unprivileged LXC on Debian, before installing FreedomBox (FreedomBox/Hardware/Debian - Debian Wiki).

Oops, there is also some experience in a section "Misc: installing Freedombox in an LXC" in:

I'm not a fan of bridge...
I like it completely segregated with a firewall in case I open any services to the public... I think you can lock it down more, no?

Don't you have a firewall/router in front of the host anyway? Using a bridge and separate IPs allows using a single DHCP server, and using default ports (like HTTP ports 80 and 443) on all the IPs without conflicts (at least locally, if behind a NAT).

But it could be that the iptables that the freedombox usually manages locally don’t work in an LXC container?

If needed it may still be possible to configure some bridge-based packet filtering on the host.

It really depends on your setup. I have several Docker instances on this instance, many services, some being proxies to other ports.
For my setup it works well if people only require an easier setup :slight_smile:

Hi, for information,
I put a FreedomBox inside an LXC container and made it only accessible from an OpenVPN server inside the container too.
Here you will find more explanation on how to set up FreedomBox in a container:

I used the LXC MACVLAN option so that my container is directly accessible on the local network and its IP address is provided by the Box of my ISP.

Coming to firewall issues opened by NickA FreedomBox on LXC - #5 by NickA

I understood that there is a lack of compatibility between the firewalld used by FreedomBox and LXC. So I removed it and chose to build the firewall function using iptables.

# Remove firewalld
sudo service firewalld stop
sudo apt-get purge firewalld
# Install iptables-persistent
apt-get install iptables-persistent

After that I used one script to set the iptables rules:

cd ~
mkdir config-iptables
cd config-iptables
nano iptable-config.sh # the script is given in the next post
chmod 700 iptable-config.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides:          openvpn.LxcFreedomBox,
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Description:       openvpn.LxcFreedomBox, SSH, Freedombox, Matrix
### END INIT INFO

# Clear iptables rules
iptables -F
iptables -X

# Allow IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Drop all incoming connections
iptables -P INPUT DROP

# Accept all outgoing connections
iptables -P OUTPUT ACCEPT

# Allow existing traffic
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the traffic on OpenVPN clients' IP range
iptables -A FORWARD -s VVV.PPP.NNN.0/24 -j ACCEPT

# Allow the traffic on the local network's IP range
iptables -A FORWARD -s LLL.AAA.NNN.0/24 -j ACCEPT

# Reject all other traffic
iptables -A FORWARD -j REJECT

# Route incoming VPN traffic toward the local network
iptables -t nat -A POSTROUTING -s VVV.PPP.NNN.0/24 -j SNAT --to-source LLL.AAA.NNN.24

# SYN flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Port scan protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow OpenVPN
iptables -A INPUT -p udp --dport 51194 -j ACCEPT

# Allow SSH, restricted to the local network or the inside of the VPN
iptables -A INPUT -p tcp -s LLL.AAA.NNN.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s VVV.PPP.NNN.0/24 --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp -d LLL.AAA.NNN.0/24 --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d VVV.PPP.NNN.0/24 --sport 22 -j ACCEPT

# Allow FreedomBox services from both LAN and VPN

# Web services
iptables -A INPUT -p tcp -s LLL.AAA.NNN.0/24 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT # plinth server -> client --dport
iptables -A INPUT -p tcp -s VVV.PPP.NNN.0/24 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT # apt-get: client -> server --sport

iptables -A OUTPUT -p tcp -d LLL.AAA.NNN.0/24 --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT # Plinth: server -> client
iptables -A OUTPUT -p tcp -d VVV.PPP.NNN.0/24 --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT # apt-get: client -> server

iptables -A INPUT -p tcp -s LLL.AAA.NNN.0/24 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s VVV.PPP.NNN.0/24 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -d LLL.AAA.NNN.0/24 --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d VVV.PPP.NNN.0/24 --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Cockpit / accessible only from the VPN
sudo iptables -t filter -A INPUT -i tun0 -p tcp --dport 9090 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -t filter -A OUTPUT -o tun0 -p tcp --sport 9090 -m state --state ESTABLISHED -j ACCEPT

# Matrix / Synapse
iptables -I INPUT 1 -p tcp -s LLL.AAA.NNN.0/24 -m tcp --dport 8008 -j ACCEPT
iptables -I INPUT 1 -p tcp -s VVV.PPP.NNN.0/24 -m tcp --dport 8008 -j ACCEPT

	# might be adapted if you consider federating servers inside the LAN or VPN
	# 8448/tcp for Matrix federation
	# 3478/tcp, 5349/tcp, 3478/udp, 5349/udp, 49152-49172/udp for TURN/STUN

# Allow all traffic from the VPN tun0 tunnel interface
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

# Routing
iptables -A FORWARD -i tun0 -o eth0 -s VVV.PPP.NNN.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Save iptables rules in order to keep them at boot
iptables-save -c > /etc/iptables-save

I didn't succeed in making Cockpit work with my configuration.

Once the script is edited and written, make it apply at boot with iptables-persistent:

Save the rules with the following commands (I had to do it from the host through the command lxc exec faminet -- /bin/bash):

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Update the iptables-persistent config:

dpkg-reconfigure iptables-persistent

service netfilter-persistent save

Service activation:

service netfilter-persistent reload

####### Fail2ban ######################################################################

fail2ban to protect OPENVPN

HOWTO fail2ban with OpenVPN - Fail2ban

Fail2ban on Debian Buster - the right way to configure? - Server Fault

apt-get install fail2ban
dpkg-reconfigure fail2ban

It requires creating a profile for OpenVPN:

cd /etc/fail2ban/filter.d
sudo nano openvpn.local

then create and edit a “jail” file :

cd /etc/fail2ban/jail.d
sudo nano LxcFreedomBox-f2b.conf
# → here is the template


/etc/fail2ban/jail.d/LxcFreedomBox.conf

[DEFAULT]
ignoreip = 127.0.0.1 LLL.AAA.NNN.0/24 VVV.PPP.NNN.0/24
findtime = 10m
bantime = 48h
maxretry = 5

[sshd]
enabled = true
port = 22
protocol = tcp
filter = sshd
logpath = /var/log/auth.log
maxretry = 10

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/openvpn/log
maxretry = 10

[apache-auth]
enabled = true

To make fail2ban work in this "containerized" setup, do the following:

modify the "backend" parameter in /etc/fail2ban/jail.conf so that fail2ban can read systemd's journal:

backend = systemd

then copy jail.conf

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and restart fail2ban:

sudo systemctl restart fail2ban

then check

admin@LxcFreedomBox:~$ sudo service fail2ban status
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-04-10 20:32:47 CEST; 31s ago
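One check worth running against the iptables script posted earlier in this thread, added here as an example that is not part of any post: iptables evaluates a chain top to bottom and stops at the first terminating target, so every FORWARD rule appended after the unconditional "iptables -A FORWARD -j REJECT" (the rate limits, the tun0 accept, the routing rule) is never evaluated. The audit function below reads iptables-save output and lists rules that sit behind an unconditional ACCEPT/DROP/REJECT/RETURN in the same chain. The sample ruleset is constructed (10.8.0.0/24 and 192.168.1.0/24 stand in for the VPN and LAN ranges) and shaped like that script's FORWARD chain; the function also understands the [pkts:bytes] prefix that iptables-save -c, which the script uses, prepends to each rule.

```shell
#!/bin/sh
# Added example, not from the thread: list iptables rules that can never match
# because an unconditional terminating rule (-j ACCEPT/DROP/REJECT/RETURN with
# no match options) sits earlier in the same chain.
# Input is iptables-save output on stdin, with or without the "[pkts:bytes]"
# counters that iptables-save -c prepends.

unreachable_rules() {
    awk '
        # A new table (*filter, *nat, ...) starts with no closed chains.
        /^\*/ { split("", closed); next }
        # Strip the "[pkts:bytes] " prefix that iptables-save -c adds.
        /^\[[0-9]+:[0-9]+\] / { sub(/^\[[0-9]+:[0-9]+\] /, "") }
        $1 == "-A" {
            chain = $2
            # Everything appended after the chain was closed is dead.
            if (chain in closed) { print; next }
            # "-A CHAIN -j TARGET ..." with nothing between chain and -j
            # matches every packet; a terminating TARGET closes the chain.
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" ||
                               $4 == "REJECT" || $4 == "RETURN"))
                closed[chain] = 1
        }'
}

# Constructed sample (addresses are made up) shaped like the FORWARD chain of
# the script posted in the thread, as iptables-save would print it.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 51194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
COMMIT'

# Number of dead rules in the sample (printed on stdout).
count_unreachable_sample() {
    printf '%s\n' "$SAMPLE_RULES" | unreachable_rules | wc -l | tr -d ' '
}

# Audit the live ruleset when run directly:  iptables-save | sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    unreachable_rules
else
    printf '%s\n' "$SAMPLE_RULES" | unreachable_rules
fi
```

On the sample this prints the two FORWARD rules after the REJECT. Non-terminating targets such as LOG or MASQUERADE do not close a chain, and each *table header resets the state, so rules in the nat table are judged independently of filter.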