
UFW rules


Topic Author
Luh0GKC
Posts: 3
Joined: Wed Apr 12, 2017 11:01 am

UFW rules

Postby Luh0GKC » Thu Jul 13, 2017 11:25 am

Is this up to date in terms of IPs: https://github.com/cryptostorm-dev/csto ... ctives.txt

How do I add these rules with UFW?

Code:

iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow loopback device"
iptables -A OUTPUT -o lo -j ACCEPT -m comment --comment "Allow loopback device"

iptables -A INPUT -s 127.0.1.1 -j ACCEPT -m comment --comment "resolv"
iptables -A OUTPUT -d 127.0.1.1 -j ACCEPT -m comment --comment "resolv"

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

parityboy
Site Admin
Posts: 1066
Joined: Wed Feb 05, 2014 3:47 am

Re: UFW rules

Postby parityboy » Mon Jul 17, 2017 5:28 pm

@OP

For the latest set of IPs, do this:

Code:

nslookup linux-balancer.cryptostorm.net


which right now will net you this:

Code:

Non-authoritative answer:
Name:   linux-balancer.cryptostorm.net
Address: 109.71.42.163
Name:   linux-balancer.cryptostorm.net
Address: 64.120.5.252
Name:   linux-balancer.cryptostorm.net
Address: 5.133.8.192
Name:   linux-balancer.cryptostorm.net
Address: 185.117.118.21
Name:   linux-balancer.cryptostorm.net
Address: 162.221.207.229
Name:   linux-balancer.cryptostorm.net
Address: 108.62.19.132
Name:   linux-balancer.cryptostorm.net
Address: 176.123.3.250
Name:   linux-balancer.cryptostorm.net
Address: 173.234.56.116
Name:   linux-balancer.cryptostorm.net
Address: 173.208.95.76
Name:   linux-balancer.cryptostorm.net
Address: 5.101.137.252
Name:   linux-balancer.cryptostorm.net
Address: 89.163.214.183
Name:   linux-balancer.cryptostorm.net
Address: 167.114.84.133
Name:   linux-balancer.cryptostorm.net
Address: 185.140.114.52
Name:   linux-balancer.cryptostorm.net
Address: 46.166.170.11
Name:   linux-balancer.cryptostorm.net
Address: 173.234.159.236
Name:   linux-balancer.cryptostorm.net
Address: 212.83.177.138
Name:   linux-balancer.cryptostorm.net
Address: 104.238.194.236
Name:   linux-balancer.cryptostorm.net
Address: 213.163.64.209
Name:   linux-balancer.cryptostorm.net
Address: 95.141.47.59
Name:   linux-balancer.cryptostorm.net
Address: 185.107.80.85
Name:   linux-balancer.cryptostorm.net
Address: 46.165.222.248
Name:   linux-balancer.cryptostorm.net
Address: 78.155.222.164
Name:   linux-balancer.cryptostorm.net
Address: 104.238.195.140
Name:   linux-balancer.cryptostorm.net
Address: 80.233.134.53
Name:   linux-balancer.cryptostorm.net
Address: 82.103.131.173
Name:   linux-balancer.cryptostorm.net
Address: 185.60.147.79
Name:   linux-balancer.cryptostorm.net
Address: 46.165.240.174
Name:   linux-balancer.cryptostorm.net
Address: 70.32.38.68
Name:   linux-balancer.cryptostorm.net
Address: 212.129.27.79
Name:   linux-balancer.cryptostorm.net
Address: 198.7.58.245


I use iptables directly rather than ufw, so I can't help you there unfortunately.


Topic Author
Luh0GKC
Posts: 3
Joined: Wed Apr 12, 2017 11:01 am

Re: UFW rules

Postby Luh0GKC » Tue Jul 18, 2017 1:18 pm

Ah, I noticed the iptables_cryptostorm.sh doesn't even look at the chaindirectives.txt, so I can just run that and get the iptables rules based on nslookup?

Is that something that persists or do I need to run it every boot?

How come I can't connect to the VPN while the rules are active?

openvpn says

Code:

RESOLVE: Cannot resolve host address: linux-paris.cstorm.pw:443 (Name or service not known)


While my openvpn.conf has these

Code:

remote linux-paris.cryptostorm.net 443 udp
remote linux-paris.cryptostorm.nu 443 udp
remote linux-paris.cryptostorm.org 443 udp
remote linux-paris.cstorm.pw 443 udp


and iptables -L does include

Code:

ACCEPT udp -- anywhere linux-paris.cryptostorm.net  udp dpt:443 /* linux-balancer.cryptostorm.net */


Do I have to remove the other 3 remotes?

parityboy
Site Admin
Posts: 1066
Joined: Wed Feb 05, 2014 3:47 am

Re: UFW rules

Postby parityboy » Tue Jul 18, 2017 4:58 pm

@OP

You can make the rules persistent by installing the iptables-persistent package. This gives you the commands iptables-save and iptables-restore, allowing you to save and restore to any file. However, the rules which become active on boot are stored in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

As for your DNS resolution issues... drop the firewall, do "nslookup www.google.com" and post the output here. I want to check something...


Topic Author
Luh0GKC
Posts: 3
Joined: Wed Apr 12, 2017 11:01 am

Re: UFW rules

Postby Luh0GKC » Wed Jul 19, 2017 9:43 am

Iptables off,

VPN connected

Code:

nslookup www.google.com
Server:      212.129.46.86
Address:   212.129.46.86#53

Non-authoritative answer:
Name:   www.google.com
Address: 216.58.209.36


No VPN

Code:

nslookup www.google.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.4.4

parityboy
Site Admin
Posts: 1066
Joined: Wed Feb 05, 2014 3:47 am

Re: UFW rules

Postby parityboy » Wed Jul 19, 2017 5:10 pm

@OP

I think I see the issue. In your iptables rules, switch out 127.0.1.1 for 127.0.0.53 (both lines). 127.0.0.53 is the address that your local dnsmasq is listening on. That in turn will forward the DNS request to your router which is probably on 192.168.1.1 while the VPN is inactive.

Once the VPN is up, dnsmasq will be updated to use the DNS server sitting on whichever exit node you're connected to.
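As an added example (not a script from this thread or from cryptostorm's GitHub), here is a POSIX sh snippet that turns the two things discussed above into reviewable iptables lines: the nslookup answer for linux-balancer.cryptostorm.net becomes one udp/443 rule per exit address (the OUTPUT chain is assumed from the "iptables -L" line the OP posted), and the stub resolver address read from resolv.conf becomes the two "resolv" rules, so they follow whatever is actually listening (127.0.0.53 here) instead of a hard-coded 127.0.1.1. The sample inputs are constructed inline and nothing is applied; the rules are only printed so they can be reviewed and then saved with iptables-persistent as described above.

```shell
#!/bin/sh
# Added example, not from the thread or from cryptostorm's repo.
# Generates iptables lines from (1) nslookup output and (2) resolv.conf,
# printing them for review rather than loading them into the kernel.

# balancer_rules: reads nslookup output on stdin, emits one OUTPUT rule
# per "Address:" line, in the shape the OP saw in "iptables -L"
# (chain assumed to be OUTPUT; the listing did not show the chain name).
balancer_rules() {
    while read -r key value; do
        [ "$key" = "Address:" ] || continue
        printf 'iptables -A OUTPUT -d %s -p udp --dport 443 -j ACCEPT -m comment --comment "%s"\n' \
            "$value" "linux-balancer.cryptostorm.net"
    done
}

# stub_resolver FILE: first "nameserver" entry in a resolv.conf-style FILE.
# This is the address the "resolv" rules must allow; the OP's rules allowed
# 127.0.1.1 while the box actually resolved through 127.0.0.53.
stub_resolver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# resolver_rules ADDR: the OP's two "resolv" rules, rewritten for ADDR.
resolver_rules() {
    printf 'iptables -A INPUT -s %s -j ACCEPT -m comment --comment "resolv"\n' "$1"
    printf 'iptables -A OUTPUT -d %s -j ACCEPT -m comment --comment "resolv"\n' "$1"
}

# Constructed sample inputs: two addresses taken from the reply above, and a
# resolv.conf matching the "No VPN" nslookup the OP posted (127.0.0.53).
SAMPLE_NSLOOKUP='Non-authoritative answer:
Name:   linux-balancer.cryptostorm.net
Address: 109.71.42.163
Name:   linux-balancer.cryptostorm.net
Address: 64.120.5.252'

SAMPLE_RESOLV_CONF=$(mktemp)
printf 'nameserver 127.0.0.53\nsearch lan\n' > "$SAMPLE_RESOLV_CONF"

# Print the generated rule set; redirect to a file to diff against rules.v4.
printf '%s\n' "$SAMPLE_NSLOOKUP" | balancer_rules
resolver_rules "$(stub_resolver "$SAMPLE_RESOLV_CONF")"
```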

