Welcome to Mainsail
Technology Stack
Directory Structure
Data Models
Cryptography
Architecture
Application Lifecycle
Service Container
Service Provider
Managers and Drivers
Contracts
Services
Cache
Events
Filesystem
Logging
Mixins
Pipeline
Queue
Schedule
Triggers
Validation
Understanding the Lifecycle
Understanding the Nonce
Transaction Types
Overview
Transfer
Validator Registration
Validator Resignation
Username Registration
Username Resignation
Vote / Unvote
Multisignature Registration
Multipayment
Introduction
Requirements
Networks
Configuring Mainsail
Environment Variables
Using the Install Script
Installing from Source
Docker on Linux/macOS
Security Through Obscurity
Using SSH
Staying Up-to-Date
Applying P2P iptables
Applying API iptables
Installing Fail2Ban
Setting Up Port Knocking
Cloudflare DDoS Protection
Mainsail CLI Commands
Mainsail API CLI Commands
Becoming a Validator
Introduction
Transaction Tester
Troubleshooting
Contact Us

Applying API iptables

iptables is a utility that allows system admins to configure IP packet filtering rules for Linux’s kernel firewall. These rules are organized in separate tables and determine how to treat network packets. Using iptables is highly recommended and shouldn’t be overlooked unless required by your system’s architecture and/or you’re aware of the security implications.

Warning

Using iptables is highly recommended. Be aware that Mainsail can implement multiple API endpoints, and you should consider applying the iptables script to each of them.

The iptables Script

The iptables script offers additional protection for Mainsail and Mainsail API nodes by using standard firewall tools to rate-limit certain connections.

Specifically:

  • Parallel/simultaneous P2P connections are restricted to a total of 10 per IP address; this number can be adjusted using the P2P_GLOBAL_CONN script variable.
  • Global connections are limited to 4 NEW connections per 30-second interval.

Script Usage

Command Example
start bash api-iptables.sh start pool
stop bash api-iptables.sh stop pool
restart bash api-iptables.sh restart pool
status bash api-iptables.sh status pool

Running the Script

Download and execute the iptables script using the following commands:

1wget -N https://raw.githubusercontent.com/ArkEcosystem/mainsail/main/scripts/api-iptables.sh

Edit the iptables script an use correct settings.

1nano ./api-iptables.sh

Enable iptables:

1bash ./api-iptables.sh start

Configuration

Edit the iptables script an review setting.

1nano ./api-iptables.sh
Option Description
API_GLOBAL Public API port number.
API_GLOBAL_RATE Request rate for Public API.
API_GLOBAL_BURST Burst for Public API.
API_TRANSACTION_POOL_GLOBAL Transaction pool API port number.
API_GLOBAL_RATE Request rate for Transaction pool.
API_GLOBAL_BURST Burst for Transaction pool API.
Process Description
api The public API that is part of mainsail-api script.
pool The transaction pool API that is part of mainsail script.

Creating a cron job

Because the filtering initiated by the iptables script does not persist after a system reboot, you should also consider adding the script to a cron job.

  1. edit the crontab file (choose the ‘nano’ editor when prompted):

    1crontab -e

  2. add the following line to the end of the crontab file:

    1@reboot bash ~/api-iptables.sh start pool
    2@reboot bash ~/api-iptables.sh start api

  3. save the changes and exit:

    1ctrl + x
    2 
    3# press 'y' then 'enter' to confirm

  4. apply the permissions:

    1sudo bash -c "echo \"$USER ALL=(ALL) NOPASSWD:/sbin/api-iptables\" >> /etc/sudoers"

Warning

Failing to apply permissions will prevent the iptables script from executing after a system reboot.
Previous
Next
Last updated 8 months ago
Edit Page
Share: