Running a public SuperTuxKart server securely - eviltoast

I want to run my own public SuperTuxKart server, since when I connect locally with my friends, if we are more than 2 people, any others will time out and I have no idea how to fix it, so I thought this could be an opportunity to learn how to secure an exposed server.

I watched the Techno Tim security video where he said to isolate it on the local network, then use a local reverse proxy and a Cloudflare one.

So if I use it in a container, is it restricted from the local network? If not, how do I do that? And do I need a separate reverse proxy that only has access to the one container, in like a Docker network, and then I expose the port and make it accessible with Duck DNS and then look into Cloudflare?

Any more things I need to research, and what resources do you guys recommend for me?

  • R0NAM1@alien.topB
    1 year ago

    A good strategy for having a publicly accessible server that is still ‘private’ is to forward a port to the internet from the machine that runs SuperTux server on your firewall/router combo, BUT put it through whitelist-based access control (ACL), then whenever your friends want to play they just give you their latest IP address (ifconfig.me) and you update the firewall to allow them. Usually this presents to any remote host as a closed/filtered port that the firewall just drops packets for unless the IP matches.

    Although I don’t recommend security through obscurity by itself, it would be terrifyingly impressive for an attacker to somehow know the specific whitelisted IP addresses and forge them to even get a return packet. I do the same thing with a bedrock server for switches and other less-than-configurable by network devices and it works very well.

    What router/firewall combo do you use, any custom firmware? The only way this could not work is if the router does not support it; if it doesn’t, you should get a new router regardless, all-in-ones’ default software is usually buggy and exploitable as hell.
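The allowlist approach from the reply above, as an added example that is not part of the thread: a small generator that validates the addresses friends send and renders an nftables ruleset dropping everything else. Assumptions: the server runs directly on a Linux host (not behind Docker's own forwarding rules), it listens on UDP 2759, and the table and set names are made up for illustration.

```python
import ipaddress

STK_PORT = 2759   # assumption: UDP port your server listens on; adjust to your config
MIN_PREFIX = 24   # refuse ranges broader than a /24
# LAN, CGNAT, loopback and link-local ranges a friend might paste by mistake.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample list (documentation-range addresses, not real players).
SAMPLE = ["203.0.113.7  # alice", "198.51.100.20", "198.51.100.0/24  # bob",
          "192.168.1.50", "0.0.0.0/0", "not-an-ip", ""]

def parse_allowlist(lines):
    """Return (accepted IPv4 networks, [(entry, reason)] for rejected entries)."""
    accepted, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()   # allow "ip  # name" comments
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IPv4 address or CIDR range"))
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append((entry, "range is too broad"))
        elif any(net.overlaps(block) for block in NOT_PUBLIC):
            rejected.append((entry, "not a public address"))
        else:
            accepted.append(net)
    # nftables interval sets reject overlapping elements, so merge them first.
    return list(ipaddress.collapse_addresses(accepted)), rejected

def render_ruleset(networks, port=STK_PORT):
    """Build an nftables file: allowlisted sources pass, all others are dropped."""
    items = ", ".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                      for n in networks)
    elements = f"    elements = {{ {items} }}\n" if networks else ""
    return (
        "table inet stk_allowlist\ndelete table inet stk_allowlist\n"  # clean reload
        "table inet stk_allowlist {\n  set friends_v4 {\n"
        "    type ipv4_addr\n    flags interval\n"
        f"{elements}  }}\n  chain input {{\n"
        "    type filter hook input priority 0; policy accept;\n"
        f"    udp dport {port} ip saddr @friends_v4 accept\n"
        f"    udp dport {port} drop\n  }}\n}}\n")

if __name__ == "__main__":
    print(render_ruleset(parse_allowlist(SAMPLE)[0]))
```

Save the output to a file and load it with `nft -f`; an empty allowlist yields a ruleset that drops all traffic to the port.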