Introduction, some common terms


The Proof of Decentralization (PoD) initiative aims to validate Decentralized Social’s (DESO) ability to operate as a fully decentralized network.  


Previously, DESO has been reliant upon a limited number of centralized “trusted block producers” (TBPs) to mint new blocks. In 2024 Proof of Stake (PoS) validators were added to the node network, but the question continues to be asked: “is it really decentralized?”


SafetyNet (https://safetynet.social/u/SafetyNet) is leading a community-driven experiment to prove DESO can operate independently.  


If successful, this will silence sceptics, strengthen trust in DESO, and showcase its decentralized power.  


We need you! #WeAreAllDeso – and we build it together! 


  • A key feature of blockchain is decentralization, which means there is no central server or controlling authority.
  • The servers making up the ecosystem are called nodes and are linked to each other instead of relying on one central server, forming a distributed peer-to-peer network.
  • The blockchain is available and stored on each node. In other words, the information is distributed throughout the network instead of being copied. (SafetyNet nodes all run in full blocksync mode, holding the full history of the DeSo blockchain.)
  • The peer-to-peer network and decentralization are the powerful features of blockchain and provide the security and trust in this system. (You’ll have to hack 51% of the systems to gain control.)
  • DeSo Architecture: (architecture diagram, not reproduced here)

Proof of Decentralization Experiment

SafetyNet is proposing the following experiment to prove the DeSo blockchain can run without the DeSo core nodes (deso.org or deso.com), hence a clear proof of decentralization. 


The idea is this: 


  • Connect 3 fully synced DeSo nodes (each holding the full firehose of blockchain content) only to each other, using the appropriate backend and frontend configuration. All other peer traffic is blocked.
  • The three are validators rotating as leader in the Proof of Stake mechanism built into DeSo, minting new blocks and validating them.
  • Use an independent identity service for signing transactions: configure identity.safetynet.social for user authentication, login and transaction signing on the frontends carrying out the experiment.
  • Obviously, SafetyNet users contributing to the experiment will initially have to sign in to this identity service using their seed phrase. BTW: we already executed that experiment with our own identity service earlier, and it worked great.
  • Execute common DeSo transactions to prove independent functionality of:
  1. Create new account
  2. Post
  3. Repost/Quote repost
  4. React to a post (like)
  5. Comment
  6. Diamond a post
  7. Mint an NFT
  8. Searching a user
  9. AOB


  • Monitor sync state between the three nodes in the experiment – it is essential that new blocks are mined and synchronized between these nodes to validate the experiment. 
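As an added example (not code from the SafetyNet post), the sync-state check the last bullet calls for, in Python: from successive polls of the three nodes it flags a stalled chain, nodes lagging behind the tip, and forks. The fetch helper assumes each node answers GET /api/v1 with Header.Height and Header.BlockHashHex (an assumption to adjust to your node); the sample polls are constructed.

```python
# Added example, not code from the SafetyNet post: assess from periodic polls
# whether the three isolated nodes keep minting blocks and agree on the chain.
# fetch_tip ASSUMES each node answers GET /api/v1 with JSON containing
# Header.Height and Header.BlockHashHex; adjust to the endpoint your node exposes.
import json
import urllib.request

NODES = ["159.69.139.36", "162.55.92.47", "194.233.74.138"]

def fetch_tip(base_url: str, timeout: float = 5.0) -> tuple:
    """Return (height, tip_hash) reported by one node (endpoint shape assumed)."""
    with urllib.request.urlopen(f"{base_url}/api/v1", timeout=timeout) as resp:
        header = json.load(resp)["Header"]
    return int(header["Height"]), header["BlockHashHex"]

def assess(rounds: list, max_lag: int = 2) -> dict:
    """rounds: successive polls, each mapping node -> (height, tip_hash).
    Flags the failure modes the experiment must rule out: a stalled chain
    (tip height did not advance between first and last poll), nodes lagging
    more than max_lag blocks behind the tip, and forks (two nodes reporting
    different hashes for the same height in the same poll)."""
    first, last = rounds[0], rounds[-1]
    tip = max(h for h, _ in last.values())
    advancing = tip > max(h for h, _ in first.values())
    lagging = sorted(n for n, (h, _) in last.items() if h < tip - max_lag)
    forks = []
    for poll in rounds:
        seen = {}  # height -> (node, hash) first reported at that height
        for node, (h, tip_hash) in poll.items():
            other = seen.setdefault(h, (node, tip_hash))
            if other[1] != tip_hash:
                forks.append((h, other[0], node))
    return {"tip": tip, "advancing": advancing, "lagging": lagging,
            "forks": forks, "healthy": advancing and not lagging and not forks}

def demo_rounds() -> list:
    """Constructed sample polls (not real chain data): two polls a few blocks apart."""
    a, b, c = NODES
    return [
        {a: (100, "h100"), b: (100, "h100"), c: (99, "h99")},
        {a: (103, "h103"), b: (103, "h103"), c: (103, "h103")},
    ]
```

In practice each poll would be built as `{node: fetch_tip(url)}` for the three nodes on a timer; a "healthy" result over several polls is the evidence the experiment needs.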

 

Technical Instructions for Experiment

  1. The database of the isolated nodes is backed up, so as to keep the state of the blockchain safe for recovery after the experiment (a full resync takes two to three days, which is the fallback if a restore fails to bring the nodes back to a fully operational state).
  2. Isolate the network by firewall.
  3. Client computers outside the server network need browser access (HTTP/HTTPS), while the SafetyNet Ubuntu servers themselves are isolated and restricted to communicating only with the three specified IP addresses (159.69.139.36, 162.55.92.47 and 194.233.74.138). The configuration therefore needs to handle:
  4. Server-to-Server Restriction: limit the server’s traffic to only the three IP addresses.
  5. Client Accessibility: allow unrestricted HTTP/HTTPS access for browser clients from the outside.
  6. See the appendix for details on how to do so via script/iptables on each of the servers.

 

NOTE:

GIVEN THIS ISOLATION broken images and videos WILL OCCUR (as images.deso.com and media.deso.com will be gone).

Also some fonts loaded from fontawesome might give display issues.


Configure the frontend app to make use of identity.safetynet.social and the validator node (environment.ts):

export const environment = {
  production: true,
  uploadImageHostname: 'node.safetynetvalidator.nl',
  verificationEndpointHostname: 'https://node.safetynetvalidator.nl',
  uploadVideoHostname: 'node.safetynetvalidator.nl',
  identityURL: 'https://identity.safetynet.social',
  supportEmail: 'support@safetynet.social',
  dd: {
    apiKey: 'DCEB26AC8BF47F1D7B4D87440EDCA6',
    jsPath: 'https://safetynetvalidator.nl/tags.js',
    ajaxListenerPath: 'safetynetvalidator.nl/api',
    endpoint: 'https://safetynetvalidator.nl/js',
  },
  amplitude: {
    key: '',
    domain: '',
  },
  node: {
    id: 31,
    name: 'SafetyNet',
    url: 'https://safetynet.social',
    logoAssetDir: '/assets/deso/',
  },
  heroswapURL: 'https://heroswap.com',
  heroswapAffiliateName: 'SafetyNetValidator',
};



Configure the backend with these lines in its environment file:

# A comma-separated list of ip:port addresses that we should listen on.
# These will take priority over addresses discovered by network
# interfaces.
EXTERNAL_IPS=159.69.139.36, 162.55.92.47, 194.233.74.138

# A comma-separated list of ip:port addresses that we should connect to on startup.
# If this argument is specified, we don't connect to any other peers. This is useful
# if you want to debug your node sync without worrying about external factors.
CONNECT_IPS=159.69.139.36, 162.55.92.47, 194.233.74.138

APPENDIX: ISOLATE NETWORK

Client computers outside the server network need browser access (HTTP/HTTPS), while the Ubuntu server itself is isolated and restricted to communicating only with the three specified IP addresses (159.69.139.36, 162.55.92.47 and 194.233.74.138). The configuration needs to handle:

  1. Server-to-Server Restriction: limit the server’s traffic to only the three IP addresses.
  2. Client Accessibility: allow unrestricted HTTP/HTTPS access to the clients from the outside.

Here’s the setup to achieve this:

 

Step 1: Flush Existing Rules

Clear any existing rules to avoid conflicts:

sudo iptables -F
sudo iptables -X

Step 2: Set Default Policies to Drop

Set default policies to drop all traffic:

sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

Step 3: Allow Loopback Traffic

Enable loopback traffic for internal processes:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Step 4: Allow Traffic to/from the Three IPs

Restrict server traffic to only the specified IP addresses:

# Allow incoming traffic from the allowed IPs
sudo iptables -A INPUT -s 159.69.139.36 -j ACCEPT
sudo iptables -A INPUT -s 162.55.92.47 -j ACCEPT
sudo iptables -A INPUT -s 194.233.74.138 -j ACCEPT

# Allow outgoing traffic to the allowed IPs
sudo iptables -A OUTPUT -d 159.69.139.36 -j ACCEPT
sudo iptables -A OUTPUT -d 162.55.92.47 -j ACCEPT
sudo iptables -A OUTPUT -d 194.233.74.138 -j ACCEPT

Step 5: Allow Established and Related Connections

Enable established connections to ensure smooth communication:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Step 6: Enable Client Browser Access (HTTP/HTTPS)

Allow client computers to access the server for HTTP/HTTPS traffic:

1. Allow incoming HTTP/HTTPS traffic:

# Allow incoming HTTP traffic (port 80)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow incoming HTTPS traffic (port 443)
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

2. Allow outgoing HTTP/HTTPS responses:

# Allow outgoing HTTP traffic (port 80)
sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
# Allow outgoing HTTPS traffic (port 443)
sudo iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

Step 7: Save and Persist the Rules

Save the rules to make them persistent across reboots:

  1. Install iptables-persistent if not already installed:

sudo apt-get install iptables-persistent

  2. Save the rules:

sudo netfilter-persistent save
sudo netfilter-persistent reload


Step 8: Verify Configuration

  1. Check the iptables rules:

sudo iptables -L -v

Confirm rules for:

  • Only allowing traffic between the server and the three IP addresses.
  • HTTP/HTTPS access for external clients.

  2. Test:
  • From a client computer, access the server in a browser:

http://<your-server-ip>
or
https://<your-server-ip>

  • Confirm that server traffic outside the three IPs is blocked:

curl http://deso.com

It should fail if deso.com does not resolve to one of the allowed IPs.

Key Notes

  • HTTP/HTTPS for Clients: this rule allows all external clients to access the server over HTTP/HTTPS.
  • Server Communication: the server can only communicate with the three specified IP addresses.
  • DNS Traffic: if the server itself requires DNS resolution (for example, to reach the allowed IPs by domain name), allow DNS traffic as well:

sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT

With this setup, your server is isolated for outbound communication but accessible for external clients via HTTP/HTTPS. 
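To reason about what the appendix ruleset admits before applying it to a live node, here is an added example (not from the SafetyNet post) in Python that evaluates packets against the same rules in the same order, first match wins, DROP policy otherwise; it probes the cases the appendix mentions plus two it does not. The client and destination addresses in the probe cases are constructed test values, and the peer port 17000 is illustrative.

```python
# Added example, not from the SafetyNet post: a first-match model of the
# appendix ruleset (Steps 3-6 plus the DNS note) with DROP as chain policy,
# so the isolation can be reasoned about before it is applied to a live node.
from dataclasses import dataclass
ALLOWED_IPS = {"159.69.139.36", "162.55.92.47", "194.233.74.138"}
CONNTRACK_OK = {"ESTABLISHED", "RELATED"}
@dataclass
class Packet:
    chain: str           # "INPUT" or "OUTPUT"
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    state: str = "NEW"   # conntrack state as '-m state' would classify it
    iface: str = "eth0"  # "lo" for loopback

# (chain, match predicate, label) in the order the appendix appends them; all ACCEPT.
RULES = [
    ("INPUT",  lambda p: p.iface == "lo",                     "loopback"),
    ("OUTPUT", lambda p: p.iface == "lo",                     "loopback"),
    ("INPUT",  lambda p: p.src in ALLOWED_IPS,                "from peer node"),
    ("OUTPUT", lambda p: p.dst in ALLOWED_IPS,                "to peer node"),
    ("INPUT",  lambda p: p.state in CONNTRACK_OK,             "established"),
    ("OUTPUT", lambda p: p.state in CONNTRACK_OK,             "established"),
    ("INPUT",  lambda p: p.proto == "tcp" and p.dport == 80,  "client http"),
    ("INPUT",  lambda p: p.proto == "tcp" and p.dport == 443, "client https"),
    ("OUTPUT", lambda p: p.proto == "tcp" and p.sport == 80,  "http reply"),
    ("OUTPUT", lambda p: p.proto == "tcp" and p.sport == 443, "https reply"),
    ("OUTPUT", lambda p: p.proto == "udp" and p.dport == 53,  "dns query"),
    ("INPUT",  lambda p: p.proto == "udp" and p.sport == 53,  "dns reply"),
]
def verdict(p: Packet) -> tuple:
    """(ACCEPT|DROP, label): first matching rule wins, as in iptables."""
    for chain, pred, label in RULES:
        if p.chain == chain and pred(p):
            return "ACCEPT", label
    return "DROP", "chain policy"
SERVER = "159.69.139.36"  # node being modelled; 203.0.113.x / 198.51.100.x are test addresses
def check_policy() -> dict:
    """Cases the appendix calls out, plus two it does not mention (ssh, udp sport 53)."""
    cases = {
        "peer_p2p": Packet("INPUT", "tcp", "162.55.92.47", SERVER, 50123, 17000),
        "client_https": Packet("INPUT", "tcp", "203.0.113.9", SERVER, 40000, 443),
        "new_ssh": Packet("INPUT", "tcp", "203.0.113.9", SERVER, 40001, 22),
        "to_deso": Packet("OUTPUT", "tcp", SERVER, "198.51.100.7", 40002, 443),
        "udp_sport53": Packet("INPUT", "udp", "203.0.113.9", SERVER, 53, 33333),
    }
    return {name: verdict(p)[0] for name, p in cases.items()}
```

new_ssh dropping shows that an administrative session must already be open when the rules are applied, since only the ESTABLISHED rule keeps it alive; udp_sport53 accepting shows the DNS reply rule admits any UDP datagram with source port 53 from anywhere, which the ESTABLISHED,RELATED rule already covers for genuine answers.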

Here's a Bash script that: 

  1. Saves the current iptables configuration to a file. 
  2. Applies the desired iptables setup to restrict traffic to the three specified IPs (159.69.139.36, 162.55.92.47, and 194.233.74.138) while allowing HTTP/HTTPS access for external clients. 
  3. Restores the original iptables configuration from the saved file. 

 

Script: manage_iptables.sh

#!/bin/bash
# manage_iptables.sh - save, apply or restore the isolation ruleset.
# Requires sudo. Run "apply" from a session that is already open: once the
# ruleset is active, new connections from anywhere but the three IPs are only
# accepted on TCP 80/443, so a fresh SSH login from elsewhere is dropped.

# Path for saving and restoring iptables rules
SAVED_RULES="/tmp/iptables_saved.rules"

# Peer nodes taking part in the experiment
ALLOWED_IPS=("159.69.139.36" "162.55.92.47" "194.233.74.138")

# Save the current iptables rules (chain policies included)
save_rules() {
    echo "Saving current iptables rules..."
    sudo iptables-save > "$SAVED_RULES"
    echo "Rules saved to $SAVED_RULES"
}

# Restore iptables rules from the saved file
restore_rules() {
    if [ -f "$SAVED_RULES" ]; then
        echo "Restoring iptables rules..."
        sudo iptables-restore < "$SAVED_RULES"
        echo "Rules restored from $SAVED_RULES"
    else
        echo "No saved rules found at $SAVED_RULES. Cannot restore."
        exit 1
    fi
}

# Apply the isolation ruleset
apply_desired_setup() {
    echo "Applying desired iptables setup..."
    # Flush existing rules and delete user-defined chains (filter table)
    sudo iptables -F
    sudo iptables -X

    # Default policies: drop everything not explicitly allowed
    sudo iptables -P INPUT DROP
    sudo iptables -P OUTPUT DROP
    sudo iptables -P FORWARD DROP

    # Allow loopback traffic
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A OUTPUT -o lo -j ACCEPT

    # Allow all traffic to/from the peer nodes
    for IP in "${ALLOWED_IPS[@]}"; do
        sudo iptables -A INPUT -s "$IP" -j ACCEPT
        sudo iptables -A OUTPUT -d "$IP" -j ACCEPT
    done

    # Allow packets of connections already tracked (covers HTTP/HTTPS
    # responses to clients and answers to our own DNS queries)
    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow HTTP/HTTPS from external browser clients
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

    # Optional: allow DNS resolution if needed. Note that the --sport 53 INPUT
    # rules accept any packet with source port 53, not only answers to our own
    # queries; the ESTABLISHED,RELATED rule above already admits genuine answers.
    sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    sudo iptables -A INPUT -p tcp --sport 53 -j ACCEPT

    echo "Desired iptables setup applied."
}

# Menu for managing iptables
case "$1" in
    save)    save_rules ;;
    restore) restore_rules ;;
    apply)   apply_desired_setup ;;
    *)
        echo "Usage: $0 {save|restore|apply}"
        echo "  save    - Save current iptables rules"
        echo "  restore - Restore iptables rules from saved file"
        echo "  apply   - Apply desired iptables setup"
        exit 1
        ;;
esac

 

Usage Instructions

  1. Save the script: save it as manage_iptables.sh and make it executable:

chmod +x manage_iptables.sh

  2. Save the current iptables rules:

./manage_iptables.sh save

  3. Apply the desired setup:

./manage_iptables.sh apply

  4. Restore the saved iptables rules:

./manage_iptables.sh restore

 

Notes 

  • Requirements: The script requires sudo privileges to execute iptables commands. 
  • Persistence: To make the rules persist across reboots, use iptables-persistent: 

sudo apt-get install iptables-persistent 

sudo netfilter-persistent save 

  • Validation: Use sudo iptables -L -v to validate the current rules after applying or restoring. 

This script makes it easy to toggle between the current and desired iptables configurations. 
Comments (work-in-progress)
@daniggaquis - Mar 12, 2025
Well done on the PoD experiment! 🚀