bartbutenaers / Node-RED-Tailscale-Tutorial

Tutorials to setup basic security for Node-RED
Apache License 2.0

ip tables setup #3

Open bartbutenaers opened 1 week ago

bartbutenaers commented 1 week ago

To have some extra security, I added some iptables rules. But I haven't tested them yet. And perhaps there are better ways to add extra security in iptables. Would be nice if users could share some expertise here.

TotallyInformation commented 1 week ago

Long time since I used IPTABLES. 😊

Obviously, the general rules apply. Block everything inbound then only open what you know you need to. With most remote service tools, you don't need any firewall settings because you are running a local daemon service that reaches out. Default firewall configs usually allow this without changes. However, you could also consider blocking all outbound traffic as well except for things you know are needed.

Paul-Reed commented 4 days ago

Some time ago I wrote notes on using UFW, which is an easier way into managing a firewall on a Raspberry Pi, which may assist.

https://github.com/Paul-Reed/cloudflare-ufw

The notes were in relation to managing Cloudflare IPs using a script, which you don't need of course, but the command process for adding/removing rules, enabling/disabling UFW, etc. is detailed in the readme. There are many more advanced rule examples available online. Have a look at https://www.luisllamas.es/en/use-ufw-firewall-on-raspberry-pi/ and https://pimylifeup.com/configuring-ufw/

bartbutenaers commented 3 days ago

Hi @Paul-Reed, Thanks for the tip! I also tried UFW while I was writing the tutorial, and it indeed is less cryptic compared to iptables.

However Tailscale also installs some iptables rules. And UFW only shows the rules which you have added via UFW, but not the rules that have been added via iptables. As a result UFW does not show all Tailscale related rules, which I found confusing.

So this is why I added this "help wanted" issue, in case anybody with iptables knowledge could create some rules. I think this is something that would be useful:

That way all the local services on the Raspberry are only accessible via the Tailscale agent's reverse proxy, all over https with LetsEncrypt certificates. And no direct access to them around the agent.
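One way to express the policy asked for in the comment above, as an added example that is not part of the issue thread, the tutorial, or Tailscale's own code. It assumes Node-RED listens on TCP 1880 bound to 127.0.0.1 and is published with `tailscale serve`, which terminates HTTPS inside tailscaled and forwards to 127.0.0.1 over loopback; the chain name NODERED-IN, the interface name tailscale0, the default WireGuard port 41641 and SSH on port 22 over the tailnet are assumptions you can override with environment variables. The rules are generated as iptables-restore text so the policy can be reviewed (and tested) without root, then applied with `--noflush` so the chains tailscaled installs are left alone, which is the part UFW hides.

```sh
#!/bin/sh
# Added example for this thread, not code from the tutorial or from Tailscale.
# Goal: Node-RED (assumed on TCP 1880, bound to 127.0.0.1) and any other local
# service are reachable only through "tailscale serve", which terminates HTTPS
# inside tailscaled and forwards to 127.0.0.1. Nothing is accepted directly
# from the LAN, and nothing is accepted on tailscale0 except SSH.
# Assumed names: chain NODERED-IN, interface tailscale0, UDP port 41641.
set -eu

CHAIN="${CHAIN:-NODERED-IN}"   # our own chain; Tailscale's ts-* chains stay untouched
TS_IF="${TS_IF:-tailscale0}"   # Tailscale's tunnel interface
TS_PORT="${TS_PORT:-41641}"    # tailscaled's default WireGuard port

# Emit the policy in iptables-restore format. Keeping it as text means it can
# be reviewed and tested without root, and applied atomically.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:$CHAIN - [0:0]
-A INPUT -j $CHAIN
# loopback: the path tailscaled's reverse proxy uses to reach 127.0.0.1:1880
-A $CHAIN -i lo -j ACCEPT
-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -m conntrack --ctstate INVALID -j DROP
-A $CHAIN -p icmp --icmp-type echo-request -j ACCEPT
# WireGuard datagrams for direct peer connections; optional, DERP relays work without it
-A $CHAIN -p udp --dport $TS_PORT -j ACCEPT
# admin access only over the tailnet, never from the LAN (assumed port 22)
-A $CHAIN -i $TS_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# everything else, including 1880 from the LAN or from tailnet peers, is dropped
-A $CHAIN -j DROP
COMMIT
EOF
}

# Apply without flushing the filter table, so the chains tailscaled installs
# (ts-input / ts-forward in current releases; confirm with `iptables -S`)
# survive. Re-running is safe: the old jump is removed and our chain rebuilt.
apply_rules() {
    while iptables -D INPUT -j "$CHAIN" 2>/dev/null; do :; done
    gen_rules | iptables-restore --noflush
}

# Show the complete IPv4 picture, including the rules UFW would not display.
show_rules() {
    iptables -S INPUT
    iptables -S "$CHAIN"
    iptables -S ts-input 2>/dev/null || true
}

# Returns 0 when the generated policy has an ACCEPT rule for the given port,
# so a quick check like "opens_port 1880" must fail for this policy.
opens_port() {
    gen_rules | grep -- "-j ACCEPT" | grep -q -- "--dport $1 "
}

case "${1:-gen}" in
    gen)   gen_rules ;;
    apply) apply_rules ;;
    show)  show_rules ;;
    *)     echo "usage: $0 gen|apply|show" >&2; exit 2 ;;
esac
```

Run `sh firewall.sh gen` to inspect the text, `sudo sh firewall.sh apply` to load it, and `sudo sh firewall.sh show` to see the whole INPUT path, including the ts-input chain that `ufw status` never lists. The policy deliberately does not accept everything arriving on tailscale0: the HTTPS listener created by `tailscale serve` lives inside tailscaled, so the kernel only ever sees the WireGuard datagrams, and a blanket accept on tailscale0 would let tailnet peers reach port 1880 around the proxy. This covers IPv4 only; an equivalent ip6tables set with INPUT policy DROP is needed for IPv6, and on Raspberry Pi OS the `iptables-persistent` package (`netfilter-persistent save`) keeps the rules across reboots.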

Paul-Reed commented 2 days ago

Ignore if you're already aware... But just found quite an active & knowledgeable Tailscale community on Reddit - https://www.reddit.com/r/Tailscale/ I just searched for iptables in the Tailscale context and it returned quite a few interesting posts https://www.reddit.com/r/Tailscale/search/?q=Iptables&cId=4e8e59fc-7231-402a-b2a3-4c1ca6a030c2&iId=b9935ef0-12f6-4550-862a-6ef28cb9c312