Pi-Star and PiAware

Hi community. Long time reader, first time poster.

I’m trying to set up a pi-star system to also run piaware. I found three topics mentioning this subject briefly on the forums here. There are no mentions in the pi-star forums. Information I’ve gleaned so far includes the need to adjust the settings of /etc/lighttpd/lighttpd.conf to change from port 80 (used by pi-star) to port 8888.

https://discussions.flightaware.com/t/v3-81-new-user-failed-to-claim-feed/

However, I’m a little confused about the second subject on that discussion regarding iptables and what rules to apply. Is there a simple iptables rule that could/should be added?

Here are some details for troubleshooting purposes:

pi-star@pi-star(rw):~$ sudo piaware-status
PiAware master process (piaware) is not running.
PiAware ADS-B client (faup1090) is not running.
PiAware ADS-B UAT client (faup978) is not running (disabled by configuration settings)
PiAware mlat client (fa-mlat-client) is not running.
Local ADS-B receiver (dump1090-fa) is running with pid 1013.

dump1090-fa (pid 1013) is listening for ES connections on port 30005.
faup1090 is NOT connected to the ADS-B receiver.
piaware is NOT connected to FlightAware.

dump1090 is producing data on localhost:30005.

You don't have a feeder ID yet.
pi-star@pi-star(rw):~$ top

top - 12:14:36 up  1:36,  1 user,  load average: 0.56, 0.64, 0.70
Tasks: 138 total,   3 running, 123 sleeping,  11 stopped,   1 zombie
%Cpu(s): 11.5 us,  3.8 sy,  0.0 ni, 84.5 id,  0.0 wa,  0.0 hi,  0.3 si,  0.0 st
MiB Mem :    972.8 total,    668.4 free,    126.1 used,    178.2 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.    772.9 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                                                       
 1013 dump1090  15  -5   32628   7956   4120 R  38.5   0.8  37:18.58 dump1090-fa                                                                                   
 1380 www-data  20   0  127256  12016   9116 S   2.3   1.2   1:35.67 php-fpm7.0                                                                                    
 1381 www-data  20   0  127376  11904   9248 S   2.0   1.2   1:33.50 php-fpm7.0                                                                                    
 1232 root      10 -10   53564  43056   3392 R   1.6   4.3   1:52.89 MMDVMHost                                                                                     
14903 pi-star   20   0   10584   3160   2612 R   1.0   0.3   0:00.08 top                                                                                           
  886 adsbexc+  19  -1   89396   6952   2628 S   0.7   0.7   0:49.43 feed-adsbx                                                                                    
 4569 www-data  20   0  127064  10760   8464 S   0.7   1.1   1:30.72 php-fpm7.0                                                                                    
  116 root      20   0   35692   7792   6832 S   0.3   0.8   0:07.16 systemd-journal                                                                               
  248 root      20   0       0      0      0 S   0.3   0.0   0:04.11 brcmf_wdog/mmc1                                                                               
  884 adsbexc+  19  -1   18812  10940   7076 S   0.3   1.1   0:18.50 mlat-client                                                                                   
 1332 www-data  20   0    8072   4076   3200 S   0.3   0.4   0:15.08 nginx                                                                                         
 5716 root      20   0       0      0      0 I   0.3   0.0   0:00.62 kworker/u8:2-events_unbound                                                                   
    1 root      20   0   33860   8244   6376 S   0.0   0.8   0:31.89 systemd                                                                                       
    2 root      20   0       0      0      0 S   0.0   0.0   0:00.01 kthreadd                                                                                      
    3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp                                                                                        
    4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp                                                                                    
    8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq                                                                                  
    9 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_rude_                                                                               
   10 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_trace                                                                               
   11 root      20   0       0      0      0 S   0.0   0.0   0:01.64 ksoftirqd/0                                                                                   
   12 root      20   0       0      0      0 I   0.0   0.0   0:14.13 rcu_sched                                                                                     
   13 root      rt   0       0      0      0 S   0.0   0.0   0:00.05 migration/0                                                                                   
   14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0                                                                                       
   15 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/1                                                                                       
   16 root      rt   0       0      0      0 S   0.0   0.0   0:00.04 migration/1                                                                                   
   17 root      20   0       0      0      0 S   0.0   0.0   0:01.04 ksoftirqd/1                                                                                   
   20 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/2                                                                                       
   21 root      rt   0       0      0      0 S   0.0   0.0   0:00.04 migration/2                                                                                   
   22 root      20   0       0      0      0 S   0.0   0.0   0:01.11 ksoftirqd/2                                                                                   
   24 root       0 -20       0      0      0 I   0.0   0.0   0:00.01 kworker/2:0H-kblockd                                                                          
   25 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/3                                                                                       
   26 root      rt   0       0      0      0 S   0.0   0.0   0:00.03 migration/3                                                                                   
   27 root      20   0       0      0      0 S   0.0   0.0   0:00.93 ksoftirqd/3                                                                                   
   30 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kdevtmpfs                                                                                     
   31 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 netns                                                                                         
   35 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kauditd                                                                                       
   37 root      20   0       0      0      0 S   0.0   0.0   0:00.00 khungtaskd                                                                                    
   38 root      20   0       0      0      0 S   0.0   0.0   0:00.00 oom_reaper                                                                                    
   39 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 writeback                                                                                     
   40 root      20   0       0      0      0 S   0.0   0.0   0:00.60 kcompactd0                                                                                    
[6]+  Stopped                 top
pi-star@pi-star(rw):~$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  192.168.0.0/16       anywhere             udp dpt:20000
ACCEPT     udp  --  172.16.0.0/12        anywhere             udp dpt:20000
ACCEPT     udp  --  10.0.0.0/8           anywhere             udp dpt:20000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  192.168.0.0/16       anywhere             tcp dpt:microsoft-ds
ACCEPT     tcp  --  172.16.0.0/12        anywhere             tcp dpt:microsoft-ds
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10022
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2460
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2222
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     all  --  192.168.50.0/24     !192.168.50.0/24     
ACCEPT     udp  --  192.168.50.0/24      192.168.50.1         udp dpt:domain
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ACCEPT     udp  --  192.168.0.0/16       anywhere             udp spt:1900
ACCEPT     udp  --  172.16.0.0/12        anywhere             udp spt:1900
ACCEPT     udp  --  10.0.0.0/8           anywhere             udp spt:1900
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpts:20001:20007
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30001:30007
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30051:30057
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30061:30064
ACCEPT     udp  --  anywhere             anywhere             udp dpt:40000
ACCEPT     udp  --  anywhere             anywhere             udp spts:42000:43000 dpts:1024:65535
ACCEPT     udp  --  anywhere             anywhere             udp spt:52000 dpts:1024:65535
ACCEPT     udp  --  anywhere             anywhere             udp spts:41000:41010 dpts:32768:60999
LOGNDROP   all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:git
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9007
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:14580
REJECT     tcp  --  anywhere             dcs001.xreflector.net  tcp dpt:20001 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:20001
ACCEPT     udp  --  anywhere             192.168.0.0/16       udp dpt:20000
ACCEPT     udp  --  anywhere             172.16.0.0/12        udp dpt:20000
ACCEPT     udp  --  anywhere             10.0.0.0/8           udp dpt:20000
ACCEPT     udp  --  anywhere             anywhere             udp dpts:20001:20007
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30001:30007
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30051:30057
ACCEPT     udp  --  anywhere             anywhere             udp dpts:30061:30064
ACCEPT     udp  --  anywhere             anywhere             udp dpt:40000
ACCEPT     udp  --  anywhere             anywhere             udp dpts:55550:55580
ACCEPT     udp  --  anywhere             anywhere             udp dpt:62031
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5040
ACCEPT     udp  --  anywhere             anywhere             udp dpt:62030
ACCEPT     udp  --  anywhere             anywhere             udp dpts:42000:43000
ACCEPT     udp  --  anywhere             anywhere             udp spt:42001 dpt:62500
ACCEPT     udp  --  anywhere             anywhere             udp dpts:41000:41010
ACCEPT     udp  --  anywhere             anywhere             udp dpt:41720
ACCEPT     udp  --  anywhere             anywhere             udp dpt:41400
ACCEPT     udp  --  anywhere             anywhere             udp dpt:42400
ACCEPT     udp  --  anywhere             anywhere             udp dpt:41500
ACCEPT     udp  --  anywhere             anywhere             udp spt:14050
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:43434
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere             udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ACCEPT     tcp  --  anywhere             192.168.0.0/16       tcp dpts:1025:65535
ACCEPT     tcp  --  anywhere             172.16.0.0/12        tcp dpts:1025:65535
ACCEPT     tcp  --  anywhere             10.0.0.0/8           tcp dpts:1025:65535
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply state RELATED,ESTABLISHED

Chain LOGNDROP (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

pi-star@pi-star(ro):~$ sudo netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:30154           0.0.0.0:*               LISTEN      900/feed-adsbx      
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1405/smbd           
tcp        0      0 0.0.0.0:30157           0.0.0.0:*               LISTEN      930/python3         
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1390/shellinaboxd   
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init              
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1393/lighttpd       
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1285/nginx: master  
tcp        0      0 0.0.0.0:30002           0.0.0.0:*               LISTEN      937/dump1090-fa     
tcp        0      0 0.0.0.0:30003           0.0.0.0:*               LISTEN      937/dump1090-fa     
tcp        0      0 0.0.0.0:30004           0.0.0.0:*               LISTEN      937/dump1090-fa     
tcp        0      0 0.0.0.0:30005           0.0.0.0:*               LISTEN      937/dump1090-fa     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1074/sshd           
tcp        0      0 0.0.0.0:8504            0.0.0.0:*               LISTEN      1393/lighttpd       
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1393/lighttpd       
tcp        0      0 0.0.0.0:30104           0.0.0.0:*               LISTEN      937/dump1090-fa     
tcp        0      0 0.0.0.0:31003           0.0.0.0:*               LISTEN      930/python3         
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1405/smbd           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           860/dhcpcd          
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/init              
udp        0      0 192.168.1.69:123        0.0.0.0:*                           1050/ntpd           
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1050/ntpd           
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1050/ntpd           
udp        0      0 192.168.1.255:137       0.0.0.0:*                           1051/nmbd           
udp        0      0 192.168.1.69:137        0.0.0.0:*                           1051/nmbd           
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1051/nmbd           
udp        0      0 192.168.1.255:138       0.0.0.0:*                           1051/nmbd           
udp        0      0 192.168.1.69:138        0.0.0.0:*                           1051/nmbd           
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1051/nmbd           
udp        0      0 0.0.0.0:47262           0.0.0.0:*                           369/avahi-daemon: r 
udp        0      0 0.0.0.0:32953           0.0.0.0:*                           1523/MMDVMHost      
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           369/avahi-daemon: r 
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1075/minissdpd      

http://wiki.pistar.uk/Adding_custom_firewall_rules_to_Pi-Star

Apparently a script exists to add custom rules to the built-in pi-star firewall. Could anyone advise what might be added here to allow the necessary traffic?

For PiAware to be able to feed data to FlightAware, you need to allow:

  • outbound TCP to port 1200 (main feed)
  • outbound UDP to ports 4999 - 19999 inclusive (mlat data)

for traffic towards all of the IPs listed in the piaware.flightaware.com DNS name.

Here is an untested script that will generate iptables / ip6tables rules for piaware.

(When run, it will print the required rules; it does not actually apply the rules. I’m guessing it’s going to be unsafe to do DNS lookups at the point where the rules are normally applied during startup, so the idea is that you run this once and copy/paste the output into the firewall script, and repeat that process occasionally to pick up any IP changes – the list of IPs is relatively stable but it does change over time)

#!/bin/sh

# Resolve the feed host's current IPv4 addresses (the STREAM lines of getent
# output) and print one TCP rule and one UDP rule per address.
for ip in $(getent ahostsv4 piaware.flightaware.com | grep STREAM | cut -d' ' -f1)
do
    echo "iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d $ip --dport 1200 -j ACCEPT"
    echo "iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d $ip --dport 4999:19999 -j ACCEPT"
done

# Same again for IPv6 addresses, using ip6tables.
for ip in $(getent ahostsv6 piaware.flightaware.com | grep STREAM | cut -d' ' -f1)
do
    echo "ip6tables -A OUTPUT --ipv6 -p tcp -s 0/0 -d $ip --dport 1200 -j ACCEPT"
    echo "ip6tables -A OUTPUT --ipv6 -p udp -s 0/0 -d $ip --dport 4999:19999 -j ACCEPT"
done

Thank you @obj, that seems to print out the necessary rules! On the morning routine right now, but tonight I’ll adjust the script to print to the associated firewall script of the pi-star and set it to run as a cronjob every 12 hrs? Every hour? Cheers!

pi-star@pi-star(rw):~$ sh fatables.sh
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.80.200 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.80.200 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.84.195 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.84.195 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.84.198 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.84.198 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.84.193 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.84.193 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.84.194 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.84.194 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.80.196 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.80.196 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.80.201 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.80.201 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.80.197 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.80.197 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.80.198 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.80.198 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.84.197 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.84.197 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.80.199 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.80.199 --dport 4999:19999 -j ACCEPT
iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d 206.253.84.196 --dport 1200 -j ACCEPT
iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d 206.253.84.196 --dport 4999:19999 -j ACCEPT

So far so good!

There was one additional error I ran into with my setup at this point in time. Piaware was having a buffer overflow error preventing its launch. I solved the issue through the method here: buffer overflow when IPv6 gets disabled · Issue #51 · flightaware/piaware · GitHub

The file /etc/hosts had three items related to ipv6 which I commented out. I don’t believe it will cause issues for now. But in the future it may be something to look at.

One other thing to look at:

I’m going to have to learn some better python before I put this all into a cronjob. If I get a bit of extra time, or if someone more savvy than me has the time, it would be useful to have the iptables script from @obj run, sort the results, and then compare them to what already exists in the file /root/ipv4.fw; then, if they differ, update that file and run the command sudo pistar-firewall.

Thank you all for your great support and the great forum and community around this hobby. I’ve learned so much through this process.
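The "generate, sort, compare, update, reload" procedure described in the post above, written out as an added example in plain sh rather than Python (this is not code from the thread, from Pi-Star or from FlightAware). It reuses obj's two rules per address and assumes, as the post does, that /root/ipv4.fw is the custom-rules file named on the Pi-Star wiki page and that `sudo pistar-firewall` reloads it; the one-command-per-line layout of that file, the script name piaware-fw.sh, and the RULES_FILE / APPLY_CMD overrides are assumptions of this example. Sorting the generated rules makes the comparison stable between runs, and the firewall is only touched when the stored file actually differs, so a cron job that runs this every hour does nothing on the common unchanged case.

```shell
#!/bin/sh
# Added example: regenerate the PiAware outbound rules, compare them with the
# rules already stored in Pi-Star's custom-firewall file, and reload the
# firewall only when they changed.
#
# Assumptions (not confirmed by the thread): RULES_FILE holds one iptables
# command per line, and APPLY_CMD is what reloads it on Pi-Star.
set -u

FEED_HOST="piaware.flightaware.com"
RULES_FILE="${RULES_FILE:-/root/ipv4.fw}"
APPLY_CMD="${APPLY_CMD:-sudo pistar-firewall}"

# Resolve the feed host to its current IPv4 addresses, one per line
# (getent prints STREAM, DGRAM and RAW lines per address; keep one of them).
resolve_feed_ipv4() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }'
}

# Read IPv4 addresses from stdin (one per line) and print the two ACCEPT
# rules per address that obj's script produces, sorted for a stable diff.
gen_rules() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "iptables -A OUTPUT --ipv4 -p tcp -s 0/0 -d $ip --dport 1200 -j ACCEPT"
        echo "iptables -A OUTPUT --ipv4 -p udp -s 0/0 -d $ip --dport 4999:19999 -j ACCEPT"
    done | sort
}

# Compare freshly generated rules ($1) with the stored file ($2).
# Returns 0 if they differ or the stored file is missing, 1 if identical.
rules_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# Replace the stored file with the new rules and run the reload command ($3),
# but only when something changed. Returns 0 if updated, 1 if left alone.
update_rules() {
    new="$1"; target="$2"; reload="$3"
    if rules_changed "$new" "$target"; then
        cp "$new" "$target" && sh -c "$reload"
        return 0
    fi
    return 1
}

main() {
    tmp=$(mktemp) || exit 1
    resolve_feed_ipv4 "$FEED_HOST" | gen_rules > "$tmp"
    # An empty result means DNS failed; never overwrite good rules with nothing.
    if [ ! -s "$tmp" ]; then
        echo "DNS lookup of $FEED_HOST returned nothing; keeping existing rules" >&2
        rm -f "$tmp"; exit 1
    fi
    if update_rules "$tmp" "$RULES_FILE" "$APPLY_CMD"; then
        echo "rules updated and firewall reloaded"
    else
        echo "rules unchanged"
    fi
    rm -f "$tmp"
}

# The live procedure only runs as `sh piaware-fw.sh run`, so the functions
# can be sourced or tested without touching DNS or the firewall.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it once by hand as `sudo sh piaware-fw.sh run` and check the stored file, then schedule it, for instance with a crontab line such as `0 */12 * * * /root/piaware-fw.sh run` (the path and interval are examples). The empty-lookup guard matters on a box whose OUTPUT policy is DROP: if DNS is briefly unreachable, an unguarded script would write an empty rules file and lock the feeder out until the next successful run.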
