rajannpatel / Pi-Hole-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-Wireguard-VPN-Configs

Run your own privacy-first ad blocking service at home, or in the cloud for free with Google Cloud Services.
MIT License
767 stars, 76 forks

implement local firewall rules directly on the server #5

Closed. smadgal closed this issue 4 years ago.

smadgal commented 4 years ago

@rajannpatel - currently, you are allowing access from anywhere to port 51515 on the VM. Do you think it also makes sense to implement the iptables rules as recommended at [https://docs.pi-hole.net/guides/vpn/firewall/]? Or is that overkill? Thank you again for this wonderful script.

rajannpatel commented 4 years ago

Coming up with a good set of iptables rules is a good idea to protect any users running this script on a server with a public IP address. For people who deploy this script on Google Cloud, the Google Firewall is adequate. For people who deploy this script at home, port forwarding on their router is adequate.

Regardless of how you gatekeep your traffic, in Google Firewall, iptables, or elsewhere, leaving port 51515 open to the whole world is a necessity at this time. The good news is, unlike OpenVPN, Wireguard is silent in a Port Scan. You need to have the correct key for Wireguard to reveal itself with a response.

If you want to experiment with iptables and provide a proposal about how the iptables rules should look, we can review it together?

smadgal commented 4 years ago

Sounds good. My knowledge of iptables is limited, so this would be a learning opportunity. I will certainly look into it.

harssh commented 4 years ago

Can we re-purpose some of the rules from the Pi-hole config page: https://docs.pi-hole.net/guides/vpn/firewall/

rajannpatel commented 4 years ago

The only iptables rules you would need to implement would be on the public interface, and only UDP port 51515 needs to be open, if every device is going to access Pi-Hole through the VPN. If you are going to allow direct access to your server (not appropriate for cloud installations), then the link provided by @harssh is appropriate as well.
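The rule described above (public interface exposes only UDP 51515, everything else only through the tunnel), written out as an added example that is not part of this repository or the thread. It generates an iptables-restore ruleset; the interface names, VPN subnet and port are placeholders passed as arguments, and the tunnel-side ports assume Pi-hole's default DNS (53) and web UI (80).

```shell
#!/usr/bin/env bash
# Added example, not from the repository: emit an iptables-restore ruleset for a
# host running Pi-hole behind WireGuard. Defaults are placeholders: public NIC
# eth0, WireGuard interface wg0, WireGuard UDP port 51515, VPN subnet 10.0.0.0/24.
# Usage: gen_rules eth0 wg0 51515 10.0.0.0/24 > /etc/iptables/rules.v4
#        iptables-restore --test < /etc/iptables/rules.v4   # validate before loading
set -eu

gen_rules() {
    pub_if="${1:-eth0}"; wg_if="${2:-wg0}"; wg_port="${3:-51515}"; vpn_net="${4:-10.0.0.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to connections this host opened, and nothing malformed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public interface: the WireGuard port is the only inbound service (no DNS, no web UI)
-A INPUT -i ${pub_if} -p udp --dport ${wg_port} -j ACCEPT
# tunnel interface: DNS, the Pi-hole admin UI and SSH only from VPN peers
-A INPUT -i ${wg_if} -s ${vpn_net} -p udp --dport 53 -j ACCEPT
-A INPUT -i ${wg_if} -s ${vpn_net} -p tcp --dport 53 -j ACCEPT
-A INPUT -i ${wg_if} -s ${vpn_net} -p tcp --dport 80 -j ACCEPT
-A INPUT -i ${wg_if} -s ${vpn_net} -p tcp --dport 22 -j ACCEPT
# full-tunnel clients: forward VPN traffic out the public interface and replies back
-A FORWARD -i ${wg_if} -o ${pub_if} -s ${vpn_net} -j ACCEPT
-A FORWARD -i ${pub_if} -o ${wg_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${vpn_net} -o ${pub_if} -j MASQUERADE
COMMIT
EOF
}

# Count how many INPUT rules accept traffic arriving on the public interface;
# with the policy above this must be exactly one (the WireGuard port).
public_accept_count() {
    gen_rules "$@" | grep -c -- "-A INPUT -i ${1:-eth0} " || true
}
```

Note that SSH is deliberately not reachable on the public interface here; if you administer the host some other way (a cloud console or a bastion), add that path before loading the rules or you will lock yourself out.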

rajannpatel commented 4 years ago

I've been thinking quite a bit about this, and the reality is that it is up to your router (or a 3rd party firewall solution like pfSense or Untangle) to protect Pi-Hole. Furthermore, Pi-Hole sets up the proper rules for itself, and you can configure which network interfaces it will accept responses from.

There isn't any value gained from protecting it from within your own LAN, and where situations like these arise, other solutions such as VLANs should be part of the solution.

Nobody should be installing a Pi-Hole on a server or virtual machine with a public-facing IP address - this just isn't good practice. I'm going to mark this as closed, because the title of the issue without context may confuse people and make them averse to spinning up a VM in the cloud. Happy to continue the discussion and review iptables proposals if somebody does have a burning desire to pursue this.