An extension to Lunar's Tesla scripts
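#!/bin/sh
# In lieu of block-tesla-ssh.sh
#
# Extension to Lunar's Tesla firewall scripts. Pass 1 removes every rule a
# previous run may have left behind; pass 2 reinstalls them, but only when
# FIREWALL_ON is "true".
#
# Environment:
#   FIREWALL_ON  Set by the caller, not here. Only the literal string "true"
#                installs the block rules; anything else (including unset)
#                leaves the tables cleaned up.
#
# There is deliberately no `set -e`: each -D in the cleanup pass is expected
# to fail when its rule is not present, and the script must carry on.

IPT=/sbin/iptables

# Interfaces the per-port blocks are applied to (the same three the rules
# have always covered). What each carries is not stated here; see Lunar's
# scripts. iptables does not require an interface to exist to accept -i.
BLOCK_IFACES="parrot tun0 wwan0"

# TCP destination ports rejected on every interface in BLOCK_IFACES.
#   22          Tesla ssh
#   4070 25956  Tesla cid-updater
#   7654 4035   carservice (lvs and config changes)
# APPEND_PORTS go to the end of INPUT, INSERT_PORTS to the top, in the same
# order as before.
APPEND_PORTS="22 4070 25956"
INSERT_PORTS="7654 4035"

# Custom WireGuard tunnel addresses allowed through ahead of every block.
WG_PEER=10.2.3.1/32
WG_NET=10.2.3.0/24

#######################################
# Run one iptables action for a TCP destination port on every interface in
# BLOCK_IFACES, targeting the LOG_REJECT chain.
# Globals:   IPT, BLOCK_IFACES (read)
# Arguments: $1 - iptables action (-A, -I or -D); $2 - destination port
# Returns:   status of the last iptables call
#######################################
port_rule() {
  _action=$1
  _port=$2
  # shellcheck disable=SC2086
  for _iface in $BLOCK_IFACES; do
    "$IPT" "$_action" INPUT -i "$_iface" -p tcp -m tcp --dport "$_port" -j LOG_REJECT
  done
}

# ---- Pass 1: clean up whatever a previous run installed -------------------
# Every command here may legitimately fail (rule or chain absent), so all
# output is discarded.
"$IPT" -D INPUT -p udp --dport 18466 -m string --algo bm --string 'req' -j LOG_REJECT > /dev/null 2>&1
"$IPT" -D OUTPUT -s "$WG_NET" -d "$WG_PEER" -j ACCEPT > /dev/null 2>&1
"$IPT" -D INPUT -s "$WG_PEER" -d "$WG_NET" -j ACCEPT > /dev/null 2>&1
# shellcheck disable=SC2086
for _p in $INSERT_PORTS $APPEND_PORTS; do
  port_rule -D "$_p" > /dev/null 2>&1
done
"$IPT" -D OUTPUT -p tcp --dport 4567 -m string --algo bm --string 'POST /notify' -j LOG_REJECT > /dev/null 2>&1
# Flushing empties the chain whatever its rules look like, so no per-rule -D
# is needed (and cannot get out of step with the rule specs below). -X only
# succeeds once nothing in INPUT/OUTPUT references the chain; if it fails,
# -N below fails too and the -A lines simply refill the flushed chain.
"$IPT" --flush LOG_REJECT > /dev/null 2>&1
"$IPT" -X LOG_REJECT > /dev/null 2>&1

# ---- Pass 2: install the blocks --------------------------------------------
if [ "$FIREWALL_ON" = "true" ]; then
  # Shared target chain: rate-limited log line, then reject.
  "$IPT" -N LOG_REJECT
  # The limit rule needs a -j LOG target to log anything; a rule without a
  # target only counts matches. If this kernel lacks the LOG target the
  # command fails and the chain still rejects, just without logging.
  "$IPT" -A LOG_REJECT -m limit --limit 5/min -j LOG --log-prefix "LOG_REJECT: "
  "$IPT" -A LOG_REJECT -j REJECT --reject-with icmp-port-unreachable

  # Block Tesla ssh and cid-updater. Appended, so anything inserted at the top
  # of INPUT further down (WireGuard ACCEPT, NONCE block) is evaluated first.
  # shellcheck disable=SC2086
  for _p in $APPEND_PORTS; do
    port_rule -A "$_p"
  done

  # Block message and log notification to Tesla.
  "$IPT" -I OUTPUT -p tcp --dport 4567 -m string --algo bm --string 'POST /notify' -j LOG_REJECT

  # Block traffic to carservice ports for lvs and config changes.
  # Note: stops the Tesla remote app from functioning.
  # shellcheck disable=SC2086
  for _p in $INSERT_PORTS; do
    port_rule -I "$_p"
  done

  # Allow the custom WireGuard tunnel addresses. Inserted at the top so they
  # are matched before the port blocks above (e.g. ssh over the tunnel).
  # NOTE(review): these match on address only, not on the WireGuard
  # interface, so a packet arriving on any interface with a forged 10.2.3.1
  # source is accepted ahead of every block. Add `-i <wg-interface>` to the
  # INPUT rule if the tunnel's interface name is known on this host.
  "$IPT" -I INPUT -s "$WG_PEER" -d "$WG_NET" -j ACCEPT
  "$IPT" -I OUTPUT -s "$WG_NET" -d "$WG_PEER" -j ACCEPT

  # Block NONCE traffic from Toolbox to prevent closing the diag port.
  # Inserted last, so it sits above the WireGuard ACCEPT in INPUT.
  "$IPT" -I INPUT -p udp --dport 18466 -m string --algo bm --string 'req' -j LOG_REJECT
  # Remove the NONCE block to re-enable the diag port for Toolbox:
  # "$IPT" -D INPUT -p udp --dport 18466 -m string --algo bm --string 'req' -j LOG_REJECT
fi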