Fermi's github -This is a git repository containing Cryptostorm related stuff.-


Topic Author
Fermi
ForumHelper
Posts: 176
Joined: Tue Jun 17, 2014 11:42 am

Postby Fermi » Thu May 14, 2015 8:10 pm

location: https://github.com/fermi-cryptostorm/fe ... ostorm-git

Current content:

iptables:
    up-to-date iptables rules, only allowing:
        DNS traffic with the Cryptostorm deepDNS servers
        Cryptostorm exit nodes (port 443 UDP)
        local LAN
    Of course changes may be needed to adapt to your local topology.

iptables_logging:
    enables logging for INPUT, OUTPUT and FORWARD chains

use :thumbup: /abuse :thumbdown: it ...

/Fermi


Pattern_Juggled
Posts: 1493
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: Fermi's github - also cross-forked to 'samizdat-inbound'

Postby Pattern_Juggled » Thu May 14, 2015 8:33 pm

Excellent work, Fermi!

Also forked across into this new repository: github.com/cryptostorm/samizdat-inbound, as an excellent starting point for many other elements soon to join these iptables chains in this repo.

Cheers,

~ pj
...just a scatterbrained network topologist & crypto systems architect



marzametal
Posts: 487
Joined: Mon Aug 05, 2013 11:39 am

Re: Fermi's github -This is a git repository containing Cryptostorm related stuff.-

Postby marzametal » Fri May 15, 2015 5:28 am

ooooer iptables!

Fermi... that is one bitchin' iptables file! Makes me want to smack Windows off again... lmao


df
Site Admin
Posts: 234
Joined: Thu Jan 01, 1970 5:00 am

Re: Fermi's github -This is a git repository containing Cryptostorm related stuff.-

Postby df » Sat May 16, 2015 6:21 am

I'm probably wrong, but I think these lines will allow leaks:

```bash
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
```


If your router's @ 192.168.1.1 and your system's DNS is set by the router via DHCP, wouldn't this allow for bypassing the latter CS-only rules?
Like if you get disconnected from CS and somehow your DNS gets reverted back to DHCP, or if NetworkManager resets resolv.conf to your router's IP, or whatever... Or am I high? :-x

In any event, I wrote up a hacky bash script that does something similar (along with some verifications n whatnot) just ffs:

```bash
#!/bin/bash
# Refuse to run unless root; iptables needs it.
if [ "$(id -u)" != "0" ]; then
        echo "Error: you must be root to run this script!"
        exit 1
fi
# Linux-only. Quoted so the test does not blow up if OSTYPE is unset.
if [ "$OSTYPE" != "linux-gnu" ]; then
        echo "Error: this script is only for Linux!"
        exit 1
fi
IPT=$(command -v iptables)
if [ -z "$IPT" ]; then
        echo "Error: cannot find iptables on this system."
        exit 1
fi
echo -e "\033[31mWARNING:\033[00m"
echo -e "This script will disconnect you if you are remotely connected to this system\n"
read -rp "Clear current iptables rules? [Y/n] " idunno
idunno=${idunno,,}   # lower-case the answer; an empty answer counts as yes
if [[ $idunno =~ ^(yes|y)?$ ]]; then
        echo "Flushing existing rules..."
        $IPT -F
else
        read -rp "Continue with script [Y/n] " whatever
        whatever=${whatever,,}
        if ! [[ $whatever =~ ^(yes|y)?$ ]]; then
                echo "Ok, exiting..."
                exit 1
        fi
fi
read -rp "Apply rules now [Y/n] " surewhynot
surewhynot=${surewhynot,,}
if ! [[ $surewhynot =~ ^(yes|y)?$ ]]; then
        echo "Ok, exiting..."
        exit 1
fi
echo "Applying rules..."
# Whitelist outbound traffic to the cryptostorm exit nodes listed here (the list
# is as posted and will go stale; check the current node list), then drop all else.
$IPT -A OUTPUT -d 46.165.222.248 -j ACCEPT
$IPT -A OUTPUT -d 46.165.222.245 -j ACCEPT
$IPT -A OUTPUT -d 46.165.222.246 -j ACCEPT
$IPT -A OUTPUT -d 79.134.235.133 -j ACCEPT
$IPT -A OUTPUT -d 79.134.235.134 -j ACCEPT
$IPT -A OUTPUT -d 79.134.235.131 -j ACCEPT
$IPT -A OUTPUT -d 212.83.167.81 -j ACCEPT
$IPT -A OUTPUT -d 212.83.163.209 -j ACCEPT
$IPT -A OUTPUT -d 212.129.46.86 -j ACCEPT
$IPT -A OUTPUT -d 212.83.161.53 -j ACCEPT
$IPT -A OUTPUT -d 212.129.25.237 -j ACCEPT
$IPT -A OUTPUT -d 212.129.46.32 -j ACCEPT
$IPT -A OUTPUT -d 198.27.89.56 -j ACCEPT
$IPT -A OUTPUT -d 198.27.76.1 -j ACCEPT
$IPT -A OUTPUT -d 198.100.159.249 -j ACCEPT
$IPT -A OUTPUT -d 130.180.201.117 -j ACCEPT
$IPT -A OUTPUT -d 130.180.201.118 -j ACCEPT
$IPT -A OUTPUT -d 31.24.34.50 -j ACCEPT
$IPT -A OUTPUT -d 109.71.42.163 -j ACCEPT
$IPT -A OUTPUT -d 109.71.42.164 -j ACCEPT
$IPT -A OUTPUT -d 109.71.42.228 -j ACCEPT
$IPT -A OUTPUT -d 91.214.70.206 -j ACCEPT
$IPT -A OUTPUT -d 91.214.70.207 -j ACCEPT
$IPT -A OUTPUT -d 91.214.70.199 -j ACCEPT
$IPT -A OUTPUT -d 76.164.234.12 -j ACCEPT
$IPT -A OUTPUT -d 76.164.234.13 -j ACCEPT
$IPT -A OUTPUT -d 76.164.234.11 -j ACCEPT
$IPT -A OUTPUT -d 103.254.153.243 -j ACCEPT
$IPT -A OUTPUT -d 103.254.153.242 -j ACCEPT
$IPT -A OUTPUT -d 103.254.153.244 -j ACCEPT
$IPT -A OUTPUT -d 142.54.172.52 -j ACCEPT
$IPT -A OUTPUT -d 142.54.172.51 -j ACCEPT
$IPT -A OUTPUT -d 142.54.172.53 -j ACCEPT
$IPT -A OUTPUT -d 212.129.34.154 -j ACCEPT
$IPT -A OUTPUT -d 195.154.33.73 -j ACCEPT
$IPT -A OUTPUT -d 212.129.10.40 -j ACCEPT
$IPT -A OUTPUT -d 195.154.33.76 -j ACCEPT
# Catch-all: everything not matched above is dropped, loopback and LAN included,
# since nothing above exempts them.
$IPT -A OUTPUT -j DROP
echo "Done!"
```


Pretty sure that won't break your entire system.... maybe.


jlg
Posts: 90
Joined: Mon May 05, 2014 2:44 am

Re: Fermi's github -This is a git repository containing Cryptostorm related stuff.-

Postby jlg » Sat Jun 20, 2015 4:04 pm

This thread got me thinking about starting a github for conf files for myself. Purely because Github > Owncloud for storing them.


jlg
Posts: 90
Joined: Mon May 05, 2014 2:44 am

Re: Fermi's github -This is a git repository containing Cryptostorm related stuff.-

Postby jlg » Sat Jun 20, 2015 4:05 pm

(I'll post back if my github for CS stuff ever happens).


DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: Fermi's github -This is a git repository containing Cryptostorm related stuff.-

Postby DesuStrike » Sun Jun 21, 2015 1:31 pm

df wrote:
> I'm probably wrong, but I think these lines will allow leaks:
>
> iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"
> iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT -m comment --comment "allow all local traffic"

Shouldn't this be mitigated by enforcing a set of DNS IPs on the client and telling it to disregard any DHCP-pushed DNS?
home is where the artillery hits
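The leak df describes and the client-side DNS pinning DesuStrike suggests, as an added example that is not code from Fermi's repository or from anyone in this thread: a script that emits an iptables-restore ruleset in which port 53 is allowed only to the deepDNS resolvers inside the tunnel and dropped everywhere else before the "allow all LAN" rule can match, plus a check that the ordering is right. The resolver and exit-node addresses, the 192.168.1.0/24 LAN range and the tun0 interface name are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not Fermi's or df's script): emit an iptables-restore ruleset
# whose DNS restriction is ordered BEFORE the "allow all LAN" rule, so a resolver
# reverted to the router by DHCP/NetworkManager cannot leak queries on port 53.
# Addresses below are constructed placeholders: substitute the current deepDNS
# resolver IPs and the exit nodes you actually use.
LAN="192.168.1.0/24"
DEEPDNS="198.51.100.53 203.0.113.53"   # placeholder resolver IPs
EXITS="192.0.2.10 192.0.2.11"          # placeholder exit-node IPs
VPN_IF="tun0"

emit() { printf '%s\n' "$1"; }

build_ruleset() {
    emit "*filter"
    emit ":INPUT DROP [0:0]"
    emit ":FORWARD DROP [0:0]"
    emit ":OUTPUT DROP [0:0]"
    emit "-A INPUT -i lo -j ACCEPT"
    emit "-A OUTPUT -o lo -j ACCEPT"
    emit "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    emit "-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT"   # keep the DHCP lease
    for d in $DEEPDNS; do                   # 1. DNS only to deepDNS, only inside the tunnel
        emit "-A OUTPUT -o $VPN_IF -d $d -p udp --dport 53 -j ACCEPT"
        emit "-A OUTPUT -o $VPN_IF -d $d -p tcp --dport 53 -j ACCEPT"
    done
    emit "-A OUTPUT -p udp --dport 53 -j DROP"   # 2. any other DNS, router included,
    emit "-A OUTPUT -p tcp --dport 53 -j DROP"   #    dies here before the LAN rule
    for e in $EXITS; do                     # 3. OpenVPN transport to the exit nodes
        emit "-A OUTPUT -d $e -p udp --dport 443 -j ACCEPT"
    done
    emit "-A OUTPUT -o $VPN_IF -j ACCEPT"   # 4. everything else rides the tunnel
    emit "-A INPUT -s $LAN -j ACCEPT"       # 5. LAN last, with DNS already filtered
    emit "-A OUTPUT -d $LAN -j ACCEPT"
    emit "COMMIT"
}

# Review check before applying: the generic port-53 DROP must precede the LAN
# ACCEPT (first match wins), otherwise the leak df describes is back. Exit 0 = OK.
check_dns_before_lan() {
    drop=$(build_ruleset | grep -nF -- '--dport 53 -j DROP' | head -n 1 | cut -d: -f1)
    lan=$(build_ruleset | grep -nF -- "-A OUTPUT -d $LAN -j ACCEPT" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$lan" ] && [ "$drop" -lt "$lan" ]
}

# Apply with:  build_ruleset | iptables-restore
# and, as in Fermi's improved version, drop IPv6 outright:
#   ip6tables -P INPUT DROP; ip6tables -P OUTPUT DROP; ip6tables -P FORWARD DROP
```

With the VPN down, no resolver is reachable at all, which is the kill-switch behaviour wanted here rather than a silent fallback to the router.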


Topic Author
Fermi
ForumHelper
Posts: 176
Joined: Tue Jun 17, 2014 11:42 am

Re: Fermi's github -This is a git repository containing Cryptostorm related stuff.-

Postby Fermi » Thu Jul 09, 2015 10:30 pm

Improved version:
https://github.com/cryptostorm/cryptoha ... tostorm.sh
or
https://github.com/fermi-cryptostorm/fe ... tostorm.sh

also drops IPv6 traffic, in case IPv6 wasn't disabled in the kernel.

again, use :thumbup: /abuse :thumbdown: it ...

/Fermi

