Port Forwarding or Tunneling a Service

PreviousDisaster Recovery NextCrowdsec Modules

Last updated 1 year ago

Was this helpful?

Port Forwarding or Tunneling a Service

This guide will step you through Port Forwarding or Tunneling a service

Required Knowledge

External Access to Systems

Monitoring and Alerting

Authentication, Access and Accounts

Process

There are 2 solutions for making a service accessible externally - a CF Tunnel or Port Forwarding.

Cloudflare Tunnel

Creating a 'public host'

Log into
On the left, select Access > Tunnels
Select the relevant tunnel and click on 'Configure'
Click on the Public Hostname tab
Click on 'Add Public Hostname' and input the relevant data, eg
Click on Save hostname
Naigate to the url and confirm it is working

Note: If the internal service is on HTTPS you may need to disable TLS verify,

Adding Authentication

Authentication is applied as an 'Application' and allows you to limit services to specific users, IP address, countries etc.

On the left, select Access > Applications
Click on 'Add an application' and select Self Hosted
Configure the Application
- Application Configuration block Input the name and URLs you wish to configure
- Application Appearance block Select custom logo and provide a URL to an image, such as the logo of the app
- Tags Apply any relevant tags, such as 'test', 'xfgn' etc
Click on OK / Save / Next
Under the settings tab, tick 'Enable automatic cloudflared authentication'
Click on OK / Save / Next

Port Forward

Enable Firewall

As port forwarding opens the server to direct access via the internet, we require the firewall to be enabled.

Ubuntu

SSH into server and input the below commands
```
ufw allow ssh
ufw enable
```
Run the below command to get a list of active ports on the server and take note of anything that may need to be allowed through. Take note of anything with 'docker', as these will be containers running on the host (you can compare this data against Portainer)
```
lsof -i -P -n | grep LISTEN
```
Use the below command to allow ports through the firewall
```
ufw allow PORT
```

Generic "allow list", applicable to all our servers

ufw allow 8080 #crowdsec
ufw allow ssh #allow SSH

Port Forward in UniFi

Click on the settings cog in the bottom left
Select Security > Port Forwarding
Click on Create Entry

Please ensure the port forward rule is named using the below scheme

Forwarding to

Purpose

Firewall Rule Name

Lungo

API to allow remote devices to connect to Wazuh

Lungo - Wazuh API

Latte

Ports to make Plex available externally

Latte - Plex Ports

Espresso

Portainer Edge Agent connection to Portainer main instance

Espresso - Edge Agent

Where possible, limit the 'From' IP to the relevant client (eg VPS), though this isn't possible for most use cases (eg Plex, Pterodactyl game ports)