CONSENSYS GUIDES

How to Set up
an Ethereum Node
Written by Daniel Ellison, Hardware and Software Researcher at ConsenSys

How to Set up an Ethereum Node | A ConsenSys Guide

CONTENTS

Introduction...........................................................................................................................3

Part I - Setting up your Ethereum Node.....................................................................4

Why you should set up your own Ethereum node......................................................4
Getting Started.......................................................................................................................4
Back to business....................................................................................................................5
Housekeeping.........................................................................................................................6
Installing geth.......................................................................................................................... 7
Synchronizing your node....................................................................................................8
Configuring your node for remote access....................................................................9
Setting up RPC access.........................................................................................................9

Part II - Securing Remote Access to your Node Using MetaMask................. 11

Obtaining the IP address of your VPS............................................................................ 11
SSH on Windows................................................................................................................... 11
Initiating the tunnel.............................................................................................................. 11
Configuring MetaMask....................................................................................................... 12
Making the impermanent permanent........................................................................... 12
Remote permanence.......................................................................................................... 13
Local permanence.............................................................................................................. 15
SSH key pairs......................................................................................................................... 15
Linux......................................................................................................................................... 16
macOS..................................................................................................................................... 18
Windows................................................................................................................................. 19
Testing the persistent SSH tunnel................................................................................. 20

Part III - How to set up a Linux Firewall..................................................................... 21

Wat Firewal?!.......................................................................................................................... 21
Uncomplicated Firewall..................................................................................................... 21
Back to the command line................................................................................................22
Becoming an enabler.........................................................................................................22
Allowing specific incoming traffic..................................................................................22

Conclusion............................................................................................................................24

2 How to Set up an Ethereum Node | A ConsenSys Guide

Introduction
This guide contains three parts:

Part I - Setting up your Ethereum Node

Part one covers the process of installing an Ethereum node remotely on a Virtual
Private Server (VPS), synchronizing it with the blockchain, and setting it up to
allow secure remote access.

Part II - Securing Remote Access to your Node Using MetaMask

We explore secure remote access to this Ethereum node via MetaMask. We also
cover how to make everything survive crashes and shutdowns.

When you’ve completed the steps described in this guide you will be running
your own Ethereum node securely on a remote machine, thus contributing to
the decentralization of the Ethereum network.

That machine could be a Virtual Private Server (VPS), such as that provided by
Digital Ocean, Linode, or AWS, or it could be a computer in your own home. You
will also set up an SSH tunnel to make your remote node appear to be available
on your local machine. You will learn how to point MetaMask at your node to take
advantage of your own contribution to the Ethereum network. This guide will
also explain how to make your efforts permanent, automatically restarting on any
failure or reboot. All in all, you’ll be significantly ahead of a large percentage of
Ethereum users. We think it’s worth the effort

Part III - How to set up a Linux Firewall

In this part, Daniel covers why a Linux firewall is important and describes how to
set one up on your remote geth node.

3 How to Set up an Ethereum Node | A ConsenSys Guide

 Part I - Setting up
your Ethereum Node

WHY YOU SHOULD SET UP YOUR OWN

ETHEREUM NODE

We would The concept behind Ethereum is to create a

achieve maximal
network of so many nodes that hold copies of the
blockchain network that it would be impossible

decentralization
for any government, corporate entity, or cohort
of nefarious actors to take down or censor the

of a blockchain network. It’s vital that the data be spread across

the globe as widely as possible in order to ensure

network if every maximum decentralization. Therefore, if you want

to help Ethereum grow, one of the best things you
person on the can do is set up your own node.

planet owned GETTING STARTED

precisely one To start, we delve into how to set up a Go

Ethereum (geth) node on a Linux-based server.

full node device That sounds scary as all get-out, doesn’t it? Don’t
worry, you won’t actually have to install Linux itself.
connected to the I’m going to give guidance on how to create a
Linux instance on Linode, a Linux VPS provider. In
network.” fact, I’m running my own geth node on an Arch
Linux Linode VPS. For this exercise we’ll stick
with a more common Linux distribution, Ubuntu.
Joe Lubin
Linode’s Ubuntu image has several utilities pre-
Founder of ConsenSys,
installed, such as sshd, wget, tmux, and sudo.
Co-founder of Ethereum
This avoids having to explain how to install these
utilities, allowing us to concentrate on the task at
hand. Go to www.linode.com and — if you don’t
already have one — sign up for an account.

4 How to Set up an Ethereum Node | A ConsenSys Guide

AN ASIDE FROM DANIEL ELLISON, HARDWARE AND SOFTWARE
RESEARCHER AT CONSENSYS

Yes, using a VPS for this costs you some money. There are many reasons to
sacrifice your cash in this way, but there are also people thinking of ways to
incentivize us to run full nodes. Until then, if you have it within your means
consider making a sacrifice for the health of the network. On the other hand, if
you have the equipment and the technical know-how, go ahead and set up a
node on your own hardware, keeping your costs to a minimum.

BACK TO BUSINESS

Once you have an account on Linode, log in and go to your dashboard if you’re
not automatically dropped there. Click the Create button at the top. Choose
Linode from the resulting dropdown menu. Under Choose a distribution click
Ubuntu. Under Region, make a choice appropriate for your locale. Under Linode
Plan choose the level of commitment you’re comfortable with. According to
Etherscan, a geth node that’s been fast-synced currently takes up about 133GB
of disk space. You could probably, for a time, get away with a Linode 8GB VPS
with 160GB of storage, but you will run out of space quickly. You could start with
that size to try things out; Linode allows you to resize an instance at any time so
you could step up to the next level if you decide to make your node permanent.
For now, I’ll assume you chose Linode 16GB to avoid any storage issues. For
Linode Label, provide a name by which to refer to your VPS, or just leave it at the
default built up from your choices. Under Root Password, enter a password that
you have to provide later in order to log into your VPS. On the right you see a
summary of your choices and a big Create button. Click the button.

Your new VPS will now be created. When it’s done, click on Launch Console at
the top right. A new window pops up and presents you with a login prompt. Log
in as root, using the password you provided on creation. You should be left at a
command line prompt that looks like this:

root@localhost:~#

5 How to Set up an Ethereum Node | A ConsenSys Guide

HOUSEKEEPING

There’s a bit of housekeeping to take care of before we can begin the geth
installation. First, create a non-root user. You never want to log in as root. Never.
For normal day-to-day operation, you operate as a user with standard privileges,
only acquiring root privileges as necessary. Issue the useradd command,
replacing Regular User and user with your own choices unless, of course, your
name is actually Regular User. After that, add this new user to the sudo system
as one who can elevate their privileges. Finally, provide a password for the user.
From this point on we use # at the beginning of a line to indicate commands to
run as root and $ for those to run as a regular user. It’s never necessary to type
that character.

# useradd -c “Regular User” -d /home/user -m -s /bin/bash user

# echo “%user ALL=(ALL:ALL) ALL” > /etc/sudoers.d/user
# chmod 440 /etc/sudoers.d/user
# passwd user

Now we lock the root account’s password so nobody can ever log in as root, not
even you. After that, reboot.

# passwd --lock root

# reboot

Once you’re back at a login prompt, login using the username and password of
the user we just created. After logging in, make sure that you can switch to the
root user account. Type sudo su -. After providing your password you should
see this response:

$ sudo su -
[sudo] password for user:
root@localhost:~#

Type exit to return to the regular user’s account. You’re now ready to install geth.

6 How to Set up an Ethereum Node | A ConsenSys Guide

INSTALLING GETH

We use the latest version of geth from the Go Ethereum team. As of this writing,
that version is Punisher (v1.8.27). For the latest version when you read this, go
here and right-click on the Geth x.x.xx for Linux button near the top. Choose
Copy Link Address or whatever the equivalent is for your browser. At your
command prompt, type wget, then a space, then paste the link you just copied
and hit return. Next, uncompress the freshly-downloaded file and move it to a
location the system knows about. After that you should test that the system does
know how to locate geth.

$ wget https://gethstore.blob.core.windows.net/builds/geth-
linux-amd64-1.8.27-4bcc0a37.tar.gz
$ tar xf geth-linux-amd64-1.8.27-4bcc0a37.tar.gz
$ cd geth-linux-amd64-1.8.27-4bcc0a37
$ sudo mv geth /usr/bin/
$ cd ~
$ geth version
Geth
Version: 1.8.27-stable
Git Commit: 4bcc0a37ab70cb79b16893556cffdaad6974e7d8
Architecture: amd64
Protocol Versions: [63 62]
Network Id: 1
Go Version: go1.11.9
Operating System: linux
GOPATH=
GOROOT=/home/travis/.gimme/versions/go1.11.9.linux.amd64

If you don’t get something like the response above from geth then you’ll have to
do some troubleshooting. If you did, congratulations! You now have a working
Linux VPS with geth installed correctly.

7 How to Set up an Ethereum Node | A ConsenSys Guide

SYNCHRONIZING YOUR NODE
Before we can do anything we need to synchronize our node with the Ethereum
blockchain. This takes a long time, even in “fast” mode. Days, in fact. To start the
process, type:

$ tmux
$ geth --syncmode “fast” --cache=1024

You see several lines of output from geth and then it pauses for a while. Once
you see lines start to appear with Imported new block headers you know the
sync has started. This is the part that goes for days. In order for you to safely
close windows and leave geth to finish its sync, type ctrl-b d. In other words,
hold down the control key and hit b. Release the control key and hit d. You
should see the following output:

[detached (from session 0)]

The geth sync continues on in the background and you’re free to log off and do
more productive things than watching log output. To check on the progress of
the synchronization, attach to the geth node via the built-in JavaScript console
and issue the syncing command.

$ geth attach
> web3.eth.syncing
> {
currentBlock: 142490,
highestBlock: 7640000,
knownStates: 143562,
pulledStates: 143174,
startingBlock: 0
}
>

8 How to Set up an Ethereum Node | A ConsenSys Guide

Press ctrl-d to exit the console. Check again occasionally to monitor the progress.
When the result changes from block and state count to false, your node is in sync
with the Ethereum mainnet. You can safely close that terminal window. When you
come back to this terminal window by hitting the Launch Console link as before,
you can reconnect to your geth instance by typing the following:

$ tmux attach -t 0

This should return you to a screen that shows the continuing output from your
running geth node.

CONFIGURING YOUR NODE FOR REMOTE ACCESS

Now that you’ve synchronized, there’s nothing further to do if your aim was to
provide an additional node to the Ethereum network. That would, however, be
overly-selfless. You want to take advantage of your node, using it for your own
Ethereum transactions and even perhaps for contract deployment and access
through your own dapp. A more general use would be to have MetaMask point
to your node instead of its default Infura nodes. This is a confusing process, but if
you follow the steps carefully there shouldn’t be a problem.

SETTING UP RPC ACCESS

RPC stands for remote procedure call, which means one computer requesting
action from another. geth supports this with what are called command-line
switches: instructions to geth on startup. Configuring geth to accept connections
from any computer on the internet is extremely hazardous to your node’s health.
It’s safer to allow RPC access only from the machine that’s running geth. This
makes no sense, we know, but I’ll explain how to get around that restriction
securely later. For now, we want to change the switches we use to start geth.

Go back to your Linode dashboard and make sure you’re on the Linodes tab on
the left. Click on the three dots to the right of the name you gave the VPS that’s
running geth. Choose Launch Console from the dropdown menu. Once the
terminal window appears and you’ve logged back in, reconnect to your geth
instance with:

$ tmux attach -t 0

9 How to Set up an Ethereum Node | A ConsenSys Guide

If you’ve confirmed that your node has completed syncing, you should see a
slow but steady stream of Imported new chain segment log lines. Only proceed
from here if that is the case. Otherwise, be patient and wait.

Stop your geth node with ctrl-c. It will take a while for it to shut down as it executes
some housekeeping, but eventually you’ll be left at a command prompt. Your geth
is dead. We now start it up again with a different set of switches. Type the following
to start geth with RPC enabled for the local machine:

$ geth --cache=1024 --rpc --rpcaddr localhost --rpcport 8545

Your node will eventually get back to spitting out lines with Imported new chain
segment. With that, you’ve completed setting up your geth node.

CONGRATS ON SETTING UP YOUR GETH NODE!

In Part II we’ll describe how to set up a local SSH tunnel and make MetaMask
use that tunnel to interact with our geth node. To finish up we describe how to
make everything we’ve done survive crashes and reboots, having it all restart
automatically. Continue below to get started!

10 How to Set up an Ethereum Node | A ConsenSys Guide

Part II - Securing Remote Access to
your Node Using MetaMask
We explore secure remote access to this Ethereum node via MetaMask. We also
cover how to make everything survive crashes and shutdowns.

SETTING UP AN SSH TUNNEL

Setting up a what? This is a semi-confusing process. We won’t go into details

here, but in effect, it allows requests made to your local machine to be forwarded
automatically to another machine, in this case, the VPS running your geth node.
It’ll become clear why we need this when we set up MetaMask later.

OBTAINING THE IP ADDRESS OF YOUR VPS

In order to forward requests to your VPS, you’ll need to know its IP address. This
is determined by returning to your Linode dashboard and going to the Linodes
tab on the left. You should see your node’s IP address on the right, just below
the geographic location of your VPS. It looks something like this: 172.16.389.54.
Make a note of that IP; we’ll be using it shortly.

SSH ON WINDOWS

As of the April 2018 update, Windows 10 has OpenSSH installed by default. This
provides ssh.exe as well as several other SSH utilities. To check the state of SSH
on Windows at the time of writing I downloaded the latest Windows 10 ISO and
installed it into a virtual machine. OpenSSH was already installed and available
from cmd.exe. If you have Windows 10 but OpenSSH is not installed, follow the
instructions in this Microsoft article. If you have an older version of Windows
there are several utilities available that will provide SSH capabilities.

INITIATING THE TUNNEL

We’re going from here with the assumption that you have command-line access
to an ssh client. The following command sets up the SSH tunnel. This command
is identical on all three platforms.

ssh -N -v user@172.16.389.54 -L 8545:localhost:8545

11 How to Set up an Ethereum Node | A ConsenSys Guide

The -N switch tells ssh not to execute a remote command. We want a
continuous connection, or tunnel, to our node. There’s no command to execute
remotely at this point. The -v switch makes ssh output some logging information
as it executes. We then supply the username and IP address in order to log into
our VPS. The rest sets up the tunnel itself, specifying that anything your local
machine receives on port 8545 (the port on which your node is listening for RPC
requests) should be forwarded to the same port on your node securely through
the tunnel. That’s the most important point: nobody else can do this except
you. Your node is safe from exploits due to an exposed RPC port.

CONFIGURING METAMASK

This is the easiest part of the whole tunnel kerfuffle. We’re assuming you left the
SSH tunnel running and that you can see its log output. In your browser, activate
MetaMask by clicking on the fox head at the top right of your browser window.
At the top of the MetaMask window is the currently-chosen Ethereum network.
If you’ve been using beta dapps, it’ll probably say something like Rinkeby Test
Network. Click on that name and you see a dropdown menu. At the top is Main
Ethereum Network. That’s our final destination, but we don’t want to use that menu
item. If you do, MetMask connects to an Infura node, defeating the entire purpose
of this long journey. Further down the list, you see Localhost 8545. Click on that,
watching the output of your SSH tunnel. You should see lines appear similar to this:

debug1: Connection to port 8545 forwarding to localhost port

8545 requested.
debug1: channel 1: new [direct-tcpip]

MetaMask should now have Localhost 8545 at the top and you should see
Deposit and Send buttons in the middle. If so, you’ve now connected your
remote geth node to MetaMask, though MetaMask believes it has connected to
your local machine.

MAKING THE IMPERMANENT PERMANENT

You now have a fully-functioning geth node and are able to connect to it
remotely and securely through MetaMask and an SSH tunnel. Congratulations!
Of course, computers crash or are shut down deliberately. In order to avoid
having to set everything up again on a restart, we need to do two things: a) Set
up our geth node to start automatically on the VPS and b), somehow do the
same for the SSH tunnel on our local machine.

12 How to Set up an Ethereum Node | A ConsenSys Guide

REMOTE PERMANENCE

In relative terms, this is the easy part of the permanence process. We only have
to deal with one operating system, Linux, and there’s an established way to start
tasks automatically: systemd. Linux politics aside, let’s get started.

systemd handles processes on most Linux systems and Ubuntu is no exception.

In order to do so it reads .service files. To have our geth node start automatically
on boot we need to provide a geth.service file. Go back and launch the console
from the Linodes tab. If your geth node is still running you have to shut it down.
As before, type the following to reconnect to your geth node:

$ tmux attach -t 0

Stop your geth node with ctrl-c. Again, wait until you’re at a command prompt,
then type ctrl-d to exit from tmux. Type the following at the command line,
substituting user in User=user for the username you provided previously:

$ cat > geth.service <<EOF

[Unit]
Description=Go Ethereum client

[Service]
User=user
Type=simple
Restart=always
ExecStart=/usr/bin/geth --rpc --rpcaddr localhost --rpcport
8545

[Install]
WantedBy=default.target
EOF

13 How to Set up an Ethereum Node | A ConsenSys Guide

This creates a geth.service file in the current directory. You need to do a few
things to make it available to systemd:

$ sudo mv geth.service /etc/systemd/system/

$ sudo systemctl daemon-reload
$ sudo systemctl enable geth.service
$ sudo systemctl start geth.service

To check on the status of the service, use this:

$ sudo systemctl status geth.service

Somewhere near the beginning of the output, you’ll see active (running). If you
don’t, there will be error messages below. Good luck! To see the continuous
output from geth, type the following:

$ sudo journalctl -f -u geth.service

If all is well you’ll see a stream of lines containing Imported new chain segment.
Type ctrl-c to stop the output. Don’t worry, this doesn’t shut down your geth
node. It only stops showing the systemd log output.

From now on, when your VPS restarts for any reason geth starts up again
automatically.

14 How to Set up an Ethereum Node | A ConsenSys Guide

LOCAL PERMANENCE
You’ve successfully started an SSH tunnel on your machine, but as soon as you
close the terminal or put your laptop to sleep the tunnel disconnects and the
connection is broken. This is obviously sub-optimal. Having to start up a terminal
session and re-activate the tunnel is a bit of a drag. The problem is, the three
major operating systems have three different ways to set up permanent services
like our SSH tunnel.

SSH KEY PAIRS

In order for any of the following to work automatically, you need to have SSH
private and public keys. If you regularly ssh into remote machines without
needing to provide a password, you’re already set up. Even in that case, you need
to send your public key to the remote machine running geth. For instructions
on how to do this — and how to generate an SSH key pair in the first place if you
need to — read this article from Linode or this one from Atlassian explains things
fairly well. These articles are already very long and very technical; mucking about
with SSH keys is a well-known process so it’s not necessary to repeat those
instructions here. If you can type:

$ ssh user@172.16.389.54

supplying your own username and the IP of your remote geth node, and you are
logged in without having to supply a password, you’re good to go. If this is not
the case, none of the following will work.

15 How to Set up an Ethereum Node | A ConsenSys Guide

LINUX
The process of making an SSH tunnel permanent is similar to the way it was
done on our VPS. We install a persistent.ssh.tunnel.service file and set things
up so that the service starts with the system. The only major difference, aside
from the necessarily different ExecStart line, is that we need to precede that
line with a line specifying a slight startup delay to make sure the network is ready
before the service starts. Remember, of course, to replace user in User=user
with your own desktop username and user@172.16.389.54 with your username
on the remote system and its IP address.

$ cat > persistent.ssh.tunnel.service <<EOF

[Unit]
Description=Persistent SSH Tunnel

[Service]
User=user
Type=simple
Restart=always
ExecStartPre=/bin/sleep 10
ExecStart=/usr/bin/ssh -N -v user@172.16.389.54 -L
8545:localhost:8545

[Install]
WantedBy=default.target
EOF

16 How to Set up an Ethereum Node | A ConsenSys Guide

This creates a persistent.ssh.tunnel.service file in the current directory. As
before, you need to do a few things to make it available to systemd, this time on
your local system:

$ sudo mv persistent.ssh.tunnel.service /etc/systemd/system/

$ sudo systemctl daemon-reload
$ sudo systemctl enable persistent.ssh.tunnel.service
$ sudo systemctl start persistent.ssh.tunnel.service

To check that the service started successfully, type the following:

$ sudo systemctl status persistent.ssh.tunnel.service

17 How to Set up an Ethereum Node | A ConsenSys Guide

MACOS

Apple’s macOS has its own way of setting up persistent services using
launchctl. Similar to systemd on Linux, you provide a configuration file — this
time in the form of an XML document instead of an INI file — and then install and
activate the service using that XML document. First we create this file, providing
as usual the username and IP address of our VPS for user@172.16.389.54. As
well, provide your macOS username under UserName.

$ cat > com.persistent.ssh.tunnel.plist <<EOF

<?xml version=”1.0” encoding=”UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.
apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0”>
<dict>
<key>Label</key>
<string>com.persistent.ssh.tunnel</string>
<key>UserName</key>
<string>user</string>
<key>StandardErrorPath</key>
<string>/tmp/persistent.ssh.tunnel.err</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ssh</string>
<string>-N</string>
<string>-v</string>
<string>user@172.16.389.54</string>
<string>-L</string>
<string>8545:localhost:8545</string>
</array>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
EOF

18 How to Set up an Ethereum Node | A ConsenSys Guide

Once you’ve created the com.persistent.ssh.tunnel.plist file, move it to a location
in which launchctl expects these files to reside. Finally, give the command to
install it into the system and start the process running in the background.

$ sudo mv com.persistent.ssh.tunnel.plist /Library/

LaunchDaemons/
$ sudo launchctl load /Library/LaunchDaemons/com.persistent.
ssh.tunnel.plist

Installing the .plist file into /Library/LaunchDaemons/ makes it available to any

user on the system; it’s not dependent on you being logged in for the tunnel to
be active.

WINDOWS

In order to set up a persistent service in Windows, you need to download a utility

that provides this functionality. The one I used is the free, open source, and
public domain NSSM so you need to install that before proceeding.

The steps below create the persistent-ssh-tunnel service and sets various
parameters so that you can use it to connect MetaMask to your geth node.
We’ve provided the commands as well as the responses from nssm for clarity.
To execute these commands you need to start a terminal session as a Windows
administrator. You can do this by opening the start menu and typing cmd. This
should bring up a Best match menu with Command Prompt highlighted. To the
right choose Run as administrator. Click Yes to allow this app to make changes.
If all goes well, you see a black terminal window open with the command
prompt C:\Windows\system32>. Carefully type the commands below, making
sure not to type the command prompt! Be sure that each command gets a
response similar to the ones provided here. Substitute your Windows username
for .\user (keeping the .\) and your Windows login password for password.
Also provide your username and the IP address of your remote geth node in
user@172.16.389.54.

19 How to Set up an Ethereum Node | A ConsenSys Guide

C:\Windows\system32>nssm install persistent-ssh-tunnel
“C:\Windows\System32\OpenSSH\ssh.exe” “-N -v user@172.16.389.54 -L
8545:localhost:8545”
Service “persistent-ssh-tunnel” installed successfully!

C:\Windows\system32>nssm set persistent-ssh-tunnel ObjectName “.\

user” “password”
Set parameter “ObjectName” for service “persistent-ssh-tunnel”.

C:\Windows\system32>nssm set persistent-ssh-tunnel DisplayName

“Persistent SSH Tunnel”
Set parameter “DisplayName” for service “persistent-ssh-tunnel”.

C:\Windows\system32>nssm set persistent-ssh-tunnel Description

“Establishes a persistent SSH tunnel between a remote server and
the local computer.”
Set parameter “Description” for service “persistent-ssh-tunnel”.

C:\Windows\system32>nssm start persistent-ssh-tunnel persistent-ssh-

tunnel: START: The operation completed successfully.

TESTING THE PERSISTENT SSH TUNNEL

Assuming all went well, you now have a system service on either Windows,
Linux, or macOS that runs in the background and starts every time your local
machine restarts. To test it out, open a browser that has MetaMask installed and
follow the instructions above under Configuring MetaMask. MetaMask should
again connect to Localhost 8545, but this time it’s using the background service
which tunnels requests to your geth VPS. You no longer have to think about
establishing a connection to your remote Ethereum node.

20 How to Set up an Ethereum Node | A ConsenSys Guide

Part III - How to set up a Linux
Firewall
WAT FIREWAL?!

A firewall is a technology which blocks network traffic to or from a computer. At

first that may seem counterproductive. But you can poke holes in your firewall to
allow external entities to access the machine on specific ports. What the heck is
a port, though? From Wikipedia:

At the software level, within an operating system, a port is a logical construct that
identifies a specific process or a type of network service. Ports are identified for
each protocol and address combination by 16-bit unsigned numbers, commonly
known as the port number.

This means that each assigned port number has a specific meaning. There are
two types of ports, TCP and UDP, but the difference between them is not pertinent
to this article. You may already know that websites use TCP ports 80 and 443.
SSH uses TCP port 22 by default. Ethereum clients use these specific ports:

• 30303 TCP: The network listening port

• 30303 UDP: The network discovery port
• 8545 TCP: The RPC port

Since we use an SSH tunnel to communicate via RPC with our remote node, we
will not be opening port 8545 on our firewall. This prevents any external entities
from making RPC calls to your node. This is what we want. On the other hand,
we will be opening port 22 so that our SSH tunnel will work.

UNCOMPLICATED FIREWALL

There is a utility that ships with Ubuntu by default called the Uncomplicated
Firewall (UFW). It is ideal for securing your machine without having to know the
gory details of iptables, filter tables, or rule chains. Firewalls are very complex
things; having this tool to make them uncomplicated is quite a relief.

21 How to Set up an Ethereum Node | A ConsenSys Guide

BACK TO THE COMMAND LINE

As in previous articles we need to get ourselves to a command prompt. Go back

to your Linode dashboard and make sure you’re on the Linodes tab on the left.
Click on the three dots to the right of name you gave the VPS that’s running
geth. Choose Launch Console from the dropdown menu. Once the terminal
window appears and you’ve logged back in, you’re ready to start.

BECOMING AN ENABLER

The first thing you should do once you’re sitting at a command line is enable the
UFW. Right away your computer is far more secure than it was a few seconds
ago. Check the status to see what the firewall is doing. In the examples below
I’ve included both the commands and their output for clarity.

$ sudo ufw enable

Started bpfilter
Firewall is active and enabled on system startup
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

As you can see from the output of the status command, UFW is denying all
incoming network traffic. This may seem overly restrictive, but it doesn’t include
responses to your own traffic. For example, if you request a web page with your
browser, the website has to send you the HTML for your browser to display. So
we’re good.

ALLOWING SPECIFIC INCOMING TRAFFIC

As discussed earlier, geth use specific ports in order to participate in the

Ethereum network. Also, our SSH tunnel uses its own specific port. Type the
following to allow SSH traffic through our firewall:

$ sudo ufw allow 22/tcp

Rule added
Rule added (v6)

22 How to Set up an Ethereum Node | A ConsenSys Guide

The output indicates that the firewall has been configured properly, both for
IPv4 and IPv6. If you don’t know what those are, it’s not important. Here’s a short
guide on the subject. Continue now to allow geth to communicate with the
outside world.

$ sudo ufw allow 30303/tcp

$ sudo ufw allow 30303/udp

Both of these commands will produce the same output as the previous command.
Now when you ask for the status of the firewall you get a different answer.

$ sudo ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
30303/tcp ALLOW IN Anywhere
30303/udp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
30303/tcp (v6) ALLOW IN Anywhere (v6)
30303/udp (v6) ALLOW IN Anywhere (v6)

That’s it! Your computer is now sitting behind a firewall, only allowing the network
traffic necessary to run geth and permitting you to access it via SSH.

23 How to Set up an Ethereum Node | A ConsenSys Guide

Conclusion
For the sake of expedience, we’ve made specific choices in these articles.
For instance, we chose to use a VPS, and indeed a particular VPS provider, for
our Ethereum node. As explained above, this costs money. Dapp developers
receiving income from their project should definitely consider this route. On
the other hand, someone who is simply curious and would like to follow the
steps outlined could set up a VPS, follow the tutorial, and after testing it out and
learning all there is to be learned, shut down and delete the VPS. This would end
up costing just a few cents: if it took you two hours to complete this tutorial you’d
be out 24¢ US, assuming a Linode 16GB VPS.

You’re also free to choose a different VPS provider. Digital Ocean’s Droplets are
competitively priced. The process here should work equally well on a Droplet.
Amazon’s AWS is also a possibility. Using your own hardware would save the
monthly cost, but the process gains much more complexity and would have
been inappropriate for an article aimed at moderately technical people.

Another choice I made was to use the Ubuntu Linux distribution as the operating
system for our geth node. Ubuntu is one of the most popular distributions, but
there are, shall we say, several other Linux distributions you could choose. If
you’re more familiar with another distribution, then you should be able to handle
the differences between your choice and the Ubuntu-based instructions above.

I chose a system service utility for Windows, offering no alternatives, and glossed
over the SSH aspects on that OS. Again, this guide would verge on novel-length
if I were to go into every aspect of all of the software on all of the platforms.

This has definitely been a long journey. We know it’s all a bit ambitious, especially
for those with a less technical bent. We hope you were able to follow these
instructions and end up with your own remote Ethereum node, connecting to it
with MetaMask through a secure SSH tunnel.

24 How to Set up an Ethereum Node | A ConsenSys Guide

 We would
achieve maximal
decentralization of a
blockchain network
if every person on
the planet owned
precisely one full node
device connected to
the network.”
Joe Lubin
Founder of ConsenSys,
Co-founder of Ethereum

How to Set up an Ethereum Node | A ConsenSys Guide