block-nuke-telemetry/scripts/firewall_block_nuke.sh
Nicholai 6fada7889a Initial public release - Nuke telemetry monitoring toolkit
This toolkit provides comprehensive monitoring, analysis, and blocking capabilities
for network telemetry sent by The Foundry's Nuke compositor on Linux.

Key features:
- Network monitoring scripts with automated alerts
- Multi-tier blocking methods (hosts, firewall, namespace, AppArmor)
- Detailed packet capture analysis and documentation
- EULA legal analysis and privacy assessment
- Sanitized example captures and comprehensive guides

All sensitive data (personal IPs, usernames, packet captures) has been removed; the repository is ready for public sharing on Gitea.
2025-11-26 15:28:21 -07:00


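#!/bin/bash
#
# Nuke Telemetry Firewall Blocker
# Blocks Foundry telemetry at the firewall level using iptables or nftables
#
# Usage:
#   sudo bash firewall_block_nuke.sh            # Apply blocks
#   sudo bash firewall_block_nuke.sh --restore  # Remove blocks
#   sudo bash firewall_block_nuke.sh --status   # Check current rules
#
# Requires root. Every action is appended to LOG_FILE.
set -e

# Known Foundry telemetry IPs (from packet capture analysis).
# NOTE: these are cloud (AWS) addresses observed at one point in time; they can
# be reassigned or the services can move, so re-verify them periodically and
# pair this script with the hosts/DNS-level blocking from the same toolkit.
readonly LEARN_FOUNDRY_IP="52.50.232.31" # learn.foundry.com (AWS Ireland)
readonly HONEYCOMB_IP="52.205.16.9"      # api.honeycomb.io (AWS Virginia)

# ANSI colors for terminal output (NC resets the color)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Append-only log of every action taken (written as root)
readonly LOG_FILE="/var/log/nuke_firewall_block.log"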
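#######################################
# Log a message to LOG_FILE (timestamped) and echo it to stdout.
# Globals:   LOG_FILE (read)
# Arguments: $1 - message; may contain ANSI escapes (\033[..m), which are
#            expanded for the terminal with %b and written verbatim to the file
# Outputs:   message on stdout; "[YYYY-mm-dd HH:MM:SS] message" appended to LOG_FILE
# Returns:   0; a failure to write the log file is reported on stderr but is
#            not fatal, so a logging problem cannot abort a half-applied
#            firewall change under 'set -e'
#######################################
log() {
  local msg=${1-}
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  # The script is root-checked before any log call (see check_root), so the
  # file is written directly; this also removes the dependency on sudo.
  # stderr is redirected first so a failing '>>' does not print its own error.
  if ! printf '[%s] %s\n' "$stamp" "$msg" 2>/dev/null >>"$LOG_FILE"; then
    printf 'warning: cannot write to log file %s\n' "$LOG_FILE" >&2
  fi
  # %b interprets backslash escapes the same way 'echo -e' does
  printf '%b\n' "$msg"
}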
#######################################
# Abort unless the script runs with effective UID 0.
# Globals:   EUID, RED, NC (read)
# Outputs:   error message and usage hint on stdout when not root
# Returns:   0 when root; otherwise does not return (exit 1)
#######################################
check_root() {
  [[ "$EUID" -eq 0 ]] && return 0
  echo -e "${RED}Error: This script must be run as root${NC}"
  echo "Usage: sudo bash $0"
  exit 1
}
#######################################
# Decide which firewall backend this script should drive.
# Outputs:   one of "nftables", "iptables" or "none" on stdout
# Returns:   0
#######################################
detect_firewall() {
  # nftables is chosen only when the "inet filter" table this script manages
  # already exists (substring match on 'nft list tables'); otherwise fall back
  # to iptables, which on recent distros may itself be the nft-backed shim.
  if command -v nft &>/dev/null; then
    if nft list tables 2>/dev/null | grep -q "inet filter"; then
      echo "nftables"
      return 0
    fi
  fi
  if command -v iptables &>/dev/null; then
    echo "iptables"
    return 0
  fi
  echo "none"
}
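#######################################
# Ensure one REJECT rule is present in the iptables OUTPUT chain (idempotent).
# Globals:   YELLOW, NC (read)
# Arguments: $1 - human-readable description for the log
#            $@ - (after shift) the iptables match/target arguments
# Outputs:   progress via log()
# Returns:   0 if the rule exists afterwards; under 'set -e' a failing
#            'iptables -A' aborts the script
#######################################
_iptables_block() {
  local what=$1
  shift
  if iptables -C OUTPUT "$@" 2>/dev/null; then
    log "${YELLOW}Rule for $what already exists, skipping...${NC}"
  else
    iptables -A OUTPUT "$@"
    log "Blocked $what"
  fi
}

#######################################
# Apply the Foundry telemetry blocks with iptables and try to persist them.
# Globals:   LEARN_FOUNDRY_IP, HONEYCOMB_IP, GREEN, YELLOW, NC (read)
# Outputs:   progress via log()
# Returns:   0 on success; exits (set -e) if an iptables/iptables-save call fails
#######################################
apply_iptables_blocks() {
  log "${GREEN}Applying iptables blocks...${NC}"
  # Each rule is checked individually, so a partially applied earlier run
  # (e.g. interrupted after the first rule) is completed instead of skipped.
  # Block learn.foundry.com
  _iptables_block "$LEARN_FOUNDRY_IP (learn.foundry.com)" \
    -d "$LEARN_FOUNDRY_IP" -j REJECT --reject-with icmp-host-unreachable
  # Block api.honeycomb.io
  _iptables_block "$HONEYCOMB_IP (api.honeycomb.io)" \
    -d "$HONEYCOMB_IP" -j REJECT --reject-with icmp-host-unreachable
  # sentry.foundry.com has no fixed IP here, so match the hostname in the
  # payload of outbound TCP/443 (it is sent in cleartext in the TLS ClientHello
  # SNI). Best effort only: the match needs the name in one unencrypted packet.
  _iptables_block "sentry.foundry.com (HTTPS string match)" \
    -p tcp --dport 443 -m string --string "sentry.foundry.com" --algo bm -j REJECT --reject-with tcp-reset
  # Make persistent. NOTE: iptables-save dumps the *entire* live ruleset, so the
  # saved file also carries any unrelated rules that are active right now.
  if [ -d "/etc/iptables" ]; then
    iptables-save > /etc/iptables/iptables.rules
    log "Rules saved to /etc/iptables/iptables.rules"
    # Debian/Ubuntu iptables-persistent restores rules.v4, not iptables.rules;
    # refresh it too when it is present so the rules survive a reboot there.
    if [ -f /etc/iptables/rules.v4 ]; then
      iptables-save > /etc/iptables/rules.v4
      log "Rules saved to /etc/iptables/rules.v4"
    fi
    # 'systemctl is-enabled' only reports state; call enable directly and treat
    # failure (unit absent, no systemd) as a warning rather than an error.
    if ! systemctl enable iptables.service &>/dev/null; then
      log "${YELLOW}Could not enable iptables.service; rules may not be restored at boot${NC}"
    fi
  else
    log "${YELLOW}Warning: /etc/iptables/ directory not found. Rules may not persist across reboots.${NC}"
    log "${YELLOW}Consider installing iptables-persistent or enabling iptables.service${NC}"
  fi
}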
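#######################################
# Ensure one 'ip daddr <ip> counter reject' rule exists in the nftables
# inet/filter/output chain (idempotent).
# Globals:   YELLOW, NC (read)
# Arguments: $1 - destination IPv4 address
#            $2 - human-readable name for the log
# Outputs:   progress via log()
# Returns:   0 if the rule exists afterwards; under 'set -e' a failing
#            'nft add rule' aborts the script
#######################################
_nft_block_ip() {
  local ip=$1
  local what=$2
  # -F: the dots in the IP are literal; -w: do not match a longer address that
  # merely contains this one as a suffix.
  if nft list chain inet filter output 2>/dev/null | grep -qFw -- "$ip"; then
    log "${YELLOW}nftables rule for $what already exists, skipping...${NC}"
  else
    nft add rule inet filter output ip daddr "$ip" counter reject
    log "Blocked $ip ($what)"
  fi
}

#######################################
# Apply the Foundry telemetry blocks with nftables and persist them.
# Globals:   LEARN_FOUNDRY_IP, HONEYCOMB_IP, GREEN, YELLOW, NC (read)
# Outputs:   progress via log(); rewrites /etc/nftables.conf
# Returns:   0 on success; exits (set -e) if an nft call or the save fails
#######################################
apply_nftables_blocks() {
  log "${GREEN}Applying nftables blocks...${NC}"
  # Create table and chain if they don't exist. Errors are ignored so an
  # already-existing chain (possibly with a different hook spec) does not
  # abort the run.
  nft add table inet filter 2>/dev/null || true
  nft add chain inet filter output { type filter hook output priority 0 \; } 2>/dev/null || true
  # Each rule is checked individually, so a partially applied earlier run is
  # completed instead of skipped.
  _nft_block_ip "$LEARN_FOUNDRY_IP" "learn.foundry.com"
  _nft_block_ip "$HONEYCOMB_IP" "api.honeycomb.io"
  # nftables has no payload string match comparable to iptables' -m string, so
  # sentry.foundry.com has to be handled at the DNS/hosts layer.
  log "${YELLOW}Note: sentry.foundry.com blocking requires DNS/hosts file (nftables limitation)${NC}"
  # Make persistent. NOTE: this overwrites /etc/nftables.conf with the *entire*
  # live ruleset. The leading 'flush ruleset' makes the file re-applicable
  # (nft -f / service reload) without duplicating rules.
  {
    printf 'flush ruleset\n'
    nft list ruleset
  } > /etc/nftables.conf
  log "Rules saved to /etc/nftables.conf"
  # 'systemctl is-enabled' only reports state; call enable directly and treat
  # failure (unit absent, no systemd) as a warning rather than an error.
  if ! systemctl enable nftables.service &>/dev/null; then
    log "${YELLOW}Could not enable nftables.service; rules may not be restored at boot${NC}"
  fi
}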
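#######################################
# Delete every copy of one rule from the iptables OUTPUT chain.
# Arguments: $@ - the iptables match/target arguments
# Returns:   0 (a rule that is absent is not an error)
#######################################
_iptables_drop_output_rule() {
  # 'iptables -D' removes only one instance per call; loop while a match remains.
  while iptables -C OUTPUT "$@" 2>/dev/null; do
    iptables -D OUTPUT "$@" 2>/dev/null || break
  done
}

#######################################
# Remove the Foundry telemetry blocks from iptables and re-save the ruleset.
# Globals:   LEARN_FOUNDRY_IP, HONEYCOMB_IP, YELLOW, NC (read)
# Outputs:   progress via log()
# Returns:   0; exits (set -e) if iptables-save fails
#######################################
remove_iptables_blocks() {
  log "${YELLOW}Removing iptables blocks...${NC}"
  # Remove the specific rules (all copies, in case they were added twice)
  _iptables_drop_output_rule -d "$LEARN_FOUNDRY_IP" -j REJECT --reject-with icmp-host-unreachable
  _iptables_drop_output_rule -d "$HONEYCOMB_IP" -j REJECT --reject-with icmp-host-unreachable
  _iptables_drop_output_rule -p tcp --dport 443 -m string --string "sentry.foundry.com" --algo bm -j REJECT --reject-with tcp-reset
  log "iptables blocks removed"
  # Save updated rules. NOTE: iptables-save dumps the whole live ruleset.
  if [ -d "/etc/iptables" ]; then
    iptables-save > /etc/iptables/iptables.rules
    # Debian/Ubuntu iptables-persistent restores rules.v4; refresh it when present
    if [ -f /etc/iptables/rules.v4 ]; then
      iptables-save > /etc/iptables/rules.v4
    fi
    log "Updated rules saved"
  fi
}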
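#######################################
# Delete every rule in inet/filter/output whose text contains the given IP.
# Arguments: $1 - destination IPv4 address to look for
# Returns:   0 (a missing chain or rule is not an error)
#######################################
_nft_delete_rules_for() {
  local handle
  # 'nft -a' appends "# handle N" to each rule, so the last field is the handle.
  # grep -Fw: literal dots, and no match on a longer address ending in this one.
  # read -r: never interpret backslashes in the parsed output.
  while IFS= read -r handle; do
    [ -n "$handle" ] || continue
    nft delete rule inet filter output handle "$handle" 2>/dev/null || true
  done < <(nft -a list chain inet filter output 2>/dev/null | grep -Fw -- "$1" | awk '{print $NF}')
}

#######################################
# Remove the Foundry telemetry blocks from nftables and re-save the ruleset.
# Globals:   LEARN_FOUNDRY_IP, HONEYCOMB_IP, YELLOW, NC (read)
# Outputs:   progress via log(); rewrites /etc/nftables.conf
# Returns:   0; exits (set -e) if the save fails
#######################################
remove_nftables_blocks() {
  log "${YELLOW}Removing nftables blocks...${NC}"
  # Get rule handles and delete
  _nft_delete_rules_for "$LEARN_FOUNDRY_IP"
  _nft_delete_rules_for "$HONEYCOMB_IP"
  log "nftables blocks removed"
  # Save updated rules. NOTE: this overwrites /etc/nftables.conf with the whole
  # live ruleset; 'flush ruleset' first so the file re-applies without duplicates.
  {
    printf 'flush ruleset\n'
    nft list ruleset
  } > /etc/nftables.conf
  log "Updated rules saved"
}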
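#######################################
# Print the detected firewall, any Nuke-related rules, and an ICMP reachability
# probe of the blocked IPs.
# Globals:   LEARN_FOUNDRY_IP, HONEYCOMB_IP, GREEN, RED, NC (read)
# Outputs:   status report on stdout (and via log())
# Returns:   0
#######################################
show_status() {
  local firewall
  firewall=$(detect_firewall)
  log "${GREEN}=== Firewall Status ===${NC}"
  log "Active firewall: $firewall"
  echo ""
  if [ "$firewall" = "iptables" ]; then
    log "iptables OUTPUT chain (Nuke-related rules):"
    # -F: match the IPs and hostname literally (dots are not regex wildcards)
    iptables -L OUTPUT -v -n | grep -F -e "$LEARN_FOUNDRY_IP" -e "$HONEYCOMB_IP" -e "sentry.foundry.com" || echo "No Nuke blocking rules found"
  elif [ "$firewall" = "nftables" ]; then
    log "nftables rules (Nuke-related):"
    nft list chain inet filter output 2>/dev/null | grep -F -e "$LEARN_FOUNDRY_IP" -e "$HONEYCOMB_IP" || echo "No Nuke blocking rules found"
  else
    log "${RED}No firewall detected${NC}"
  fi
  echo ""
  # ICMP reachability is only an approximation: a REJECT on the IP does stop
  # ping, but a host that simply ignores ICMP gives no reply either. Report
  # "no reply" honestly; the rule listing above is the authoritative check.
  log "Testing connectivity to blocked IPs (ICMP, 2s timeout):"
  local ip
  for ip in "$LEARN_FOUNDRY_IP" "$HONEYCOMB_IP"; do
    if timeout 2 ping -c 1 "$ip" &>/dev/null; then
      echo " $ip: REACHABLE (NOT BLOCKED)"
    else
      echo " $ip: NO REPLY (blocked, or host not answering ping)"
    fi
  done
}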
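#######################################
# Print the command-line synopsis.
# Outputs:   usage text on stdout
#######################################
_usage() {
  echo "Usage: sudo bash $0 [--status | --restore | --remove | --help]"
  echo "  (no option)  apply the firewall blocks (asks for confirmation)"
  echo "  --status     show current Nuke-related rules and reachability"
  echo "  --restore    remove the blocks (--remove is an alias)"
}

#######################################
# Entry point: dispatch on the first argument.
# Globals:   RED, GREEN, YELLOW, NC, LOG_FILE (read)
# Arguments: $1 - --restore/--remove, --status, -h/--help, or nothing (apply)
# Returns:   0 on success, 1 when no firewall is found, 2 on an unknown option
#######################################
main() {
  # Help needs no privileges, so handle it before the root check.
  case "${1-}" in
    -h|--help)
      _usage
      return 0
      ;;
  esac
  check_root
  local firewall
  firewall=$(detect_firewall)
  case "${1-}" in
    --restore|--remove)
      log "${YELLOW}=== Removing Nuke Telemetry Blocks ===${NC}"
      if [ "$firewall" = "iptables" ]; then
        remove_iptables_blocks
      elif [ "$firewall" = "nftables" ]; then
        remove_nftables_blocks
      else
        log "${RED}No firewall detected, nothing to remove${NC}"
        exit 1
      fi
      log "${GREEN}Blocks removed successfully${NC}"
      ;;
    --status)
      show_status
      ;;
    '')
      log "${GREEN}=== Nuke Telemetry Firewall Blocker ===${NC}"
      log "This will block Foundry telemetry at the firewall level"
      log "Known endpoints: learn.foundry.com, api.honeycomb.io, sentry.foundry.com"
      echo ""
      if [ "$firewall" = "none" ]; then
        log "${RED}Error: No firewall detected${NC}"
        log "Install iptables or nftables first:"
        log " Arch: sudo pacman -S iptables-nft"
        log " Ubuntu: sudo apt install iptables"
        exit 1
      fi
      log "Detected firewall: $firewall"
      echo ""
      # -r: do not interpret backslashes; EOF on stdin (no tty) counts as "no"
      local confirm
      if ! read -r -p "Continue? (y/n): " confirm; then
        confirm=""
      fi
      if [ "$confirm" != "y" ]; then
        log "Aborted"
        exit 0
      fi
      if [ "$firewall" = "iptables" ]; then
        apply_iptables_blocks
      elif [ "$firewall" = "nftables" ]; then
        apply_nftables_blocks
      fi
      log ""
      log "${GREEN}✓ Firewall blocks applied successfully${NC}"
      log ""
      log "Verify with: sudo bash $0 --status"
      log "Remove with: sudo bash $0 --restore"
      log ""
      log "Log file: $LOG_FILE"
      ;;
    *)
      # An unrecognised argument must not fall through to "apply blocks":
      # a typo should never silently change the firewall.
      echo "Error: unknown option '$1'" >&2
      _usage >&2
      exit 2
      ;;
  esac
}
main "$@"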