AnyX Guide Type: example

  • Real VNC & Raspberry Pi

    Real VNC & Raspberry Pi

    ae2c7d35 raspberry pi

    Remote Video, Open Source

    Real VNC & Raspberry Pi

    How to setup Real VNC to interoperate with standard VNC on your Raspberry Pi.

    CONTACT

    Real VNC & Raspberry Pi

    The Raspberry PI supports multiple operating system distributions. The default used is often Raspbian, which has a VNC-similar server installed called Real VNC.

    Real VNC is not enabled by default. It also uses a proprietary authentication scheme by default.

    To enable VNC on your Raspberry Pi and access via Agilicus Any-X, you may use the option panel, changing the Authentication from “Unix password” to “VNC password”. Or, if you prefer, you may edit the text files as below.

    1. Add Authentication=VncAuth to /root/.vnc/config.d/vncserver-x11
    # cat /root/.vnc/config.d/vncserver-x11
_AnlLastConnTime=int64:0000000000000000
_LastUpdateCheckSuccessTime=int64:01d8f9c1abad5c0a
_LastUpdateCheckTime=int64:01d8f9c1abad5c0a
Authentication=VncAuth
Password=d00971cd8cacb99e
ViewOnlyPassword=d00971cd8cacb99e

    2. set a VNC password (optionally read-only)

    $ vncpasswd -service
Password:
Verify:

    Now enable/restart the vnc service:

    systemctl enable vncserver-x11-serviced
systemctl restart vncserver-x11-serviced

    Encryption

    The Real VNC Server supports a super-set of the Encryption supported by Agilicus AnyX. You may need to set “Prefer On” to allow the two sides to negotiate.

    2f723b59 image
    d33ca6a4 image

    At this stage you can follow the standard directions to create a VNC Desktop

    1. Resources/Desktops/New
    2. Add user permissions to new desktop
    3. Open Profile and select the desktop
  • Sample: Synology Local SSL

    Sample: Synology Local SSL

    synology-nas-web

    SAMPLE

    Synology Local SSL

    The Agilicus connector can facilitate a publicly trusted local certificate for your Synology Web Interface.

    CONTACT

    Overview

    100% of connections from the public networks into Agilicus AnyX are protected by Transport Level Security (TLS/SSL). Each endpoint has its own publicly-trusted certificate allocated, no wildcards, no fake certificates or certificate authority trusts to be injected. This is all done in a fully automatic fashion.

    In some cases, you wish to access the same resource from the local side, without going through Agilicus AnyX. Although we do not generally recommend this (it lowers the overall security since there is no strong authentication and multi-factor), it can be useful or required. In this sample, we show how to setup a Synology DS120 NAS web interface such that the local DNS resolves to its local IP, and, it is protected by the same public certificate that the Agilicus AnyX platform allocated. In this fashion a user on the local network can directly access the NAS without seeing broken ‘do you want to trust this site” messages.

    Setup

    Create Web Application

    First, configure the Synology web interface as a ‘Web Application’. We assign it a name (ds120), we select its via a connector we have previously installed on this NAS. We use ‘localhost’ and ‘port 5000’ for the upstream configuration (which is how we reach the web interface from inside the NAS). We then assign permission to our user.

    At this stage we should be able to navigate to the url, and reach the NAS. If you take your mobile phone, disconnect the WiFi, and then reach the url, it should work. If your local DNS overrides, you may still see the NAS directly with its TLS/SSL error, we will resolve that in the next section.

    fb3086e2 image
    a568960b image
    67062561 image
    cefae7a4 image
    057ac301 image
    22dcf92c image

    Export Certificate

    Referring to the instructions for exporting certificates, we see that the Connector will export the certificate if a Python script exists in a certain location (/opt/agilicus/agent/plugins/certificate-exporter.py).

    We can see where the Synology looks for its certificate:

    # ps -ef|grep nginx
root      6609   654  0 17:22 pts/0    00:00:00 grep --color=auto nginx
root      6872     1  0 Sep19 ?        00:00:00 nginx: master process /usr/bin/nginx -c /etc/nginx/nginx.conf.run -g pid /run/nginx.pid; daemon on; master_process on;
http     31327  6872  0 Sep23 ?        00:01:24 nginx: worker process
http     31328  6872  0 Sep23 ?        00:01:02 nginx: worker process
# grep cert /etc/nginx/nginx.conf.run
    include /usr/syno/etc/www/certificate/system_default/cert.conf*;
# ls -ld /usr/syno/etc/www/certificate/system_default/cert.conf*
-rw------- 1 root root 224 Feb 20  2023 /usr/syno/etc/www/certificate/system_default/cert.conf
# cat /usr/syno/etc/www/certificate/system_default/cert.conf
ssl_certificate          /usr/syno/etc/www/certificate/system_default/73b8b5b1-7f63-4764-a54f-1a0d78d58dfd.pem;
ssl_certificate_key      /usr/syno/etc/www/certificate/system_default/d27d6342-50fb-423f-b850-386b6a68e5ab.pem;

    OK, lets take a look at the ‘factory’ certificates:

    # openssl x509 -in /usr/syno/etc/www/certificate/system_default/73b8b5b1-7f63-4764-a54f-1a0d78d58dfd.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6280518885899342 (0x1650194132fc4e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = TW, L = Taipel, O = Synology Inc., CN = Synology Inc. CA
        Validity
            Not Before: Feb 20 06:15:00 2023 GMT
            Not After : Feb 21 06:15:00 2024 GMT
        Subject: C = TW, L = Taipel, O = Synology Inc., CN = synology
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:df:33:80:97:f8:9d:88:a8:9f:49:35:7f:20:7a:
                    ba:68:26:47:3e:ed:7f:9f:79:3f:f3:6f:2c:31:1c:
                    38:36:cd:36:36:ed:bb:47:bf:29:cc:8c:e2:d2:3d:
                    16:4b:16:5b:16:7c:36:4e:c8:e8:05:f4:33:d6:7f:
                    91:7b:2c:c4:8b:3d:1e:18:19:d7:60:84:d4:08:db:
                    8e:b4:63:5e:bc:fa:e6:31:1f:5d:f8:64:27:76:4c:
                    a2:63:d4:a5:03:c7:cd:e9:83:f3:31:a7:29:c8:1d:
                    ed:bf:35:b5:02:c0:53:18:83:29:71:85:b2:15:b2:
                    0d:4e:11:0d:b1:4b:73:34:29:20:e4:5a:5c:f3:6d:
                    bf:9e:f7:85:f9:f6:8b:fd:63:26:66:d2:ac:0f:f5:
                    5b:e7:38:34:4d:e7:2d:db:ae:77:9f:69:0d:e6:3b:
                    3a:15:b1:28:ae:94:49:98:40:ed:d9:0f:2d:d6:bb:
                    f9:b3:64:33:7e:c0:6c:de:f0:eb:5d:f0:8d:3b:67:
                    60:01:69:b1:fa:b2:db:f3:33:88:a0:9c:e4:e9:f2:
                    3c:3a:eb:b5:b3:de:94:50:f3:3b:f0:70:a1:8d:f7:
                    e6:a6:c1:74:47:97:45:4d:b3:9a:27:f8:ad:44:db:
                    24:20:57:03:3f:01:e6:0b:82:dd:1f:49:ba:f7:cd:
                    e4:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                mod_ssl generated custom server certificate
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:synology
    Signature Algorithm: sha256WithRSAEncryption
         6d:38:84:e7:22:8f:f7:65:69:8a:98:8b:e7:fd:03:86:13:ce:
         ba:27:75:0a:c9:95:7c:38:07:6c:0c:7f:6f:2e:23:e8:68:52:
         cf:de:57:bd:d5:ee:75:1b:6e:f9:cf:58:74:36:f9:9a:3a:8c:
         4d:e0:7e:d7:21:00:ef:81:5e:4c:0c:59:34:cb:fe:37:60:0e:
         5a:81:f4:a6:fa:fb:39:82:1d:74:f7:6d:75:d4:72:e3:95:bc:
         a7:d3:76:df:e3:4f:d5:be:83:5a:3b:af:26:b8:1e:9f:d0:42:
         99:c3:6a:6a:36:13:a9:ef:bd:6f:88:42:71:d1:2f:ad:14:8d:
         5b:d9:17:b0:fc:bc:8b:f8:20:b2:26:25:c6:83:93:b7:2a:36:
         cc:85:f7:84:d3:01:13:40:a5:b9:ef:60:4e:47:46:26:84:b7:
         0e:da:eb:88:6c:75:9f:44:4c:0f:ab:f6:1b:0d:76:dc:4d:f1:
         04:87:11:e9:26:c4:12:cb:fe:ea:57:58:4b:85:1d:cc:de:c7:
         23:1d:55:1d:a1:d5:06:36:c6:4a:d0:15:e2:f0:34:9b:a2:05:
         2a:2c:b0:14:e1:a8:a4:95:99:17:df:3d:f7:f6:c3:ab:49:ff:
         b3:d9:ab:b2:50:51:cb:bb:aa:3c:72:e4:ba:a6:cf:4a:b1:4c:
         96:1d:1f:a6
-----BEGIN CERTIFICATE-----
MIIDsjCCApqgAwIBAgIHFlAZQTL8TjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQG
EwJUVzEPMA0GA1UEBwwGVGFpcGVsMRYwFAYDVQQKDA1TeW5vbG9neSBJbmMuMRkw
FwYDVQQDDBBTeW5vbG9neSBJbmMuIENBMB4XDTIzMDIyMDA2MTUwMFoXDTI0MDIy
MTA2MTUwMFowSTELMAkGA1UEBhMCVFcxDzANBgNVBAcMBlRhaXBlbDEWMBQGA1UE
CgwNU3lub2xvZ3kgSW5jLjERMA8GA1UEAwwIc3lub2xvZ3kwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDfM4CX+J2IqJ9JNX8gerpoJkc+7X+feT/zbywx
HDg2zTY27btHvynMjOLSPRZLFlsWfDZOyOgF9DPWf5F7LMSLPR4YGddghNQI2460
Y168+uYxH134ZCd2TKJj1KUDx83pg/MxpynIHe2/NbUCwFMYgylxhbIVsg1OEQ2x
S3M0KSDkWlzzbb+e94X59ov9YyZm0qwP9VvnODRN5y3brnefaQ3mOzoVsSiulEmY
QO3ZDy3Wu/mzZDN+wGze8Otd8I07Z2ABabH6stvzM4ignOTp8jw667Wz3pRQ8zvw
cKGN9+amwXRHl0VNs5on+K1E2yQgVwM/AeYLgt0fSbr3zeSZAgMBAAGjgZYwgZMw
OgYJYIZIAYb4QgENBC0WK21vZF9zc2wgZ2VuZXJhdGVkIGN1c3RvbSBzZXJ2ZXIg
Y2VydGlmaWNhdGUwEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEwYDVR0RBAwwCoIIc3lub2xv
Z3kwDQYJKoZIhvcNAQELBQADggEBAG04hOcij/dlaYqYi+f9A4YTzrondQrJlXw4
B2wMf28uI+hoUs/eV73V7nUbbvnPWHQ2+Zo6jE3gftchAO+BXkwMWTTL/jdgDlqB
9Kb6+zmCHXT3bXXUcuOVvKfTdt/jT9W+g1o7rya4Hp/QQpnDamo2E6nvvW+IQnHR
L60UjVvZF7D8vIv4ILImJcaDk7cqNsyF94TTARNApbnvYE5HRiaEtw7a64hsdZ9E
TA+r9hsNdtxN8QSHEekmxBLL/upXWEuFHczexyMdVR2h1QY2xkrQFeLwNJuiBSos
sBThqKSVmRffPff2w6tJ/7PZq7JQUcu7qjxy5Lqmz0qxTJYdH6Y=
-----END CERTIFICATE-----

    OK, it is expecting a FQDN of ‘synology’, and, is self-signed. We don’t want this. lets overwrite it with our properly signed one. To do so, place a script called certificate-exporter.py in /opt/agilicus/agent/plugins (you may need to make this directory). The script might look as below (notice I hard-coded in my host name since this connector services more than one endpoint, and I only want to export one certificate).

    #!/bin/python

import sys
import json
import base64
import os

# load the certificate export json from stdin
# see https://agilicus.com/www/api/certificate-export.schema.json
cert_obj = json.loads(sys.stdin.readline())

def import_certificate(obj):
    if obj.get("common_name") == "ds120.dbt.agilicus.cloud":
        with open("/usr/syno/etc/www/certificate/system_default/cert.conf", "w") as fd:
            fd.write("ssl_certificate   /usr/syno/etc/www/certificate/nas.pem;\nssl_certificate_key /usr/syno/etc/www/certificate/nas.key;\n");
        with open("/usr/syno/etc/www/certificate/nas.pem", "w") as fd:
            fd.write(obj.get("certificate"))
        with open("/usr/syno/etc/www/certificate/nas.key", "w") as fd:
            fd.write(obj.get("key"))

        with open("/usr/syno/etc/certificate/_archive/DEFAULT", "r") as fd:
            def_cert_name = fd.read()
            def_cert_name = def_cert_name.strip()
        with open(f"/usr/syno/etc/certificate/_archive/{def_cert_name}/cert.pem", "w") as fd:
            fd.write(obj.get("certificate"))
        with open(f"/usr/syno/etc/certificate/_archive/{def_cert_name}/privkey.pem", "w") as fd:
            fd.write(obj.get("key"))

        os.system("/bin/systemctl reload nginx")

import_certificate(cert_obj)

    Testing

    To test, we can remove the cached files (exported_certs.*) and then restart the connector

    -rwxr-xr-x 1 agilicus agilicus  844 Nov 13 18:29 certificate-exporter.py
-rw------- 1 root     root     5788 Nov 13 18:38 exported_certs.json
-rw------- 1 root     root        0 Nov 13 18:38 exported_certs.json.lock
# rm exported_certs*
# systemctl restart agilicus-agent

    We can test with curl and a DNS override:

    curl -v https://ds120.dbt.agilicus.cloud/ --resolve ds120.dbt.agilicus.cloud:443:172.16.0.109
  • UDP via SSTP VPN

    UDP via SSTP VPN

    UDP via SSTP VPN

    When only a subnet will do

    UDP via SSTP VPN

    This example demonstrates using the SNI-expose feature to allow direct access to a VPN, skipping authentication and authorisation.

    It is suitable for cases where a VPN is required (e.g. UDP adjacency) to a system that is behind a restrictive firewall, satellite, cellular, NAT.

    CONTACT

    Overview: UDP via SSTP VPN

    In this example I show a method of running a traditional VPN on top of Agilicus AnyX. Its important to note that this dramatically reduces the security: there is no Zero Trust, there is no single-sign-on with multi-factor, there is no fine-grained authorisation and audit: its simply a tunnel. Be very careful in setting up these instructions, you are relying solely on the strength of the VPN passwords, on the strength of the VPN encryption, on the security of the software implementing the VPN, achieving UDP via SSTP VPN.

    aa501cbb sstp vpn

    In this example, I am going to use Microsoft SSTP (which is PPP over HTTPS over TLS) in conjunction with the Agilicus AnyX SNI exposed host. This will allow you to emulate an HTTPS inbound connection, even if you have outbound only connectivity. Similar to other systems that use Dynamic DNS and Port Forwarding, you will get a single, stable hostname which is always available on port 443, which is directly attached to your SSTP server.

    In this example write up I will use SoftEther VPN. We provide some example configurations for it, but ultimately you can configure it however you wish and responsible for ensuring its setup correctly for your environment. The SoftEther SSTP VPN allows both bridged and routed (NAT) environments, you may use the bridged environment if there is a DHCP server on the same subnet, in which case the client will appear as local.

    Agilicus AnyX Setup

    The first step is to install a connector on the site which will have port-443 access to your VPN server. I recommend running this on the same server as the SoftEther.

    You will install the connector in the standard fashion (see installation instructions) for your platform. This connector can be shared with other purposes, it need not be dedicated.

    4d00374a image

    The second step is to create a ‘network’ and, expose it via hostname. In the below example, I have created a connector called ‘sstp’. I have created a network called ‘vpn’. The upstream hostname/port is the hostname/port of the on-premise SSTP server. Since I have installed it on the same host, I have used localhost, port 443.

    In addition, I have set the service to be TLS (since the SoftEther server, SSTP, is TLS), and, I have marked ‘Expose as Hostname’. The Expose as Hostname causes the Server Name Indication (SNI) to be directly Internet routable by name. This is logically equivalent to a dynamic DNS + port-forward solution.

    The external hostname will be <service-name>.networks.<yourdomain>. So, for example, if you sign in to https://admin.myco.anyx.cloud, and your create the service name as ‘vpn’, the external name will be vpn.networks.myco.anyx.cloud. You may test it by opening in your browser as https://vpn.networks.myco.anyx.cloud. This will give a simple web page or an empty web page.

    SoftEther VPN Server Setup: Windows

    You have signficant latitude in how to configure SoftEther on your windows machine (the server side, where the connector runs). Here I show a single opinionated install, feel free to make you own choices.

    7566dd9f image

    Download SoftEther(1)

    Navigate to the softether web site (softether.org) and find the current version for your platform to download.

    Here we are using the SoftEther VPN Server, and the Windows Platform.

    46fe18da image

    Download SoftEther(2)

    Download the software.

    1c812d17 image

    Select Components

    We need only install the SoftEther VPN Server.

    SSTP clients are built in to Windows by default, so later when we connect from outside this network, we can use the standard platform software.

    cc3e48c5 image

    Set the Admin Password

    This password is very important. It is used to control who can modify the setup of the VPN server. I do not recommend making it the same as the user you will sign in as. Make this password strong, store it in your password manager.

    2d8e4ef5 image

    Configure VPN for Remote

    You can consider which of these options is most appropriate for your environment.

    In this example, we are assuming 1 nomadic user is connecting to 1 fixed site.

    2ea7f67f image

    Disable Dynamic DNS

    SoftEther comes with its own dynamic hostnames. You do not need this.

    66d4a2a3 image

    Disable IPSEC/L2TP/EtherIP

    The only feature we want enabled is SSTP.

    ee25ae4b image

    Disable Azure Cloud VPN

    The only feature we want enabled is SSTP.

    b7bd59ff image

    Create a User

    Create the User you will use for access purposes. This is not the same as the administrator above.

    You may select various methods to authenticate, here we are showing Password.

    2fdc0d54 image

    Enable MS-SSTP

    Next we will enable and configure MS-SSTP

    c5e8c5f7 image

    Enable MS-SSTP

    Disable OpenVPN. Enable MS-SSTP

    318ca828 image

    Setup Hostname Certificate

    We will now configure the SSTP Certificate to match the name we created above in the Network.

    ff3bb3ca image

    Set Encryption and Keepalive

    Disable the ‘Use Keep Alive Internet Connection’

    Set ‘AES256-SHA256’ to use stronger encryption.

    Select ‘New’ to create a new certificate, matching the CN (common name) of the Network we created above.

    df7f7deb image

    Set Certificate Name

    In the Common Name (CN) field, enter the name of the Network you created above.

    This name will be in the format <network-name>.networks.<mydomain>.

    You only need to configure the first row, then press OK.

    At this stage, examine the other settings. The interface you are bridged to, whether you should use SecureNAT and DHCP.

    Client Setup and Test

    Android Client

    Multiple clients are available for Android. I have tested with Open SSTP Client.

    https://play.google.com/store/apps/details?id=kittoku.osc&hl=en_CA&gl=US

    The setup of this client is very simple:

    1. Hostname (as above in Network name)
    2. Username (as above in User created)
    3. Password (as above in User created)

    at this stage, you can press the enable button, and it should stay enabled.

    f5dd1ddf image
    952984af image

    Windows Client

    For Windows, we will use the built-in Microsoft VPN provider.

    On the start menu, type ‘vpn’, then select ‘Add a VPN connection’.

    From here, use the Windows (built-in) VPN provider, use the server name as above in the Network setup, and the User/Password you set.

    Once done, connect to the VPN, and you may use standard Windows network diagnostics to check.

    DZFRUXRpwEAAIBb9H+rEaX6syzXEwAAAABJRU5ErkJggg==

    ad341803 image
  • Agilicus Connector Air Gap Machine With Containers

    Agilicus Connector Air Gap Machine With Containers

    person-setup-machine

    Agilicus Connector Air Gap Machine With Containers

    Create a nearly-fully airgapped machine, with interior containers, no way in, and only 1 way out via Agilicus Connector.

    Agilicus Connector Air Gap Machine With Containers

    Imagine we have a complex set of orchestrated containers. They interoperate with each other. But, we don’t want them reaching the Internet, or the Internet reaching them.

    Some or all of these containers have a need to use remote services. Perhaps a cloud provider, perhaps another set in another building.

    In this example we show how to:

    1. Block all inbound traffic to a Debian 12 host
    2. Block all outbound traffic except for Agilicus API + Dataplane
    3. Use a service forwarder to allow specific containers to reach specific remote services

    For the container runtime we will use docker. The example below is a Debian 12 host with all options default, with docker.io installed.

    Debian 12: Default Firewall Rules

    Before we start we can inspect the default firewall rules. In a nutshell these:

    1. allow all outbound traffic from the host to Internet
    2. allow all outbound traffic from containers to Internet
    3. allow all outbound traffic from containers to host
    # iptables-save
    # Generated by iptables-save v1.8.9 (nf_tables) on Thu Apr 18 18:57:40 2024
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :DOCKER - [0:0]
    :DOCKER-ISOLATION-STAGE-1 - [0:0]
    :DOCKER-ISOLATION-STAGE-2 - [0:0]
    :DOCKER-USER - [0:0]
    -A FORWARD -j DOCKER-USER
    -A FORWARD -j DOCKER-ISOLATION-STAGE-1
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -o docker0 -j DOCKER
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
    -A DOCKER-ISOLATION-STAGE-1 -j RETURN
    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
    -A DOCKER-ISOLATION-STAGE-2 -j RETURN
    -A DOCKER-USER -j RETURN
    COMMIT
    # Completed on Thu Apr 18 18:57:40 2024
    # Generated by iptables-save v1.8.9 (nf_tables) on Thu Apr 18 18:57:40 2024
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :DOCKER - [0:0]
    -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
    -A DOCKER -i docker0 -j RETURN
    COMMIT
    # Completed on Thu Apr 18 18:57:40 2024

    Setup: Block inbound traffic, block outbound except to Agilicus Cloud, Local DNS/DHCP

    Note: you may wish to have console access rather than SSH access in case you make a mistake.

    We can see the Agilicus required IP/hostnames. For this example, we will allow (on port 443), these two IP:

    • 34.95.12.47 (www.agilicus.com)
    • 35.203.36.11 (api.agilicus.com)
    iptables -P OUTPUT DROP
    iptables -P INPUT DROP
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -d 34.95.12.47/32 --dport 443 -j ACCEPT
    iptables -A OUTPUT -p tcp -d 35.203.36.11/32 --dport 443 -j ACCEPT
    iptables -A INPUT -p udp -m multiport --sports 67,68,123,53 -j ACCEPT
    iptables -A OUTPUT -p udp -m multiport --dports 67,68,123,53 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    At this stage, we can test. First let us confirm that DNS works and that we can reach Agilicus WWW (for system updates):

    $ curl -I https://www.agilicus.com/
    HTTP/2 200

    Now let us check that we cannot reach other websites:

    $ curl -I https://www.google.ca/
    <timeout>

    Now let us demonstrate that a docker container cannot escape:

    # docker run --rm -it busybox
    Unable to find image 'busybox:latest' locally
    ... timeout

    Not so fast, we have now blocked docker hub. For our scheme to work, we will need to either get all containers on the machine out of band, or allow a docker registry. I will demonstrate the out-of-band technique:

    # On a machine with Internet access (not the one we are firewalling):
    $ docker pull library/busybox
    Using default tag: latest
    latest: Pulling from library/busybox
    7b2699543f22: Pull complete
    Digest: sha256:c3839dd800b9eb7603340509769c43e146a74c63dca3045a8e7dc8ee07e53966
    Status: Downloaded newer image for busybox:latest
    docker.io/library/busybox:latest
    $ docker image save -o /tmp/busybox.tar library/busybox
    $ scp /tmp/busybox.tar don@192.168.122.206:/tmp/
    busybox.tar                                                                                       100% 4400KB  54.7MB/s   00:00
    # 192.168.122.206 is the IP of the firewalled machine which we have allowed SSH to, you can also use a USB flash drive
    # On the firewalled machine:
    $ docker image load -i /tmp/busybox.tar
    $ docker run --rm -it library/busybox
    / # ping 1.1.1.1
    PING 1.1.1.1 (1.1.1.1): 56 data bytes
    64 bytes from 1.1.1.1: seq=0 ttl=55 time=17.874 ms
    ^C
    ### HUH?

    OK, why did the container reach the Internet if the host cannot? For this we need to understand FORWARD (e..g routing) versus INPUT/OUTPUT. The Host is routing the docker traffic, we need some rules in the FORWARD path.

    $ iptables -P FORWARD DROP
    $ iptables -t nat -D POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

    At this stage, lets test again. We have made the default forward policy be to drop, and we have removed the MASQUERADE (NAT) rule.

    $ docker run --rm -it library/busybox
    / #
    / # ping 1.1.1.1
    PING 1.1.1.1 (1.1.1.1): 56 data bytes
    ^C
    --- 1.1.1.1 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
    / # wget https://www.agilicus.com/
    ^C

    OK, we now have a set of containers which cannot reach the Internet on anything, and, a host that can reach a very limited set (DNS, DHCP, and Agilicus AnyX Cloud).

    Let us now check that the container can still reach the host. For this we will use two windows. In one, we will run ‘netcat’ to listen on a port, in the other we will test from the host to itself. In green, window 1, we run netcat in listen mode:

    $ nc -lvp 8888
    listening on [any] 8888 ...
    connect to [127.0.0.1] from localhost [127.0.0.1] 38276

    In black, we run netcat in connect mode, we observe it works.

    $ nc -vv localhost 8888
    localhost [127.0.0.1] 8888 (?) open
    ^C sent 0, rcvd 0

    Let us now try from within the container

    $ docker run --rm -it library/busybox
    / # nc 172.17.0.1 8888
    ... hang

    Why did this hang? We are blocking all INPUT/OUTPUT except loopback (lo) and except for certain IP/port pairs. Let us add docker0 back in:

    # iptables -A OUTPUT -o docker0 -j ACCEPT
    # iptables -A INPUT -i docker0 -j ACCEPT

    OK at this stage we can test again, and it works. The container can reach the host (on all ports), but not the Internet.

    Install Agilicus Connector on Host

    Let us install the Agilicus connector.

    # which curl && (curl -sSL agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh) || (wget -O - agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh); sh /tmp/i.sh -c RXXXXr -s jxXXXn 
    (hang)

    Why did this hang? As a shortcut in the command, it is using ‘agilicus.com’ and ‘http’. We can make a minor change:

    $ which curl && (curl -sSL https://www.agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh) || (wget -O - agilicus.com/www/releases/secure-agent/stable/install.sh > /tmp/i.sh); sh /tmp/i.sh -c RikNorxMq33ZzNyCnpvfir -s jdy29jkn

    This now works, demonstrating that our above firewall rules prevent port 80 access.

    Next Steps

    You can save/restore your iptables rules with iptables-save and iptables-restore. You can install iptables-persistent package to make these load on reboot (or put the rules in e.g. /etc/rc.local).

    You may consider only allowing the containers to reach specific ports, where we would run the Agilicus connector.

    The final rule set we ended up with:

    # iptables-save
    # Generated by iptables-save v1.8.9 (nf_tables) on Thu Apr 18 20:19:46 2024
    *filter
    :INPUT DROP [87:68971]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [154:12030]
    :DOCKER - [0:0]
    :DOCKER-ISOLATION-STAGE-1 - [0:0]
    :DOCKER-ISOLATION-STAGE-2 - [0:0]
    :DOCKER-USER - [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m multiport --dports 67,68,123,53 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i docker0 -j ACCEPT
    -A FORWARD -j DOCKER-USER
    -A FORWARD -j DOCKER-ISOLATION-STAGE-1
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -o docker0 -j DOCKER
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -d 34.95.12.47/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A OUTPUT -d 35.203.36.11/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A OUTPUT -p udp -m multiport --sports 67,68,123,53 -j ACCEPT
    -A OUTPUT -p udp -m multiport --dports 67,68,123,53 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o docker0 -j ACCEPT
    -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
    -A DOCKER-ISOLATION-STAGE-1 -j RETURN
    -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
    -A DOCKER-ISOLATION-STAGE-2 -j RETURN
    -A DOCKER-USER -j RETURN
    COMMIT
    # Completed on Thu Apr 18 20:19:46 2024
    # Generated by iptables-save v1.8.9 (nf_tables) on Thu Apr 18 20:19:46 2024
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :DOCKER - [0:0]
    -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    -A DOCKER -i docker0 -j RETURN
    COMMIT
    # Completed on Thu Apr 18 20:19:46 2024
  • Print Via Service Forwarder

    Print Via Service Forwarder

    person-setup-machine

    Print Via Service Forwarder

    Print from a local machine or network to a remote printer, using two connectors via the Service Forwarder.

    (For end-user printing from a single application, see also Print Via Launcher).

    In this method, we install a connector on the remote end (the PC of the person wishing to print). We use the Service Forwarder (https://www.agilicus.com/anyx-guide/forwarding/) to ‘port-forward’ localhost (her PC) to the remote (printer:631). Thus the user can connect to their local machine as a printer. NOTE: if port 631 is in use locally we can use an alternate (e.g. forward localhost:6331 to printer:631).

    The data flow would be as below, diagram not to scale.

    The user will see the printer seamlessly.

    37d8015d image

    You have a set of connectors on your site, I suspect one of them has layer-3 connectivity to the printer in question.

    Steps:

    1. Create new connector (e.g. name user-pc-connector)
    2. Install connector on remote PC
    3. Create Network Resource
    4. Create service forwarder specifying destination IP, port 631 of the printer via the remote connector
    5. Add printer to machine specifying localhost

    In the sample pictures below, ‘Win10’ is the name of the remote user PC, and dbt is the name of the connector existing in the network with the printer.

    Step 1: Create a new connector

    On your desktop, open https://admin.__MYDOMAIN__. Create a new connector, give it a name.

    53631935 image

    This will place a text string on your clipboard. 

    Step 2: Install on Remote PC

    We will now paste this string from above into an Administrative cmd on the remote machine (e.g. via remote assist). The output should look similar to below.

    c54f486b image

    Step 3: Create Network Resource

    First step, we will create a ‘network’. This is sort of like a destination, its a resource no different than a share or a web app.

    dfd502db 3805 41ff acca 64b3d758aa8c

    Give the user, or a group, permission.

    5faefe86 image

    Step 4: Create Service Forwarder

    Next, we will create a service forwarder. This will make a ‘listener’ on ‘win10’ connected to the remote network on dbt (printer end).

    9047dba5 image

    At this stage, on the remote PC (win10 in my example), port 631 of the localhost is the same as the remote printer. If the PC is already using port 631, use an alternate port.

    Let us check (feel free to do this prior to the config to ensure the port is not in use).

    8edd2973 image

    Step 5: Add Printer

    ff66c48b image
    32265916 image

    At this time the printer is up, we can use it normally. It will always be accessible by this user.

  • Print via Launcher

    Print via Launcher

    person-setup-machine

    Print Via Service Launcher

    Print from a local application to a remote printer via the Agilicus Launcher.

    (For site-to-site printing, see also Print Via Service Forwarder).

    In this model, which is more suited if we have multiple users sharing the printer, we use a launcher with a local application. When the local application is running, the printer will be available. It will not be otherwise available.

    Step 1. Create Network (same as Step 3 in Print Via Service Forwarder, no change)

    Step 2. Create Launcher

    Step 3. Test via profile

    Step 4. Optional, consider enabling desktop integration

    Step 2. Create Launcher

    6d9e6d52 image
    ad92f8b2 image

    At this stage we can test. The user will need to install the Launcher on their desktop, via https://profile.__MYDOMAIN__. If installed, they can either use the desktop integration, or, run refresh and observe the new icon, launch it.

    1b1cd532 image

    Once the app is up, you can install the printer as in Print Via Service Forwarder (localhost:631, IPP). It will work while the app is running.

    We can check with netstat to see it is listening.

    cb70ee77 image

    NOTE: Multiple Printers

    The method we are using above to tunnel the printer works best with a single printer. In order to use multiple printers at the same time, when creating the network, use a source-port override such that each printer is unique.

    For example:
    printer1 -> port 631
    printer2 -> port 632
    printer3 -> port 633

    4888907b image