Fermi's github -This is a git repository containing Cryptostorm related stuff.-

[Fermi]

location: https://github.com/fermi-cryptostorm/fe ... ostorm-git

Current content:
iptables:
up to date iptables, only allowing:

• DNS traffic with the Cryptostorm deepDNS servers
  Cryptostorm exit nodes (port 443 UDP)
  local LAN

Of course changes may be needed to adapt to your local topology.

iptables_logging

• enables logging for INPUT, OUTPUT and FORWARD chains

use /abuse it ...

/Fermi

[Pattern_Juggled]

Excellent work, Fermi!

Also forked across into this new repository: github.com/cryptostorm/samizdat-inbound, as an excellent starting point for many other elements soon to join these iptables chains in this repo.

Cheers,

~ pj

[marzametal]

ooooer iptables!

Fermi... that is one bitchin' iptables file! Makes me want to smack Windows off again... lmao

[df]

I'm probably wrong, but I think these lines will allow leaks:

Code: Select all

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"

If your router's @ 192.168.1.1 and your system's DNS is set by the router via DHCP, wouldn't this allow for bypassing the latter CS-only rules?
Like if you get disconnected from CS and somehow your DNS gets reverted back to DHCP, or if NetworkManager resets resolv.conf to your router's IP, or whatever... Or am I high? :-x

In any event, I wrote up a hacky bash script that does something similar (along with some verifications n whatnot) just ffs:

Code: Select all

#!/bin/bash
if [ `id -u` != "0" ]; then
        echo "Error: you must be root to run this script!"
        exit 1
fi
if [ $OSTYPE != "linux-gnu" ]; then
        echo "Error: this script is only for Linux!"
        exit 1
fi
IPT=`command -v iptables`
if [ $? -ne 0 ]; then
        echo "Error: cannot find iptables on this system."
        exit 1
fi
echo -e "\033[31mWARNING:\033[00m";
echo -e "This script will disconnect you if you are remotely connected to this system\n"
read -rp "Clear current iptables rules? [Y/n]" idunno
idunno=${idunno,,}
if [[ $idunno =~ ^(yes|y|^$) ]]; then
        echo "Flushing existing rules..."
        $IPT -F
else
        read -rp "Continue with script [Y/n]" whatever
        whatever=${whatever,,}
        if ! [[ $whatever =~ ^(y|yes|^$) ]]; then
                echo "Ok, exiting..."
                exit 1
        fi
fi
read -rp "Apply rules now [Y/n]" surewhynot
surewhynot=${surewhynot,,}
if ! [[ $surewhynot =~ ^(y|yes|^$) ]]; then
        echo "Ok, exiting..."
        exit 1
fi
echo "Applying rules..."
$IPT -A OUTPUT -d 46.165.222.248 -j ACCEPT
$IPT -A OUTPUT -d 46.165.222.245 -j ACCEPT
$IPT -A OUTPUT -d 46.165.222.246 -j ACCEPT
$IPT -A OUTPUT -d 79.134.235.133 -j ACCEPT
$IPT -A OUTPUT -d 79.134.235.134 -j ACCEPT
$IPT -A OUTPUT -d 79.134.235.131 -j ACCEPT
$IPT -A OUTPUT -d 212.83.167.81 -j ACCEPT
$IPT -A OUTPUT -d 212.83.163.209 -j ACCEPT
$IPT -A OUTPUT -d 212.129.46.86 -j ACCEPT
$IPT -A OUTPUT -d 212.83.161.53 -j ACCEPT
$IPT -A OUTPUT -d 212.129.25.237 -j ACCEPT
$IPT -A OUTPUT -d 212.129.46.32 -j ACCEPT
$IPT -A OUTPUT -d 198.27.89.56 -j ACCEPT
$IPT -A OUTPUT -d 198.27.76.1 -j ACCEPT
$IPT -A OUTPUT -d 198.100.159.249 -j ACCEPT
$IPT -A OUTPUT -d 130.180.201.117 -j ACCEPT
$IPT -A OUTPUT -d 130.180.201.118 -j ACCEPT
$IPT -A OUTPUT -d 31.24.34.50 -j ACCEPT
$IPT -A OUTPUT -d 109.71.42.163 -j ACCEPT
$IPT -A OUTPUT -d 109.71.42.164 -j ACCEPT
$IPT -A OUTPUT -d 109.71.42.228 -j ACCEPT
$IPT -A OUTPUT -d 91.214.70.206 -j ACCEPT
$IPT -A OUTPUT -d 91.214.70.207 -j ACCEPT
$IPT -A OUTPUT -d 91.214.70.199 -j ACCEPT
$IPT -A OUTPUT -d 76.164.234.12 -j ACCEPT
$IPT -A OUTPUT -d 76.164.234.13 -j ACCEPT
$IPT -A OUTPUT -d 76.164.234.11 -j ACCEPT
$IPT -A OUTPUT -d 103.254.153.243 -j ACCEPT
$IPT -A OUTPUT -d 103.254.153.242 -j ACCEPT
$IPT -A OUTPUT -d 103.254.153.244 -j ACCEPT
$IPT -A OUTPUT -d 142.54.172.52 -j ACCEPT
$IPT -A OUTPUT -d 142.54.172.51 -j ACCEPT
$IPT -A OUTPUT -d 142.54.172.53 -j ACCEPT
$IPT -A OUTPUT -d 212.129.34.154 -j ACCEPT
$IPT -A OUTPUT -d 195.154.33.73 -j ACCEPT
$IPT -A OUTPUT -d 212.129.10.40 -j ACCEPT
$IPT -A OUTPUT -d 195.154.33.76 -j ACCEPT
$IPT -A OUTPUT -j DROP
echo "Done!"

Pretty sure that won't break your entire system.... maybe.

[jlg]

This thread got me thinking about starting a github for conf files for myself. Purely because Github > Owncloud for storing them.

[jlg]

(I'll post back if my github for CS stuff ever happens).

[DesuStrike]

I'm probably wrong, but I think these lines will allow leaks:

Code: Select all

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"

Shouldn't this be mitigated by enforcing a set of DNS IPs on the client and telling it to disregard any DHCP pushed DNS?

[Fermi]

Improved version:
https://github.com/cryptostorm/cryptoha ... tostorm.sh
or
https://github.com/fermi-cryptostorm/fe ... tostorm.sh

also drops IPv6 traffic, in case IPv6 wasn't disabled in the kernel.

again, use /abuse it ...

/Fermi