How to Allow WhatsApp on iptables with Policy Drop

Hey guys, today I will share an issue that a client of mine had with WhatsApp.

At first the client did not want employees connecting to WhatsApp at all, but things changed and we needed to allow WhatsApp for just a handful of employees, controlled by IP address in iptables.

Each phone has a DHCP reservation, and only those IPs are allowed through iptables.

The first step is to get the CIDR list that WhatsApp publishes at https://www.whatsapp.com/cidr.txt. I only handle IPv4 here; ip6tables keeps its own chains and policies, so if the gateway also forwards IPv6, that traffic is not restricted by anything below.

Now create a directory to hold the firewall configuration:

mkdir /etc/firewall

Next, create the file that stores the WhatsApp CIDR list (this is the list as fetched from cidr.txt at the time of writing; refresh it whenever WhatsApp updates the published ranges):

vim /etc/firewall/whatsapp_cidr
# /etc/firewall/whatsapp_cidr
31.13.64.51/32
31.13.65.49/32
31.13.66.49/32
31.13.67.51/32
31.13.68.52/32
31.13.69.240/32
31.13.70.49/32
31.13.71.49/32
31.13.72.52/32
31.13.73.49/32
31.13.74.49/32
31.13.75.52/32
31.13.76.81/32
31.13.77.49/32
31.13.78.53/32
31.13.79.195/32
31.13.80.53/32
31.13.81.53/32
31.13.82.51/32
31.13.83.51/32
31.13.84.51/32
31.13.85.51/32
31.13.86.51/32
31.13.87.51/32
31.13.88.49/32
31.13.90.51/32
31.13.91.51/32
31.13.92.52/32
31.13.93.51/32
31.13.95.63/32
50.22.198.204/30
50.22.210.32/30
50.22.210.128/27
50.22.225.64/27
50.22.235.248/30
50.22.240.160/27
50.23.90.128/27
50.97.57.128/27
64.233.190.0/24
75.126.39.32/27
108.168.174.0/27
108.168.176.192/26
108.168.177.0/27
108.168.180.96/27
108.168.254.65/32
108.168.255.224/32
108.168.255.227/32
158.85.0.96/27
158.85.5.192/27
158.85.46.128/27
158.85.48.224/27
158.85.58.0/25
158.85.61.192/27
158.85.224.160/27
158.85.233.32/27
158.85.249.128/27
158.85.249.224/27
158.85.254.64/27
169.44.36.0/25
169.44.57.64/27
169.44.58.64/27
169.44.80.0/26
169.44.82.96/27
169.44.82.128/27
169.44.82.192/26
169.44.83.0/26
169.44.83.96/27
169.45.71.32/27
169.45.71.96/27
169.45.87.128/26
169.45.169.192/27
169.45.182.96/27
169.45.210.64/27
169.45.214.224/27
169.45.219.224/27
169.45.237.192/27
169.45.238.32/27
169.53.29.128/27
169.53.48.32/27
169.53.71.224/27
169.53.250.128/26
169.53.252.64/27
169.53.255.64/27
169.54.2.160/27
169.54.44.224/27
169.54.51.32/27
169.54.55.192/27
169.54.193.160/27
169.54.210.0/27
169.54.222.128/27
169.55.69.128/26
169.55.74.32/27
169.55.126.64/26
169.55.210.96/27
169.55.235.160/27
173.192.162.32/27
173.192.219.128/27
173.192.222.160/27
173.192.231.32/27
173.193.205.0/27
173.193.230.96/27
173.193.230.128/27
173.193.230.192/27
173.193.239.0/27
174.36.208.128/27
174.36.210.32/27
174.36.251.192/27
174.37.199.192/27
174.37.217.64/27
174.37.231.64/27
174.37.243.64/27
174.37.251.0/27
179.60.192.51/32
179.60.193.51/32
179.60.195.51/32
184.173.136.64/27
184.173.147.32/27
184.173.161.64/32
184.173.161.160/27
184.173.173.116/32
184.173.179.32/27
185.60.216.53/32
192.155.212.192/27
198.11.193.182/31
198.11.251.32/27
198.23.80.0/27
208.43.115.192/27
208.43.117.79/32
208.43.122.128/27
172.217.28.0/24

Now create a file with the IP addresses reserved for the employees' phones:

vim /etc/firewall/whatsapp_clients
# /etc/firewall/whatsapp_clients
10.0.2.31
10.0.1.77

Now let's write a simple script that processes these two files and rebuilds the rules whenever they change.

vim /etc/firewall/firewall.sh
#!/bin/bash
# Rebuilds the gateway firewall: default DROP, WhatsApp reachable only for the
# phones listed in /etc/firewall/whatsapp_clients.
set -eu

# VARIABLES
IPTABLES="/sbin/iptables"
COM="-m comment --comment"
GREP="/bin/grep"

WHATSAPP_CIDR=/etc/firewall/whatsapp_cidr
WHATSAPP_CLIENTS=/etc/firewall/whatsapp_clients

# ENABLING THE FORWARDING
echo 1 > /proc/sys/net/ipv4/ip_forward

### CLEANING OLD RULES ###
${IPTABLES} -t filter -F
${IPTABLES} -t nat -F
${IPTABLES} -t mangle -F
${IPTABLES} -t filter -X
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -X

### CUSTOM CHAINS ###
${IPTABLES} -t filter -N whatsapp
${IPTABLES} -t nat -N whatsapp

### SET DEFAULT POLICY AS DROP ###
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

### ALLOW RETURN OF CONNECTIONS ###
${IPTABLES} -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### ALLOW LOOPBACK ###
# Match on the interface rather than on a 127.0.0.0/8 source address, so a
# packet arriving on another interface with a spoofed loopback source is not accepted.
${IPTABLES} -A INPUT -i lo -j ACCEPT ${COM} "ALLOW LOOPBACK"

### WHATSAPP RULES ###
# Payload substring match: it only hits packets that carry the string (never a
# bare TCP SYN), so the destination rules below are what really open access.
${IPTABLES} -t filter -A whatsapp -m string --algo bm --string "whatsapp.com" -j ACCEPT ${COM} "WHATSAPP CHAIN"
${IPTABLES} -t filter -A whatsapp -m string --algo bm --string "whatsapp.net" -j ACCEPT ${COM} "WHATSAPP CHAIN"

# One ACCEPT per published WhatsApp network; comment lines are skipped.
for IP in $(${GREP} -v "^#" ${WHATSAPP_CIDR}); do
  ${IPTABLES} -t filter -A whatsapp -d ${IP} -j ACCEPT ${COM} "WHATSAPP CHAIN"
  # In the nat table ACCEPT only means "apply no NAT rule to this packet".
  ${IPTABLES} -t nat -A whatsapp -d ${IP} -j ACCEPT ${COM} "WHATSAPP CHAIN"
done

# Each allowed phone is sent through the whatsapp chain and masqueraded.
for IP in $(${GREP} -v "^#" ${WHATSAPP_CLIENTS}); do
  ${IPTABLES} -t filter -A FORWARD -s ${IP} -j whatsapp ${COM} "WHATSAPP CLIENT"
  ${IPTABLES} -t nat -A PREROUTING -s ${IP} -j whatsapp ${COM} "WHATSAPP CLIENT"
  ${IPTABLES} -t nat -A POSTROUTING -s ${IP} -j MASQUERADE ${COM} "WHATSAPP CLIENT"
done
### END WHATSAPP RULES ###

A few things to check before running it. The INPUT chain accepts only loopback and already established traffic, so if you manage the gateway over SSH, add a rule for that first or you will lock yourself out. The FORWARD chain lets the listed phones reach nothing but the WhatsApp ranges, so name resolution has to be answered by something they can still reach (queries to the gateway itself are dropped by INPUT as written). And the two "-m string" rules are a plain payload substring match: a TCP SYN carries no payload and can never satisfy them, while any packet can satisfy them simply by containing the string, so it is the destination-address rules that actually enforce the policy. With that in mind, make the script executable:

chmod +x /etc/firewall/firewall.sh

Now run it:

/etc/firewall/firewall.sh

To check the rules in the filter table:

iptables -t filter -L -n -v

To check the rules in the nat table:

iptables -t nat -L -n -v
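The script above feeds whatever is in the two list files straight into iptables, one rule at a time, after flushing everything. As an added example (my own code, not part of the original post), the following shell script validates each entry as an IPv4 address or CIDR, refuses a line that contains anything else, and renders the same policy as an iptables-restore(8) ruleset that can be checked and loaded in one transaction. The file names are the post's; the function names are mine, and the "-m string" rules and the nat-table whatsapp chain are left out on purpose (a substring match never sees a TCP SYN, and ACCEPT in the nat table only skips NAT for that packet).

```bash
#!/bin/bash
# Added example, not from the original post: validate the list files and
# render the policy as an iptables-restore ruleset. Function names are
# assumptions of this example; the file layout matches the post.

# valid_cidr ENTRY: succeed if ENTRY is an IPv4 address or an IPv4 CIDR.
valid_cidr() {
    local addr prefix o n=0 old_ifs
    case "$1" in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1;      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac   # empty octet
    old_ifs=$IFS; IFS=.
    for o in $addr; do
        case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# load_list FILE: print FILE's entries one per line, dropping blank lines and
# '#' comments; fail on the first line that is not exactly one valid entry, so
# a stray "0.0.0.0/0" or extra iptables arguments never reach the ruleset.
load_list() {
    local file=$1 line entry lineno=0 cr
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=${line%"$cr"}            # tolerate CRLF files
        entry=${entry%%#*}             # strip trailing comment
        set -f; set -- $entry; set +f  # word-split without globbing
        [ "$#" -gt 0 ] || continue
        if [ "$#" -eq 1 ] && valid_cidr "$1"; then
            printf '%s\n' "$1"
        else
            printf 'load_list: %s:%d: invalid entry: %s\n' "$file" "$lineno" "$entry" >&2
            return 1
        fi
    done < "$file"
}

# render_rules CIDR_FILE CLIENTS_FILE: write an iptables-restore ruleset to
# stdout: default DROP on INPUT/FORWARD, a whatsapp chain accepting only the
# listed destinations, each client jumped into it and masqueraded.
render_rules() {
    local cidr_file=$1 clients_file=$2 cidrs clients ip
    cidrs=$(load_list "$cidr_file") || return 1
    clients=$(load_list "$clients_file") || return 1

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':whatsapp - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in $cidrs; do
        echo "-A whatsapp -d $ip -j ACCEPT"
    done
    for ip in $clients; do
        echo "-A FORWARD -s $ip -j whatsapp"
    done
    echo 'COMMIT'
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for ip in $clients; do
        echo "-A POSTROUTING -s $ip -j MASQUERADE"
    done
    echo 'COMMIT'
}

# Usage: gen_rules.sh /etc/firewall/whatsapp_cidr /etc/firewall/whatsapp_clients | iptables-restore
if [ "$#" -eq 2 ]; then
    render_rules "$1" "$2" || exit 1
fi
```

Pipe the output into iptables-restore (or first into `iptables-restore --test`, which parses the ruleset without committing it): the filter and nat tables are then replaced in a single transaction, so there is no window in which the old rules are flushed and the new ones not yet loaded, and a malformed line in either list file aborts the whole reload instead of silently producing a gap.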
