
TAO'S MASTERNODE SETUP GUIDE FOR DUMMIES (UPDATE GUIDE UPDATED FOR 13.0)

Tao, I finally got round to attempting this. I have got to the final command, masternode start. When I run this, I get a message saying...

you must set masternode=1 in the configuration

I have a darkcoin.conf in the correct location and it does have, on line 9, masternode=1. Can you help..?

EDIT: Tao, I restarted my machine and the masternode started successfully. Thanks so much for taking the time to do this. Will send you some coins over to show appreciation...

What and how did you restart exactly? : )
 
Ok, I've borrowed heavily from chaeplin's 5 MN setup guide:
https://darkcointalk.org/threads/ec2-multiple-remote-nothing-mn-max-5.1660/

You should refer to his guide for details on how to set up your user spaces ('ubuntu' and 'ubuntu2' in the iptables script below) and darkcoin.conf.
The following iptables script is useful on VULTR and currently works for 2 IPs. It's straightforward to see how to extend it to 3 IPs.

NOTE: Be sure to install the connection tracking module, conntrack. Like this:
$ sudo apt-get install conntrack

Copy the code below into a file called firewall_2ips.sh. Then change permissions to be executable.
$ chmod 755 firewall_2ips.sh

Then run the script as sudo:
$ sudo ./firewall_2ips.sh

Code:
#!/bin/bash
# Firewall for a VULTR host with two public IPs: $IIP on eth0 and $IIP2 on the alias eth0:1
IIP=`/sbin/ifconfig eth0 |sed --silent 's/.*inet addr:\(.*\) \ Bcast.*/\1/p'`
IIP2=`/sbin/ifconfig eth0:1 |sed --silent 's/.*inet addr:\(.*\) \ Bcast.*/\1/p'`
# If the sed parse does not work on your ifconfig output, set the two IPs by hand instead, e.g. IIP="203.0.113.10" (sample address)
if [ -z "$IIP" ] || [ -z "$IIP2" ]; then
    echo "Could not determine both IPs (IIP='$IIP' IIP2='$IIP2'), not touching the firewall" >&2
    exit 1
fi
IPTABLES="/sbin/iptables"
echo "Activating firewall for $IIP and $IIP2"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Flush all rules and delete user chains in every table, then default everything to DROP
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Add your spoofed IP range/IPs here
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

# Accept loopback packets always
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Filter out IP fragments
$IPTABLES -A INPUT -f -j DROP
# Drop XMAS packets (all TCP flags set)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets (no TCP flags set)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop packets arriving on the WAN interface that claim to come from our own IP
$IPTABLES -A INPUT -i eth0 -s $IIP -j DROP

## Drop all spoofed source addresses, in both directions
for ip in $SPOOF_IPS
do
$IPTABLES -A INPUT -i eth0 -s $ip -j DROP
$IPTABLES -A OUTPUT -o eth0 -s $ip -j DROP
done

# Stateful filtering: accept replies to connections we initiated, drop anything conntrack cannot classify
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP

# Inbound services: ssh and https are open; 9998 and 9997 answer with a TCP reset instead of a silent drop
$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -m tcp --dport 9997 -j REJECT --reject-with tcp-reset
# Masternode port 9999, per public IP: reject new connections above 8 per /24 or 2 per single source address
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -d $IIP --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -d $IIP --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -d $IIP2 --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -d $IIP2 --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
# Everything else on 9999 is accepted
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 9999 -j ACCEPT
#
# Outbound: UDP (DNS) and ICMP, replies from ssh/https/9999, plus our own connections to https and to other nodes on 9999
$IPTABLES -A OUTPUT -p udp -o eth0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -o eth0 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport ssh -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 9999 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 9999 -j ACCEPT
#$IPTABLES -A OUTPUT -j ACCEPT
#COMMIT
#-----
# Source NAT: each unix user runs one darkcoind, and that user's traffic leaves from "its" public IP
$IPTABLES -t nat -A POSTROUTING -m owner --uid-owner ubuntu  -p tcp --dport 9999 -j SNAT --to-source $IIP
$IPTABLES -t nat -A POSTROUTING -m owner --uid-owner ubuntu2 -p tcp --dport 9999 -j SNAT --to-source $IIP2
#
$IPTABLES -t nat -A POSTROUTING -m owner --uid-owner ubuntu  -p tcp --dport 443 -j SNAT --to-source $IIP
$IPTABLES -t nat -A POSTROUTING -m owner --uid-owner ubuntu2 -p tcp --dport 443 -j SNAT --to-source $IIP2
#
$IPTABLES -t nat -A POSTROUTING -m owner --uid-owner ubuntu  -p tcp --dport ssh -j SNAT --to-source $IIP
$IPTABLES -t nat -A POSTROUTING -m owner --uid-owner ubuntu2 -p tcp --dport ssh -j SNAT --to-source $IIP2

Note that this script opens up the https port (port 443). This enables you to update masternode software easily. You may not want this port to be open. If that's the case, just comment out the lines with port 443 and those packets won't be accepted.
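Not part of the thread, and not the guide author's code: an added helper for the "extend it to 3 IPs" case, generating the per-IP connlimit block and the per-user SNAT block of firewall_2ips.sh for any number of user:ip pairs (it generalises the two hard-coded IPs above). The user:ip argument format, the function names and the iproute2-based address lookup are my assumptions; the addresses in the comments are constructed samples.

```shell
#!/bin/bash
# Added example (not from the thread or its author): generate the per-IP and
# per-user lines of firewall_2ips.sh for any number of public IPs instead of
# copying the $IIP / $IIP2 blocks by hand. Arguments are "unixuser:ip" pairs;
# all addresses used below are constructed samples. Rules are printed, not applied.
IPTABLES="/sbin/iptables"

# First IPv4 address behind an interface label (eth0, eth0:1, ...) read with
# iproute2, a sturdier alternative to the ifconfig/sed parse in the script.
iface_ipv4() {
  ip -4 -o addr show label "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# New-connection limits on the masternode port for one public IP: at most 8
# from any /24 and 2 from any single source address, rejected with a TCP reset.
mn_connlimit_rules() {
  local ip="$1" spec above mask
  for spec in "8 24" "2 32"; do
    above=${spec% *}; mask=${spec#* }
    printf '%s -A INPUT -i eth0 -p tcp -m tcp -d %s --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above %s --connlimit-mask %s --connlimit-saddr -j REJECT --reject-with tcp-reset\n' "$IPTABLES" "$ip" "$above" "$mask"
  done
}

# Outbound 9999, https and ssh traffic of one unix user is SNATed to that
# user's IP, so each darkcoind advertises the address it listens on.
mn_snat_rules() {
  local user="$1" ip="$2" port
  for port in 9999 443 ssh; do
    printf '%s -t nat -A POSTROUTING -m owner --uid-owner %s -p tcp --dport %s -j SNAT --to-source %s\n' "$IPTABLES" "$user" "$port" "$ip"
  done
}

# gen_mn_rules user:ip [user:ip ...] -> the complete block on stdout; a
# malformed argument (rough a.b.c.d sanity check) aborts before anything prints.
gen_mn_rules() {
  local pair
  for pair in "$@"; do
    case "$pair" in
      ?*:[0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
      *) echo "bad argument: $pair (want user:a.b.c.d)" >&2; return 1 ;;
    esac
  done
  for pair in "$@"; do mn_connlimit_rules "${pair#*:}"; done
  for pair in "$@"; do mn_snat_rules "${pair%%:*}" "${pair#*:}"; done
}
# e.g. gen_mn_rules ubuntu:203.0.113.10 ubuntu2:203.0.113.11 ubuntu3:203.0.113.12
```

Paste the printed lines in place of the four connlimit rules and the six SNAT rules in firewall_2ips.sh; with `iface_ipv4 eth0` and `iface_ipv4 eth0:1` you can also replace the two ifconfig/sed lines.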


Hello, I have made a file called firewall_2ips.sh made it executable and tried to run sudo ./firewall_2ips.sh and I am getting these errors:
""./firewall_2ips.sh:2-78 not found "" and "" ./firewall_2ips.sh: 3.IPP=104.156.227.208: not found ""

I am using Putty and WinSCP to login to my Vultr server and doing the commands through those.

Please help!
 
The script uses a tool called sed to read your IP addresses from the output of ifconfig. It's failing to parse the IPs, so just set $IIP and $IIP2 to your primary and secondary IPs by hand.
 

Where exactly are the lines to input the $IIP and $IIP2 in the code? Or do I have to enter it everywhere it says that?
Do I use my VPS IP or local wallet(s) IP?
If I do have to use my local IP, I only run 1 IP on the MN computer; do I just put it in both slots or leave the secondary one empty?

Sorry for the dummy questions, I am new with iptables/Windows in general.
 
On the local node, how come you can't just run 1 wallet but use 2 conf files.. Each with their own masternodeprivkey. Would you just generate a new masternode key... Then send 1000 DRK and it would be linked to the next Vin which is the new masternode key? Or it won't work that way?
 
There's no code yet to tie a particular vin (1000DRK lump) to a particular masternodeprivkey / server IP.

For now, just have a separate .dat and .conf for each MN, you'll save yourself a lot of headaches.
 
Understood! Would be really easy to add I suppose...but if we get Startmany to work..then we wouldn't need it.
 
You could always specify a second data directory with the other wallet and conf file, or else save multiple configs and then rename the appropriate wallet before launching the config file for that masternode.
 

Doesn't that mean you need to have two copies of the block chain (one for each MN wallet)? Seems like a waste of space...
 
No, you don't need two copies of the blockchain. Just swap your MN .dat and .conf files in and out of your .darkcoin directory as required before launching your daemon/qt wallet.
 
And if you run local wallets on Linux you can do this with a simple script like this:
Code:
$ cat loop.sh
#!/bin/bash
#### .conf and .dat files should have the same name
##### MAKE SURE YOU BACKED UP YOUR ORIGINAL WALLET.DAT IF YOU NEED IT #####
masternodesDir="masternodes"
configs="$masternodesDir/*.conf"
echo "Starting masternodes..."
## darkcoind stop
read -s -p "Enter your wallet passphrase:" mySuperSecretPassphrase
echo ""
# Poll instead of a fixed sleep: never copy the next wallet.dat over one that a
# still-running daemon has open, and do not send RPC before the daemon answers.
wait_for_daemon() {   # usage: wait_for_daemon up|down
  if [ "$1" = up ]; then
    until darkcoind getinfo >/dev/null 2>&1; do sleep 1; done
  else
    while pgrep -x darkcoind >/dev/null; do sleep 1; done
  fi
}
for conf in $configs
do
  wallet="${conf##*/}"
  wallet="$masternodesDir/${wallet%%.conf}.dat"
  message="config $conf and wallet $wallet"
  echo "Processing - $message"
  cp "$conf" ~/.darkcoin/darkcoin.conf
  cp "$wallet" ~/.darkcoin/wallet.dat
  darkcoind            # each .conf needs daemon=1, otherwise this blocks in the foreground
  wait_for_daemon up
  # The unlock RPC is walletpassphrase; the passphrase is visible in the process list for the moment this runs
  darkcoind walletpassphrase "$mySuperSecretPassphrase" 999999
  darkcoind masternode start
  darkcoind stop
  wait_for_daemon down
  echo "Done - $message"
done
## darkcoind
echo "Yay!"
Configs and wallets might then sit in the masternodes folder like this:
Code:
$ ls masternodes/
1.conf    1.dat    2.conf    2.dat    3.conf    3.dat

EDIT: btw, it should work but try it on testnet first just in case :)
 

When you have 2 darkcoinds writing the blockchain data simultaneously it's most probably only a matter of time until it's corrupted (I don't have the possibility to look into the code right now, but back in the good old days[TM] it was definitely not possible with bitcoind).
 
I just make sure I'm only running one daemon or qt at any given time. :)


Yeah I did it that way with SMUT before I found out that a local restart was only needed when there was a protocol bump. Went back to manually moving stuff because it was easier to figure out what had gone wrong in the event that something had. I tried the -datadir thing too but that meant you had to wait until the blockchain in each datadir had synced each time, was a pain.

Being able to hot-swap wallets and confs in the client would be handy, but I do c++ much like I do sheet music - I can mostly read it, just don't ask me to sit down at a piano and play it... :tongue: ...shouldn't be much more than just sticking a file selector dialogue in there though?

edit: yeehaw, thanks UdjinM6! :) - https://github.com/darkcoin/darkcoin/pull/50
 
Hey, thanks for putting in the work Tao. One thing worries me, it appears if someone followed your guide word for word, they would have a functioning firewall at first, but if the server were to restart.. the firewall.sh would not be active. If someone really were a noob, they might have to restart their server for whatever reason, then they would try to start their masternode not knowing that they had no firewall active. I may have missed something! But this little detail has been bugging me. Please let me know if I am incorrect!
 

g8F98FF3gjafogj4 flare Thanks for that info, I will update the guide.

EDIT: Done! Thanks again, I wouldn't want to be blamed for something bad happening due to lack of security!
 
Hey Tao,
In the most respectful way possible I have to propose that a reminder to run the firewall script at some distant future date is not sufficient. If we weren't funneling all new users not familiar with linux to this guide I wouldn't think it was such a big deal. Would you be opposed to including a script to run as sudo that would setup the firewall in a permanent manner in your guide?

* I am certainly willing to give a shot, and think I could get it with a bit of work. I wouldn't be surprised if some linux pros around couldn't pump it out really quick.
 
If you want to run it each boot:

Code:
crontab -e
...select editor if asked, nano is easiest...
add this to the end of the file:
Code:
@reboot /path/to/script.sh


Or just use ufw, far easier than iptables, here's the basics, you only need to do this once:
Code:
sudo apt-get install ufw (if needed, and you may need to 'sudo apt-get update' first as well)
sudo ufw allow ssh/tcp
sudo ufw allow 9999/tcp
sudo ufw logging on
sudo ufw enable
sudo ufw status
 
Another solution:

Code:
sudo apt-get install iptables-persistent


And choose "yes" to store the ipv4 rules
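An added check to go with any of these persistence options (not from the thread or its posters): it reads an `iptables -S` listing and tells you whether the rules from firewall_2ips.sh are actually loaded, which is what the reboot concern above comes down to. The file name check_fw.sh and the --check flag are my assumptions, and the rule listings in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): after a reboot, confirm that the rules from
# firewall_2ips.sh are really loaded, whatever persistence method you picked.
# check_firewall_rules reads an `iptables -S` listing on stdin and returns 0 only
# if every key rule is there, so the input can be constructed for testing.
# On the server (file name check_fw.sh is an assumption):
#   sudo iptables -S | sh check_fw.sh --check
check_firewall_rules() {
  rules=$(cat)
  missing=""
  # 1. Default policies: still ACCEPT means the firewall script never ran after boot
  for chain in INPUT FORWARD OUTPUT; do
    printf '%s\n' "$rules" | grep -qx -- "-P $chain DROP" || missing="$missing policy:$chain"
  done
  # 2. Stateful accept; without it every reply to an outbound connection is dropped
  #    (iptables -S may print the two states in either order)
  printf '%s\n' "$rules" \
    | grep -Eqx -- '-A INPUT -m conntrack --ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' \
    || missing="$missing conntrack"
  # 3. The ports the guide opens: ssh (listed as 22 by iptables -S) and the masternode port 9999
  printf '%s\n' "$rules" | grep -Eqx -- '-A INPUT -p tcp (-m tcp )?--dport (22|ssh) -j ACCEPT' \
    || missing="$missing ssh"
  printf '%s\n' "$rules" | grep -Eqx -- '-A INPUT -p tcp (-m tcp )?--dport 9999 -j ACCEPT' \
    || missing="$missing 9999"
  if [ -n "$missing" ]; then
    echo "FIREWALL NOT ACTIVE, missing:$missing" >&2
    return 1
  fi
  echo "firewall rules present"
  return 0
}
# Only run the check when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_firewall_rules
  exit $?
fi
```

A non-zero exit from a cron @reboot job is the cheapest alarm: cron mails the "FIREWALL NOT ACTIVE" line to the account running the job.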
 