From 83d7535d84791cf27e0d1ded5fe700233947a1d9 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Wed, 4 Jun 2025 14:06:27 +0200
Subject: [PATCH] turn: add outbound ratelimit

coturn will send 401 when receiving UDP packets with forged source IP. this can cause a flood of 401s at the victim. the primary concern appears to be that these packets are quite large compared to handshake packets below. TCP is also affected but effects are minimal because they will get discarded at the connection handshake level. UDP/TLS (DTLS) has similar handshake mechanism of TCP and effects are minimal. https://forum.cloudron.io/topic/13855/reflection-attack-via-stun-turn https://github.com/coturn/coturn/pull/1588
---
setup/start/cloudron-firewall.sh | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 2e2efd34c..919cacfd5 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -187,3 +187,15 @@ $ip6tables -t filter -C INPUT -j CLOUDRON_RATELIMIT 2>/dev/null || $ip6tables -t
 # Workaround issue where Docker insists on adding itself first in FORWARD table
 ipxtables -D FORWARD -j CLOUDRON_RATELIMIT || true
 ipxtables -I FORWARD 1 -j CLOUDRON_RATELIMIT
+
+echo "==> Adding cloudron output chain"
+ipxtables -t filter -N CLOUDRON_OUTPUT || true
+ipxtables -t filter -F CLOUDRON_OUTPUT # empty any existing rules
+
+# turn - mitigate reflection/amplification attack with UDP . The 5349 port is DTLS/UDP and not affected. https://github.com/coturn/coturn/pull/1588
+# hashlimit-above is applied _after_ allowing a hashlimit-burst
+sudo iptables -t filter -A CLOUDRON_OUTPUT -p udp --sport 3478 -m hashlimit --hashlimit-name turn-401 --hashlimit-above 10/second --hashlimit-burst 30 --hashlimit-mode dstip -j CLOUDRON_RATELIMIT_LOG
+
+# Add the ouput rate limit chain to output chain
+$iptables -t filter -C OUTPUT -j CLOUDRON_OUTPUT 2>/dev/null || $iptables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT
+$ip6tables -t filter -C INPUT -j CLOUDRON_OUTPUT 2>/dev/null || $ip6tables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT
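Review bot: The IPv6 jump on the last added line checks `-C INPUT -j CLOUDRON_OUTPUT` but inserts into OUTPUT, so the existence check never matches and a duplicate `-j CLOUDRON_OUTPUT` is inserted at position 1 of the ip6tables OUTPUT chain on every run of the script; it should read `$ip6tables -t filter -C OUTPUT -j CLOUDRON_OUTPUT 2>/dev/null || $ip6tables -t filter -I OUTPUT 1 -j CLOUDRON_OUTPUT`. The hashlimit rule itself is added with a literal `sudo iptables` instead of the `ipxtables`/`$iptables` wrappers used on the surrounding lines, so the IPv6 CLOUDRON_OUTPUT chain is created and hooked but stays empty and UDP/3478 replies over IPv6 are not rate-limited at all; `ipxtables -t filter -A CLOUDRON_OUTPUT -p udp --sport 3478 -m hashlimit --hashlimit-name turn-401 --hashlimit-above 10/second --hashlimit-burst 30 --hashlimit-mode dstip -j CLOUDRON_RATELIMIT_LOG` would apply it to both families, and `dstip` mode is valid under ip6tables as well. Since the limit is keyed on destination IP, all legitimate TURN clients behind one NAT address share the 10/second-plus-30-burst budget, which is worth stating in the comment (e.g. `# keyed per destination IP: clients behind a shared NAT share this budget`) before anyone tightens the thresholds. The `CLOUDRON_RATELIMIT_LOG` target is presumably defined earlier in the file, outside this hunk, and the comment `# Add the ouput rate limit chain` has a typo ("output").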