From 0163b40c91079955d46f2a297de3edd200417810 Mon Sep 17 00:00:00 2001
From: Michael Wolber
Date: Fri, 3 Jan 2020 18:33:42 +0100
Subject: [PATCH 1/3] Update rc.local
Suggestion to add more restrictive firewall rules to prevent the bot from talking to anywhere else in the world but the local network. The only exception are the telegram servers to enable the forks telegram bot.
---
 deployment/etc/rc.local | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/deployment/etc/rc.local b/deployment/etc/rc.local
index 79ff50f5..f9c17847 100644
--- a/deployment/etc/rc.local
+++ b/deployment/etc/rc.local
@@ -12,4 +12,20 @@ iptables -t nat -A OUTPUT -p tcp --dport 80 -d 203.0.113.1 -j DNAT --to-desti
 iptables -t nat -A OUTPUT -p udp --dport 8053 -d 203.0.113.1 -j DNAT --to-destination 127.0.0.1:8053
 iptables -A OUTPUT -d 203.0.113.1/32 -j REJECT
 ip6tables -A OUTPUT -d 2001:db8::1/128 -j REJECT
-### VALETUDO RC.LOCAL EXIT ###
\ No newline at end of file
+
+
+# allow local network
+iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
+iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
+
+# but allow telegram
+iptables -A INPUT -s 91.108.4.0/22 -p tcp --dport 443 -j ACCEPT
+iptables -A INPUT -s 149.154.160.0/20 -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -d 91.108.4.0/22 -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -d 149.154.160.0/20 -p tcp --dport 443 -j ACCEPT
+
+
+# block rest
+iptables -A OUTPUT -j DROP
+
+### VALETUDO RC.LOCAL EXIT ###
From 001b3dc8d46e03d0c6861f35a3cce1f07a2cd106 Mon Sep 17 00:00:00 2001
From: Michael Wolber
Date: Sat, 11 Jan 2020 14:33:18 +0100
Subject: [PATCH 2/3] Update rc.local
Added all private network ranges to the allowed list.
---
 deployment/etc/rc.local | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/deployment/etc/rc.local b/deployment/etc/rc.local
index f9c17847..5e5db2f6 100644
--- a/deployment/etc/rc.local
+++ b/deployment/etc/rc.local
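Review bot: The new catch-all `iptables -A OUTPUT -j DROP` only covers IPv4, while this same file already programs ip6tables for the REJECT line in the context above, so any IPv6 path the device has (if it gets one) bypasses the whole "block rest" intent; the same gap applies to the INPUT DROP added in patch 3/3. Adding `ip6tables -A OUTPUT -j DROP` after the IPv4 rule, preceded by matching ip6tables ACCEPTs for `::1/128`, `fe80::/10` and `fc00::/7`, would close it. The two Telegram INPUT rules match `--dport 443`, i.e. inbound connections to a local port 443, not the replies to the bot's own outbound HTTPS sessions, which arrive with source port 443; as written they do nothing for the bot and a comment should say what they are for, or they should go. The Telegram ranges are hard-coded, so a comment naming their source and the date they were checked would help whoever has to update them later.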
@@ -17,6 +17,8 @@ ip6tables -A OUTPUT -d 2001:db8::1/128 -j REJECT
 # allow local network
 iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
 iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
+iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
+iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
 
 # but allow telegram
 iptables -A INPUT -s 91.108.4.0/22 -p tcp --dport 443 -j ACCEPT
From 2eea7d0edbddfcee4e09ab0f7c12838f78836e74 Mon Sep 17 00:00:00 2001
From: Michael Wolber
Date: Sat, 11 Jan 2020 15:04:48 +0100
Subject: [PATCH 3/3] Update rc.local
Added an INPUT block to connections from the world with exception to local networks (and telegram). (Actually I think the INPUT chain should be flushed in the beginning as well, but as I not completely sure what is going on I did not add this line here.)
---
 deployment/etc/rc.local | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/deployment/etc/rc.local b/deployment/etc/rc.local
index 5e5db2f6..3a8a3a06 100644
--- a/deployment/etc/rc.local
+++ b/deployment/etc/rc.local
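Review bot: The destination allow-list completed here (10/8, 172.16/12, 192.168/16 and loopback) still has no entry for the limited broadcast address 255.255.255.255 or for multicast 224.0.0.0/4, and with `iptables -A OUTPUT -j DROP` as the final rule a DHCP rebind sent from a normal UDP socket, or any mDNS/SSDP announcement, would be silently dropped; whether the device depends on these is not visible from this hunk, and a DHCP client using raw sockets bypasses the filter table anyway, so this needs confirming on the device. If it does matter, `iptables -A OUTPUT -d 255.255.255.255/32 -p udp --dport 67 -j ACCEPT` next to the private ranges keeps address renewal working. The comment `# allow local network` now covers all of RFC 1918 rather than the local subnet, and stating that in the comment avoids it being read as a tighter rule than it is.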
@@ -15,19 +15,24 @@ ip6tables -A OUTPUT -d 2001:db8::1/128 -j REJECT
 
 
 # allow local network
+iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
+iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
+iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
+iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
+iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
+iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
 iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
 
-# but allow telegram
-iptables -A INPUT -s 91.108.4.0/22 -p tcp --dport 443 -j ACCEPT
-iptables -A INPUT -s 149.154.160.0/20 -p tcp --dport 443 -j ACCEPT
-iptables -A OUTPUT -d 91.108.4.0/22 -p tcp --dport 443 -j ACCEPT
+# and allow telegram
+iptables -A INPUT -s 91.108.4.0/22 -p tcp --dport 443 -j ACCEPT
+iptables -A INPUT -s 149.154.160.0/20 -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -d 91.108.4.0/22 -p tcp --dport 443 -j ACCEPT
 iptables -A OUTPUT -d 149.154.160.0/20 -p tcp --dport 443 -j ACCEPT
 
 
 # block rest
 iptables -A OUTPUT -j DROP
+iptables -A INPUT -j DROP
 
 ### VALETUDO RC.LOCAL EXIT ###
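Review bot: The new `iptables -A INPUT -j DROP` cuts off the Telegram path the rest of this block is trying to keep: the INPUT ACCEPTs for the Telegram ranges match `--dport 443`, but replies to the bot's outbound HTTPS sessions arrive with source port 443 and an ephemeral destination port, so they fall through to the DROP unless an ESTABLISHED/RELATED rule exists earlier in the file, which this hunk does not show. Replacing the two Telegram INPUT lines with `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` placed before the per-network ACCEPTs admits the replies for every permitted outbound session and lets the OUTPUT rules alone define what the bot may reach; conntrack is already in use, since the nat-table DNAT rules in the context above depend on it. The concern in the commit message also applies to the code: every rule here is appended with `-A`, so each run of rc.local without a preceding flush stacks another copy of the whole set, and with terminal DROP rules the resulting order matters. A short comment stating the intended chain policy, e.g. `# default deny on INPUT; everything not matched above is dropped`, would make the terminal rule's purpose explicit to the next maintainer.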