An Exercise in Dithering

Tagged with firewall, linux, mini pc, raspberry pi, remmina, ssh, x11 on June 2, 2024

I’ve gone to a lot of trouble to accomplish basically nothing. Although I have a very secure connection from my Mini PC to my Raspberry Pi 400 (“Pi” for short), I may abandon the idea of using the Pi for remote services. I really can’t make up my mind about it and if that isn’t an exercise in dithering, I don’t know what is.

Although I live in the Philippines, I plan to be away for 10 to 12 months from sometime in 2025 to sometime in 2026. While I’m gone, one or more power outages are guaranteed to take place. That doesn’t worry me since I have a UPS in place, which can act as a sort of surge protector. What worries me is the ISP. They do strange things.

My house will stay locked up while I’m gone, with only a single sister-in-law entering to turn on outside lights at night and turning them off in the morning. There isn’t always someone available who’s reliable enough to go in and reset the router. A nephew can, when he’s around, but he’s usually not around when something needs to be fixed. He’s in college and he keeps odd hours.

I’ll eventually make up my mind about it. In the meantime, I’m employing some things I’ve learned.

Keys to the Kingdom

The secret to security is access. I use UFW as the interface to iptables, which implements packet filtering rules. The default rules allow all outgoing while denying all incoming. The rules I had to create were to specify what IP addresses could be allowed in.

Since I have access to the Pi restricted to one subdomain’s IP address and one local static IP address (both for the Mini PC), I don’t need to specify ports. Since I’m not specifying the protocol, it works for both TCP and UDP. I’ve rewritten the BASH script I use (more than once):

#!/bin/bash
HOSTNAME=sub.domain.com
IPFILE=/home/username/access.txt
STATIC_IP=192.168.1.101
CURRENT_IP=$(dig +short $HOSTNAME)
if [ ! -f $IPFILE ]; then
    /usr/sbin/ufw allow from $STATIC_IP
    /usr/sbin/ufw allow from $CURRENT_IP
    echo $CURRENT_IP > $IPFILE
else
    OLD_IP=$(cat $IPFILE)
    if [ "$CURRENT_IP" = "$OLD_IP" ] ; then
        echo IP address has not changed
    else
        /usr/sbin/ufw delete allow from $OLD_IP
        /usr/sbin/ufw allow proto rom $CURRENT_IP
        echo $CURRENT_IP > $IPFILE
        echo iptables have been updated
    fi
fi

The static local IP addresses of the Mini PC and the Pi are both set at the router. The ports that need to be forwarded to the Pi are also set at the router. Currently, those ports are 22 for SSH, and 3389 for RDP.

Both the Mini PC and the Pi have subdomain names obtained through Duck DNS and Dynu, with Duck DNS being a fallback service.

X11 Forwarding

I’m using the Cinnamon desktop environment on both the Mini PC and the Pi, and both use the X Window System. Although I can use Remmina to display the desktop on the Pi, I probably won’t use it often. I can forward X11 through SSH to the Pi and allow X11 on the Pi in the SSH daemon configuration.

When I bring up the terminal, and log into the Pi through SSH, I can immediately execute the name of an application and bring it up in front of me on the Mini PC. I’ve tested this feature with Chromium (chromium-browser) and Transmission (transmission-gtk), and I’ve been able to interact with both applications. They’re slightly sluggish, of course, because the connection speed isn’t superfast.

Image by LoggaWiggler from Pixabay