I'm blocking private IPv4 addresses on my servers by default from now on
Yesterday, I was setting up a new Raspberry Pi Zero 2W in my home network. I'm going to use it to revive an old Brother printer I have lying around and install CUPS on it, so that I can use said printer as a network printer on the cheap.
I had just flashed the Pi with a headless Ubuntu and preconfigured it to connect to my home network via WiFi. I even gave it an example.local hostname so that I could talk to it as soon as I plugged it in. But the hostname didn't seem to be working when I turned it on; I couldn't SSH into the Pi from another computer on my network. That's not a big problem; I didn't know its resolved IPv4 address, but I can always just run a network scan for it.
So I jumped onto a terminal and did just that:
nmap -p22 192.168.1.0/24
Oops.
What I didn't realize was that that terminal was currently live, tunneled into one of my remote servers via ssh. This particular one was a baremetal I was renting off Hetzner. Never mind that I had a live ssh terminal left open, shame on my cow!
That must've rung alarm bells pretty swiftly over on Hetzner, because I got my server locked and isolated as a result.

Protecting myself from myself
As recommended by the support team I talked to, it's probably a good idea to block outgoing network packets from my box to the private address spaces defined in RFC 1918, especially if I don't expect my machine to be talking to other servers inside those ranges anyway. This particular one wasn't, so I didn't have a problem with it.
You can do this by setting an outgoing block in your iptables:
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Or, if you're like me and prefer using ufw:
ufw deny out to 10.0.0.0/8
ufw deny out to 172.16.0.0/12
ufw deny out to 192.168.0.0/16
I'll likely add those commands to my initialization playbook, which I follow whenever I set up bare-metal servers from scratch.
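For a playbook, the raw iptables lines above have two practical rough edges: running them twice appends duplicate rules, and `-A` places the DROP after whatever is already in the OUTPUT chain, so an earlier blanket ACCEPT would shadow it. The POSIX sh script below is an added example (not the author's playbook or Hetzner's recommendation) that generates the same three rules guarded by `iptables -C`, so a rerun is a no-op, and also includes a pure-shell `is_rfc1918` check that can be used as a pre-flight test on a scan target before an `nmap` is ever typed into the wrong terminal. It assumes iptables is installed and that `APPLY=1` is only set when running as root; all the helper names are the example's own.

```shell
#!/bin/sh
# Added example, not the blog author's script. Installs the RFC 1918
# egress block from the post idempotently, and offers a pre-flight
# check for scan targets. Assumes iptables; run with APPLY=1 as root
# to actually install, otherwise the commands are only printed.

RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip4_to_int DOTTED_QUAD -> prints the address as a 32-bit integer.
ip4_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit status 0 if IP lies inside the prefix.
in_cidr() {
    _ip=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# is_rfc1918 IP -> exit status 0 if IP is in any RFC 1918 range.
# Use as a pre-flight check before scanning: a private target from a
# rented box is almost always the wrong terminal.
is_rfc1918() {
    for _n in $RFC1918_NETS; do
        in_cidr "$1" "$_n" && return 0
    done
    return 1
}

# egress_block_rules -> prints one iptables command per range. Each
# is guarded by `iptables -C` (check), so rerunning never duplicates
# a rule. Appended with -A like the post; if your OUTPUT chain starts
# with a blanket ACCEPT, switch to -I so the DROP is evaluated first.
egress_block_rules() {
    for _n in $RFC1918_NETS; do
        printf 'iptables -C OUTPUT -d %s -j DROP 2>/dev/null || iptables -A OUTPUT -d %s -j DROP\n' \
            "$_n" "$_n"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    egress_block_rules | sh -e   # install (needs root)
else
    egress_block_rules           # dry run: show what would be installed
fi
```

A scan wrapper can call `is_rfc1918` on the target's network address and refuse to continue when it matches, which is the cheap way to get the "protect myself from myself" behaviour on the client side as well as at the firewall. The ufw variant from the post does not need the `-C` guard, since ufw itself skips a rule that already exists; what still applies is ordering, so any `ufw allow out to` rule for a private network you do legitimately talk to must be added before the deny rules.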