Skip to content

Instantly share code, notes, and snippets.

@heri16

heri16/0-connect.sh

Last active December 7, 2025 16:26
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save heri16/24979369b7086b6c38b6574b0712219d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save heri16/24979369b7086b6c38b6574b0712219d to your computer and use it in GitHub Desktop.
Download ZIP
Quickly setup and operate a nym-mixnet exit-node. See: https://nym.com/docs/operators/nodes
Raw
0-connect.sh
# Set public ip address of VPS
NODE_IP=103.90.238.200
# Setup modern TERM
infocmp -x xterm-ghostty | ssh "nonroot@${NODE_IP}" -- tic -x -
infocmp -x xterm-ghostty | ssh "nonroot@${NODE_IP}" -- sudo tic -x -
# Connect via ssh
ssh "nonroot@${NODE_IP}"
Raw
1-pre-setup.sh
# Configure secure DNS
sudo mkdir -p /etc/systemd/resolved.conf.d/
sudo tee /etc/systemd/resolved.conf.d/secure-dns.conf <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSSEC=yes
DNSOverTLS=yes
EOF
# Enable secure DNS
systemd-analyze cat-config systemd/resolved.conf --no-pager
sudo systemctl restart systemd-resolved
resolvectl status --no-pager
# Check for IPv6 connectivity
curl -6 ifconfig.co
# If the above IPv6 connectivity check fails, setup a IPv6 tunnel, and set the broker's IP address here:
open https://manager.route64.org/tunnelbroker/
NODE_IP=$(curl -4 ifconfig.co 2> /dev/null)
BROKER_IP=103.170.116.130
ASSIGNED_PREFIX=2a11:6c7:f07:9d
# sudo ip tunnel add tb22916R64 mode gre remote $BROKER_IP local $NODE_IP ttl 255
# sudo ip link set tb22916R64 up
# sudo ip -6 addr add ${ASSIGNED_PREFIX}::2/64 dev tb22916R64
# sudo ip -6 route add default dev tb22916R64
sudo tee /etc/netplan/99-tunnel-brokers.yaml > /dev/null <<EOF
network:
version: 2
tunnels:
tb22916R64:
mode: gre
local: ${NODE_IP}
remote: ${BROKER_IP}
ttl: 255
addresses:
- ${ASSIGNED_PREFIX}::2/64
routes:
- to: default
via: "::"
EOF
sudo chmod 600 /etc/netplan/99-tunnel-brokers.yaml
sudo netplan generate
ls /run/systemd/network/
sudo netplan apply
sudo networkctl reconfigure tb22916R64
sudo networkctl status tb22916R64 --no-pager
ping -c 3 ${ASSIGNED_PREFIX}::1
curl -6 ifconfig.co
sudo apt update
sudo apt upgrade
sudo reboot
Raw
2-setup.sh
# Set the correct parameters below
NODE_COUNTRY_CODE="SG"
NODE_CITY="Singapore 🇸🇬"
DNS_HOSTNAME="sgp1.example.com"
CONTACT_EMAIL="[email protected]"
# Install mise.jdx.dev
[ -n "$ZSH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/zsh || curl --proto '=https' --tlsv1.2 https://mise.run/zsh | sh
[ -n "$BASH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/bash | bash
[ -n "$FISH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/fish | sh
exec -l $SHELL
# Test node's connectivity
mise use -g jq
curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/test-nodes-pings.sh
chmod +x test-nodes-pings.sh
./test-nodes-pings.sh
# Install nginx
sudo apt install -y nginx certbot python3-certbot-nginx
sudo ufw disable
# Issue TLS cert
sudo certbot --nginx --non-interactive --agree-tos --redirect -m "$CONTACT_EMAIL" -d "$DNS_HOSTNAME"
# Disable default site
sudo unlink /etc/nginx/sites-enabled/default
sudo nginx -t && sudo systemctl restart nginx
# Stop & remove all remnant services
sudo systemctl stop nym-node
sudo rm /etc/systemd/system/nym-node.service
sudo systemctl stop nym-bridge
sudo rm /etc/systemd/system/nym-bridge.service
sudo rm -rf /root/.nym
# Download automated installer script
mise use -g python@latest
curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/nym-node-cli.py
command -v python3 && sed -i '1s|^#!.*|#!/usr/bin/env python3|' ./nym-node-cli.py
chmod +x ./nym-node-cli.py
# Begin installation, follow instructions, and make sure no red-colored lines emitted
sudo ./nym-node-cli.py install --hostname "$DNS_HOSTNAME" --moniker "mixnet.id | ${NODE_CITY}" --description "High-IOPS server on the most well-peered ASN connection in the country, with Global AnyCast DNS infrastructure." --wireguard-enabled true --location "$NODE_COUNTRY_CODE" --mode exit-gateway --email "$CONTACT_EMAIL"
# Take note of this output:
# ******************************************
# * * * C O N G R A T U L A T I O N ! * * *
# Your Nym node is registered to Nym network
# Wait until the end of epoch for the change
# to propagate (max 60 min)
# Then you can see your node at:
# https://explorer.nym.spectredao.net/nodes/<NODE_IDENT_KEY>
# ******************************************
# Set the node identity key
NODE_IDENT_KEY="0jvQQQyQHjHRsZjBwR5WWW8RqtvBwChzpcsp18G6nYYY"
# Open node monitoring sites
open https://explorer.nym.spectredao.net/nodes/$NODE_IDENT_KEY
open https://harbourmaster.nymtech.net/gateway/$NODE_IDENT_KEY
open https://nym.com/explorer/nym-node/$NODE_IDENT_KEY
Raw
3-post-setup.sh
# Set the correct parameters below
NODE_IDENT_KEY="0jvQQQyQHjHRsZjBwR5WWW8RqtvBwChzpcsp18G6nYYY"
DNS_HOSTNAME="sgp1.example.com"
CONTACT_EMAIL="[email protected]"
# Check node's status
sudo networkctl status tb22916R64 --no-pager
sudo systemctl status nym-bridge --no-pager
sudo systemctl status nym-node --no-pager
sudo systemctl status nginx --no-pager
# Check node's config
sudo head -n72 /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo grep -E 'hostname|announce_wss_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml
# Check DNS records of node
getent ahostsv4 ${DNS_HOSTNAME} | uniq
getent ahostsv6 ${DNS_HOSTNAME} | uniq
# Check that node's API is accessible
curl -L http://${DNS_HOSTNAME}:8080/api/v1/swagger/#/
curl -L http://${DNS_HOSTNAME}/api/v1/swagger/#/
curl https://${DNS_HOSTNAME}/api/v1/swagger/#/
curl https://${DNS_HOSTNAME}/api/v1/roles 2> /dev/null | jq .
# Check node's firewall rules
sudo iptables -L ufw-user-input -v -n --line-numbers
sudo ip6tables -L ufw6-user-input -v -n --line-numbers
# Save firewall rules to persist across reboots
sudo apt install -y netfilter-persistent iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload
sudo systemctl enable netfilter-persistent
# Change website value to `nym-exit.example.com`
sudo nano /root/.nym/nym-nodes/default-nym-node/data/description.toml
sudo systemctl restart nym-node
# Change email value to your email address
sudo sed -i "s|<YOUR_EMAIL_ADDRESS>|${CONTACT_EMAIL}|g" /var/www/${DNS_HOSTNAME}/index.html
curl https://${DNS_HOSTNAME} 2> /dev/null | grep '<meta.*contact:email'
# Check node's info
curl https://${DNS_HOSTNAME}/api/v1/description 2> /dev/null | jq .
curl https://${DNS_HOSTNAME}/api/v1/system-info 2> /dev/null | jq .
echo 'Node ID:' \
$(curl -s https://validator.nymtech.net/api/v1/nym-nodes/described \
| jq --arg key "$NODE_IDENT_KEY" '.data[] | select(.description.host_information.keys.ed25519==$key) | .node_id')
# Check for nginx configuration warnings
sudo nginx -t
# Fix `http2 on;` nginx warning
sudo ls /etc/nginx/sites-available
sudo sed -i '/^[[:space:]]*listen 9001 ssl http2;/ { N; s|^[[:space:]]*listen 9001 ssl http2;\n[[:space:]]*listen \[::\]:9001 ssl http2;| listen 9001 ssl;\n listen [::]:9001 ssl;\n http2 on;| }' /etc/nginx/sites-available/wss-config-nym
cat /etc/nginx/sites-available/wss-config-nym
# Disable weaker ciphers and curve groups
sudo sed -i '/^[[:space:]]*ssl_dhparam \/etc\/letsencrypt\/ssl-dhparams\.pem;/a\
\
# Disable weaker ciphers and groups. See: https://ssl-config.mozilla.org/#server=nginx&config=intermediate&ocsp=false\
ssl_conf_command CipherString ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;\
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;\
ssl_conf_command Curves x25519:prime256v1:secp384r1;' /etc/nginx/sites-available/wss-config-nym
cat /etc/nginx/sites-available/wss-config-nym
# Enable HSTS to get A+ score on https://www.ssllabs.com/ssltest/
sudo sed -i '/proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;/a\
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;' /etc/nginx/sites-available/${DNS_HOSTNAME}
cat /etc/nginx/sites-available/${DNS_HOSTNAME}
# Check for nginx configuration warnings & restart nginx
sudo ls /etc/nginx/sites-enabled
sudo nginx -t && sudo systemctl restart nginx
# Download automated network testing script
curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh
chmod +x ./network-tunnel-manager.sh
# Check node's network config
sudo ./network-tunnel-manager.sh --help
sudo ./network-tunnel-manager.sh check_ip_routing
sudo ./network-tunnel-manager.sh check_ipv6_ipv4_forwarding
sudo ./network-tunnel-manager.sh check_nym_wg_tun
sudo ./network-tunnel-manager.sh check_nymtun_iptables
sudo resolvectl dns --no-pager
sudo networkctl list --no-pager
sudo networkctl status -n0 --no-pager
# Run automated network testing script
sudo ./network-tunnel-manager.sh joke_through_the_mixnet
sudo ./network-tunnel-manager.sh joke_through_wg_tunnel
sudo ./network-tunnel-manager.sh exit_policy_test_connectivity
sudo ./network-tunnel-manager.sh exit_policy_tests
# Check node's IPv6 address
sudo ./network-tunnel-manager.sh fetch_and_display_ipv6
curl -6 -s ifconfig.co
# Check that DNS record matches node's IPv6 address
DNS_IP="$(getent ahostsv6 ${DNS_HOSTNAME} | awk '$2=="STREAM" {print $1}' | uniq)"
[ "$DNS_IP" == "$(curl -6 -s ifconfig.co)" ] && echo "GOOD MATCH" || echo "BAD dns-record: ${DNS_IP}"
# Change QUIC port to udp/443
sudo sed -i 's/:4443/:443/g' /etc/nym/bridges.toml
sudo sed -i 's/:4443/:443/g' /etc/nym/client_bridge_params.json
sudo netfilter-persistent save
# sudo iptables-save | sudo tee /etc/iptables/rules.v4
# sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
sudo sed -i 's/-m udp --dport 4443/-m udp --dport 443/g' /etc/iptables/rules.v4
sudo sed -i 's/-m udp --dport 4443/-m udp --dport 443/g' /etc/iptables/rules.v6
# sudo cat /etc/iptables/rules.v4 | sudo iptables-restore
# sudo cat /etc/iptables/rules.v6 | sudo ip6tables-restore
sudo netfilter-persistent reload
sudo systemctl enable netfilter-persistent
sudo systemctl restart nym-bridge
sudo systemctl restart nym-node
# Check node's firewall rules
sudo iptables -L ufw-user-input -v -n --line-numbers
sudo ip6tables -L ufw6-user-input -v -n --line-numbers
# Reboot
sudo reboot
Raw
4-dpi-hardening.sh
# Set the correct parameters below
DNS_HOSTNAME="sgp1.example.com"
# Overwrite `/etc/nginx/sites-available/$DNS_HOSTNAME` with this file
sudo tee /etc/nginx/sites-available/$DNS_HOSTNAME <<EOF
map \$http_upgrade \$route {
"" @static; # empty header → static
default @ws_backend; # anything else → WebSocket
}
map \$sent_http_content_type \$hsts_header {
"~*text/html" "max-age=63072000; includeSubDomains; preload";
default "";
}
map \$sent_http_content_type \$expect_ct_header {
"~*text/html" "max-age=86400, enforce";
default "";
}
map \$sent_http_content_type \$x_xss_protection_header {
"~*text/html" "0";
default "";
}
map \$sent_http_content_type \$csp_header {
"~*text/html" "sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox; upgrade-insecure-requests; base-uri 'none'; frame-ancestors 'none'; default-src blob: data: 'self'; font-src 'none'; style-src 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; script-src 'self' 'sha256-tIPFFuERfdUkWGR9Qbo82JM2MTTGCpWpBX2S6aBCTbw=';";
default "";
}
map \$sent_http_content_type \$permissions_policy_header {
"~*text/html" "cross-origin-isolated=(self), autoplay=*, fullscreen=*, picture-in-picture=*, web-share=*, clipboard-write=*, accelerometer=(), ambient-light-sensor=(), bluetooth=(), browsing-topics=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), screen-wake-lock=(), serial=(), usb=(), xr-spatial-tracking=(), sync-xhr=()";
default "";
}
server {
server_name ${DNS_HOSTNAME};
# Add basic security headers. See: https://securityheaders.com
add_header 'X-Frame-Options' 'DENY' always;
add_header 'Referrer-Policy' 'strict-origin' always;
add_header 'Cross-Origin-Resource-Policy' 'same-origin' always;
add_header 'Cross-Origin-Opener-Policy' 'same-origin' always;
add_header 'X-Content-Type-Options' 'nosniff' always;
# Add strict security headers which forces browsers to use HTTPS
add_header 'Strict-Transport-Security' '\$hsts_header' always;
add_header 'Expect-CT' '\$expect_ct_header' always;
add_header 'X-XSS-Protection' '\$x_xss_protection_header' always;
add_header 'Content-Security-Policy' '\$csp_header' always;
add_header 'Permissions-Policy' '\$permissions_policy_header' always;
location = /index.html {
root /var/www/${DNS_HOSTNAME};
access_log off;
}
location = /favicon.ico {
return 204;
access_log off;
log_not_found off;
}
location /api {
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location / {
try_files @ \$route;
}
location @static {
index index.html;
# First attempt to serve request as file, then
# as directory index, then fall back to displaying a 404.
try_files \$uri \$uri/ =404;
}
location @ws_backend {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
add_header 'Access-Control-Allow-Headers' '*' always;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_pass http://localhost:9000;
proxy_intercept_errors on;
}
http2 on;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/${DNS_HOSTNAME}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/${DNS_HOSTNAME}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Disable weaker ciphers and groups. See: https://ssl-config.mozilla.org/#server=nginx&config=intermediate&ocsp=false
ssl_conf_command CipherString ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_conf_command Curves x25519:prime256v1:secp384r1;
}
server {
listen 80;
listen [::]:80;
server_name ${DNS_HOSTNAME};
location / {
try_files @_ \$route;
}
location @static {
if (\$host = ${DNS_HOSTNAME}) {
return 301 https://\$host\$request_uri;
} # managed by Certbot
return 404; # managed by Certbot
}
location @ws_backend {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
add_header 'Access-Control-Allow-Headers' '*' always;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_pass http://localhost:9000;
proxy_intercept_errors on;
}
}
EOF
# Test websocket port
mise use -g websocat
echo | websocat -n ws://${DNS_HOSTNAME}:9000/ && echo "Port 9000 (ws): OK"
# Reload nginx configuration:
sudo unlink /etc/nginx/sites-enabled/wss-config-nym
sudo nginx -t && sudo systemctl reload nginx
echo | websocat -n ws://${DNS_HOSTNAME}/ && echo "Port 80 (ws): OK"
echo | websocat -n wss://${DNS_HOSTNAME}/ && echo "Port 443 (wss): OK"
# Change announce_ws_port and announce_wss_port:
sudo sed -i 's/^\(announce_ws_port[[:space:]]*=[[:space:]]*\)[0-9]\+/\180/' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo sed -i 's/^\(announce_wss_port[[:space:]]*=[[:space:]]*\)[0-9]\+/\1443/' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo grep -E 'hostname|announce_ws_port|announce_wss_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo systemctl restart nym-node
# Change `mixnet.announce_port` and `verloc.announce_port`:
sudo awk '
/^\[[^]]+\]/ { section="" }
/^\[mixnet\]/ { section="mixnet" }
/^\[verloc\]/ { section="verloc" }
/^bind_address[[:space:]]*=/ {
if (section=="mixnet") { print "bind_address = '[::]:8443'"; next }
if (section=="verloc") { print "bind_address = '[::]:1790'"; next }
}
/^announce_port[[:space:]]*=/ {
if (section=="mixnet") { print "announce_port = 8443 "; next }
if (section=="verloc") { print "announce_port = 995 "; next }
}
{ print }
' /root/.nym/nym-nodes/default-nym-node/config/config.toml | sudo tee /root/.nym/nym-nodes/default-nym-node/config/config.toml.save
sudo grep -E 'bind_address|announce_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml.save
sudo chown --reference="/root/.nym/nym-nodes/default-nym-node/config/config.toml" "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" && \
sudo chmod --reference="/root/.nym/nym-nodes/default-nym-node/config/config.toml" "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" && \
sudo mv "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" "/root/.nym/nym-nodes/default-nym-node/config/config.toml"
# Update node's firewall rules to open `mixnet.announce_port` and `verloc.announce_port`
# and block traffic to spynode at OVH
IPV4="$(curl -4 -s ifconfig.co)"
IPV6="$(curl -6 -s ifconfig.co)"
sudo netfilter-persistent reload
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 995 -j REDIRECT --to-ports 1790
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 995 -j REDIRECT --to-ports 1790
sudo iptables -A ufw-user-output -d "$(getent ahostsv4 proof.ovh.net | awk '$2=="STREAM" {print $1}' | head -n1)" -p tcp -j REJECT --reject-with tcp-reset
sudo iptables -A ufw-user-output -d "$(getent ahostsv4 proof.ovh.net | awk '$2=="STREAM" {print $1}' | head -n1)" -j REJECT --reject-with icmp-admin-prohibited
sudo ip6tables -A ufw6-user-output -d "$(getent ahostsv6 proof.ovh.net | awk '$2=="STREAM" {print $1}' | head -n1)" -p tcp -j REJECT --reject-with tcp-reset
sudo ip6tables -A ufw6-user-output -d "$(getent ahostsv6 proof.ovh.net | awk '$2=="STREAM" {print $1}' | head -n1)" -j REJECT --reject-with icmp6-adm-prohibited
sudo netfilter-persistent save
# Update node's firewall rules to close port 9000 and port 9001
sudo sed -i 's/-m tcp --dport 9000/-m tcp --dport 8888/g' /etc/iptables/rules.v4
sudo sed -i 's/-m tcp --dport 9000/-m tcp --dport 8888/g' /etc/iptables/rules.v6
sudo sed -i 's/-m tcp --dport 9001/-m tcp --dport 8443/g' /etc/iptables/rules.v4
sudo sed -i 's/-m tcp --dport 9001/-m tcp --dport 8443/g' /etc/iptables/rules.v6
sudo netfilter-persistent reload
# Create temporary backup port redirections to keep good uptime scores
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 1789 -j REDIRECT --to-ports 8443
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 1789 -j REDIRECT --to-ports 8443
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 9000 -j REDIRECT --to-ports 80
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 9000 -j REDIRECT --to-ports 80
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 9001 -j REDIRECT --to-ports 443
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 9001 -j REDIRECT --to-ports 443
# Check node's firewall rules
sudo iptables -L ufw-user-input -v -n --line-numbers
sudo ip6tables -L ufw6-user-input -v -n --line-numbers
sudo iptables -t nat -L PREROUTING -v -n --line-numbers
sudo ip6tables -t nat -L PREROUTING -v -n --line-numbers
# Restart nym-node service
sudo grep -E 'announce_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo systemctl restart nym-node
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment