how_to_allow_whatsapp_on_iptables_with_policy_drop_en [2017/09/05 12:18] (current)
====== How to Allow WhatsApp on iptables with Policy Drop ======
 +
Hey guys, today I will share an issue that a client of mine had with WhatsApp.

In the beginning the client did not want employees to reach WhatsApp at all, but things changed and we needed to allow WhatsApp for a handful of employees only, controlled by IP address on an iptables firewall whose default policy is DROP.

Each of those mobile phones has a DHCP reservation, and only the reserved addresses are allowed through the firewall. Keep in mind that this is purely an address-based control: any device that obtains or configures one of those addresses gets the same access, so if that matters in your environment back the reservations with something stronger than a MAC address (802.1X or a separate VLAN for those phones).

The first step is to get the CIDR list that WhatsApp publishes at https://www.whatsapp.com/cidr.txt. Here I only allow IPv4. The list reproduced below is the snapshot I downloaded when this page was written (2017); WhatsApp changes its ranges from time to time, so refresh it from that URL instead of copying it blindly. If your network also carries IPv6, remember that none of the iptables rules below apply to it: either filter it the same way with ip6tables or make sure the phones get no IPv6 route to the Internet, otherwise the policy is bypassed.
 +
First create a directory to hold the firewall configuration:
<sxh bash>
mkdir /etc/firewall
</sxh>
 +
Now create the file that stores the WhatsApp CIDR list, one network per line (lines starting with # are ignored by the script):
<sxh bash>
vim /etc/firewall/whatsapp_cidr
# /etc/firewall/whatsapp_cidr
31.13.64.51/32
31.13.65.49/32
31.13.66.49/32
31.13.67.51/32
31.13.68.52/32
31.13.69.240/32
31.13.70.49/32
31.13.71.49/32
31.13.72.52/32
31.13.73.49/32
31.13.74.49/32
31.13.75.52/32
31.13.76.81/32
31.13.77.49/32
31.13.78.53/32
31.13.79.195/32
31.13.80.53/32
31.13.81.53/32
31.13.82.51/32
31.13.83.51/32
31.13.84.51/32
31.13.85.51/32
31.13.86.51/32
31.13.87.51/32
31.13.88.49/32
31.13.90.51/32
31.13.91.51/32
31.13.92.52/32
31.13.93.51/32
31.13.95.63/32
50.22.198.204/30
50.22.210.32/30
50.22.210.128/27
50.22.225.64/27
50.22.235.248/30
50.22.240.160/27
50.23.90.128/27
50.97.57.128/27
64.233.190.0/24
75.126.39.32/27
108.168.174.0/27
108.168.176.192/26
108.168.177.0/27
108.168.180.96/27
108.168.254.65/32
108.168.255.224/32
108.168.255.227/32
158.85.0.96/27
158.85.5.192/27
158.85.46.128/27
158.85.48.224/27
158.85.58.0/25
158.85.61.192/27
158.85.224.160/27
158.85.233.32/27
158.85.249.128/27
158.85.249.224/27
158.85.254.64/27
169.44.36.0/25
169.44.57.64/27
169.44.58.64/27
169.44.80.0/26
169.44.82.96/27
169.44.82.128/27
169.44.82.192/26
169.44.83.0/26
169.44.83.96/27
169.45.71.32/27
169.45.71.96/27
169.45.87.128/26
169.45.169.192/27
169.45.182.96/27
169.45.210.64/27
169.45.214.224/27
169.45.219.224/27
169.45.237.192/27
169.45.238.32/27
169.53.29.128/27
169.53.48.32/27
169.53.71.224/27
169.53.250.128/26
169.53.252.64/27
169.53.255.64/27
169.54.2.160/27
169.54.44.224/27
169.54.51.32/27
169.54.55.192/27
169.54.193.160/27
169.54.210.0/27
169.54.222.128/27
169.55.69.128/26
169.55.74.32/27
169.55.126.64/26
169.55.210.96/27
169.55.235.160/27
173.192.162.32/27
173.192.219.128/27
173.192.222.160/27
173.192.231.32/27
173.193.205.0/27
173.193.230.96/27
173.193.230.128/27
173.193.230.192/27
173.193.239.0/27
174.36.208.128/27
174.36.210.32/27
174.36.251.192/27
174.37.199.192/27
174.37.217.64/27
174.37.231.64/27
174.37.243.64/27
174.37.251.0/27
179.60.192.51/32
179.60.193.51/32
179.60.195.51/32
184.173.136.64/27
184.173.147.32/27
184.173.161.64/32
184.173.161.160/27
184.173.173.116/32
184.173.179.32/27
185.60.216.53/32
192.155.212.192/27
198.11.193.182/31
198.11.251.32/27
198.23.80.0/27
208.43.115.192/27
208.43.117.79/32
208.43.122.128/27
172.217.28.0/24
</sxh>
 +
Next, create a file with the IP addresses of the employees' mobile phones (the DHCP reservations):
<sxh bash>
vim /etc/firewall/whatsapp_clients
# /etc/firewall/whatsapp_clients
10.0.2.31
10.0.1.77
</sxh>
 +
Now let's write a simple script that reads both files and builds the rules, so that after editing either list all you have to do is run it again.
<sxh bash>
vim /etc/firewall/firewall.sh
#!/bin/bash
# VARIABLES
IPTABLES="/sbin/iptables"
COM="-m comment --comment"
GREP="/bin/grep"
CAT="/bin/cat"

WHATSAPP_CIDR=/etc/firewall/whatsapp_cidr
WHATSAPP_CLIENTS=/etc/firewall/whatsapp_clients

# ENABLING THE FORWARDING
echo 1 > /proc/sys/net/ipv4/ip_forward

### CLEANING OLD RULES ###
${IPTABLES} -t filter -F
${IPTABLES} -t nat -F
${IPTABLES} -t mangle -F
${IPTABLES} -t filter -X
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -X

### CUSTOM CHAINS
${IPTABLES} -t filter -N whatsapp
${IPTABLES} -t nat -N whatsapp

### SET DEFAULT POLICY AS DROP ###
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

### ALLOW RETURN OF CONNECTIONS ###
${IPTABLES} -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

### ALLOW LOOPBACK ###
# Match on the interface, not on a 127.0.0.0/8 source address: a source
# address can be spoofed from the network, the lo interface cannot.
${IPTABLES} -A INPUT -i lo -j ACCEPT ${COM} "ALLOW LOOPBACK"

### WHATSAPP RULES
# Payload match: accepts a packet from an allowed client whose payload
# contains the hostname (HTTP Host header, TLS SNI), whatever the
# destination address. Read the notes below before relying on these two.
${IPTABLES} -A whatsapp -m string --algo bm --string "whatsapp.com" -j ACCEPT ${COM} "WHATSAPP CHAIN"
${IPTABLES} -A whatsapp -m string --algo bm --string "whatsapp.net" -j ACCEPT ${COM} "WHATSAPP CHAIN"

# One ACCEPT per published network; comment lines (#) in the file are skipped.
for IP in $(${CAT} ${WHATSAPP_CIDR} | ${GREP} -v "^#"); do
  ${IPTABLES} -t filter -A whatsapp -d ${IP} -j ACCEPT ${COM} "WHATSAPP CHAIN"
  ${IPTABLES} -t nat -A whatsapp -d ${IP} -j ACCEPT ${COM} "WHATSAPP CHAIN"
done

# Only the listed phones are sent to the whatsapp chain and NATed; every
# other forwarded packet falls through to the FORWARD policy (DROP).
for IP in $(${CAT} ${WHATSAPP_CLIENTS} | ${GREP} -v "^#"); do
  ${IPTABLES} -t filter -A FORWARD -s ${IP} -j whatsapp ${COM} "WHATSAPP CLIENT"
  ${IPTABLES} -t nat -A PREROUTING -s ${IP} -j whatsapp ${COM} "WHATSAPP CLIENT"
  ${IPTABLES} -t nat -A POSTROUTING -s ${IP} -j MASQUERADE ${COM} "WHATSAPP CLIENT"
done
### END WHATSAPP RULES
</sxh>

A few things to be aware of before running this on a production gateway:

  * The script flushes everything and sets INPUT to DROP with only loopback and ESTABLISHED,RELATED traffic allowed, so no new connection to the firewall itself (SSH included) is accepted afterwards. Add your management rules to the INPUT chain before you run it over the network, or run it from the console.
  * The -m string rules match the literal substring anywhere in the packet payload, regardless of destination. A TCP SYN carries no payload, so a new TCP connection to an address outside the list is still dropped and the string rules add nothing for TCP. A UDP datagram whose payload contains whatsapp.net, however, is accepted to any destination, and its replies are then accepted as ESTABLISHED, so an allowed client can push UDP through the policy by putting that string in the payload. DNS queries do not match either, because the DNS wire format encodes labels with length bytes instead of dots. The CIDR rules do the real work; if you do not need the string rules, drop them.
  * The nat table is consulted only for the first packet of a connection, and the whatsapp chain in it only ACCEPTs, which just ends nat processing. The access control is entirely the filter-table FORWARD chain; the nat whatsapp chain is harmless but redundant.
  * Between the flush and the last rule there is a window where the policies are DROP and the allow rules are not loaded yet, and a typo in either list file makes one iptables call fail while the rest of the script carries on. If you rebuild the firewall often, generate the ruleset and load it in one step with iptables-restore instead.
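The following script is an added example and not part of the original page: it validates both list files and renders them as an iptables-restore ruleset, so the whole policy is parsed first and then loaded atomically, instead of rule by rule. It keeps the page's file paths and chain layout, drops the string-match rules, matches loopback on the interface rather than the source address, and adds a management rule so SSH from ADMIN_NET (a placeholder for your admin network, assumed here as 10.0.0.0/16) keeps working under the INPUT DROP policy. The print/apply arguments and the use of iptables-restore --test are mine, not the page's.

```shell
#!/bin/sh
# Added example (not the page's firewall.sh): validate the two list files and
# render them into an iptables-restore ruleset that loads in one atomic step.
# Assumptions: the page's file paths, and ADMIN_NET as the network from which
# SSH to the firewall must stay reachable (placeholder value).
set -euf

WHATSAPP_CIDR=${WHATSAPP_CIDR:-/etc/firewall/whatsapp_cidr}
WHATSAPP_CLIENTS=${WHATSAPP_CLIENTS:-/etc/firewall/whatsapp_clients}
ADMIN_NET=${ADMIN_NET:-10.0.0.0/16}   # assumption: management network

# valid_cidr A.B.C.D[/N] -> exit 0 if it is a well-formed IPv4 address/prefix
valid_cidr() {
    local entry ip prefix oldifs o
    entry=$1
    case $entry in
        */*) ip=${entry%%/*}; prefix=${entry#*/} ;;
        *)   ip=$entry; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac   # 1-2 digits only
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) return 1 ;; esac   # 1-3 digits only
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# read_list FILE -> prints the entries one per line, comments and blank lines
# removed; fails (exit 1) on the first malformed line instead of skipping it
read_list() {
    local file line
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # strip comments
        set -- $line              # and surrounding whitespace
        [ $# -eq 0 ] && continue
        if [ $# -ne 1 ] || ! valid_cidr "$1"; then
            echo "$file: malformed entry: $line" >&2
            return 1
        fi
        printf '%s\n' "$1"
    done < "$file"
}

emit() { printf '%s\n' "$1"; }

# render_ruleset CIDR_FILE CLIENTS_FILE -> iptables-restore text on stdout
render_ruleset() {
    local cidrs clients ip
    cidrs=$(read_list "$1") || return 1
    clients=$(read_list "$2") || return 1
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':whatsapp - [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit "-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    emit '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in $cidrs; do
        emit "-A whatsapp -d $ip -m comment --comment \"WHATSAPP CHAIN\" -j ACCEPT"
    done
    for ip in $clients; do
        emit "-A FORWARD -s $ip -m comment --comment \"WHATSAPP CLIENT\" -j whatsapp"
    done
    emit 'COMMIT'
    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':INPUT ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    for ip in $clients; do
        emit "-A POSTROUTING -s $ip -j MASQUERADE"
    done
    emit 'COMMIT'
}

# Usage:  sh whatsapp-ruleset.sh print   -> show the ruleset (dry run)
#         sh whatsapp-ruleset.sh apply   -> parse-check it, then load it
case ${1:-} in
    print) render_ruleset "$WHATSAPP_CIDR" "$WHATSAPP_CLIENTS" ;;
    apply)
        ruleset=$(render_ruleset "$WHATSAPP_CIDR" "$WHATSAPP_CLIENTS")
        printf '%s\n' "$ruleset" | iptables-restore --test   # parse only, no commit
        printf '%s\n' "$ruleset" | iptables-restore
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
esac
```

Because render_ruleset fails before printing anything when a list file contains a bad line, and iptables-restore --test rejects a ruleset it cannot parse before the real load, a mistake in a list leaves the current firewall untouched instead of half rebuilt. Keep the output of the print mode under version control next to the two list files; the diff between two runs is exactly the change you are about to apply.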
 +
Now make the script executable:
<sxh bash>
chmod +x /etc/firewall/firewall.sh
</sxh>

Then just run it:
<sxh bash>
/etc/firewall/firewall.sh
</sxh>

To check the rules in the filter table:
<sxh bash>
iptables -t filter -L -n -v
</sxh>

To check the rules in the nat table:
<sxh bash>
iptables -t nat -L -n -v
</sxh>

The whatsapp chain in the filter table should show one ACCEPT per entry of the CIDR file, and the FORWARD chain one jump per phone. With -v the packet counters are printed too, so open the app on one of the listed phones and confirm that the counters on its FORWARD rule and on some of the whatsapp rules move; if they stay at zero, the phone is not using the reserved address or the CIDR file is out of date.
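When a phone still cannot reach WhatsApp, take the destination address it is trying to connect to (from tcpdump on the inside interface or from the conntrack table) and check whether any entry of the list covers it: a new connection to an address outside the list matches no rule in the whatsapp chain and falls back to the FORWARD policy, DROP. The checker below is an added example, not part of the original page; it performs the same prefix comparison that the -d rules do, and assumes the page's file path as default.

```shell
#!/bin/sh
# Added example (not part of the page): does a destination address fall inside
# any network of the WhatsApp CIDR file? Same comparison as an iptables "-d"
# match. Assumption: the page's list path is the default; addresses are
# expected to be well-formed dotted quads without leading zeros.
set -euf

WHATSAPP_CIDR=${WHATSAPP_CIDR:-/etc/firewall/whatsapp_cidr}

# ip2int A.B.C.D -> the address as a 32-bit integer; exit 1 if not four octets
ip2int() {
    local oldifs
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr A.B.C.D NET[/PREFIX] -> exit 0 if the address lies in the network
ip_in_cidr() {
    local net prefix ipn netn mask
    case $2 in
        */*) net=${2%%/*}; prefix=${2#*/} ;;
        *)   net=$2; prefix=32 ;;
    esac
    ipn=$(ip2int "$1") || return 2
    netn=$(ip2int "$net") || return 2
    # 4294967295 is 0xFFFFFFFF: shift the ones left, then keep 32 bits
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# find_cidr A.B.C.D FILE -> prints the first list entry covering the address
# (exit 0), or exit 1 if none does; comments and blank lines are skipped
find_cidr() {
    local ip file line
    ip=$1; file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ $# -eq 1 ] || continue
        if ip_in_cidr "$ip" "$1"; then
            printf '%s\n' "$1"
            return 0
        fi
    done < "$file"
    return 1
}

# Usage: sh whatsapp-check.sh 31.13.64.51 [/etc/firewall/whatsapp_cidr]
if [ $# -ge 1 ]; then
    if entry=$(find_cidr "$1" "${2:-$WHATSAPP_CIDR}"); then
        echo "$1 is allowed by list entry $entry"
    else
        echo "$1 is not in the list: a new connection to it is dropped by the FORWARD policy"
        exit 1
    fi
fi
```

If the address the phone contacts is not covered, download a fresh cidr.txt and diff it against your file before touching the firewall; if it is covered and the counters still do not move, the problem is upstream of the rules (the phone's address, its default gateway, or IPv6 taking the traffic elsewhere).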
====== References ======
  - https://www.whatsapp.com/cidr.txt
  - https://github.com/ukanth/afwall/wiki/HOWTO-blocking-WhatsApp