summaryrefslogtreecommitdiffstats
path: root/roles/common/files/usr
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2013-11-03 05:54:11 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:35 +0200
commit2bcaaf01a5fcc2d2ce618da6af30a43a70d03d80 (patch)
tree020bd450fbc622e49c7284f70785749c31aa4429 /roles/common/files/usr
parent6c30a3f5a131b6e628b588c0723d5e5374e115e1 (diff)
Use a dedicated, non-routable, IPv4 for IPSec.
At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
Diffstat (limited to 'roles/common/files/usr')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh71
1 files changed, 57 insertions, 14 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 8530277..54a66e8 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -61,12 +61,26 @@ iptables() {
# iptables-restore(8) instead.
echo "$@" >> "$new";
}
+commit() {
+ # End a table
+ echo COMMIT >> "$new"
+}
inet46() {
case "$1" in
4) echo "$2";;
6) echo "$3";;
esac
}
+ipt-chains() {
+ # Define new (tables and) chains.
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ ?*:*) echo ":${1%:*} ${1##*:} [0:0]";;
+ ?*) echo "*$1";;
+ esac
+ shift
+ done >> "$new"
+}
ipt-trim() {
# Remove dynamic chain/rules from the input stream, as they are
@@ -134,15 +148,17 @@ run() {
| sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" )
# The (host-scoped) IP reserved for IPSec.
- local ipsec=
+ local ipsec= secmark
if [ -n "$ifsec" -a $f = 4 ]; then
tables+=( [$f]=' mangle nat' )
ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
| sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
+ secmark=0x1
fi
# Store the old (current) ruleset
- local old=$(mktemp -t current-rules.v$f.XXXXXX)
+ local old=$(mktemp -t current-rules.v$f.XXXXXX) \
+ new=$(mktemp -t new-rules.v$f.XXXXXX)
for table in ${tables[$f]}; do
$ipt-save -ct $table
done > "$old"
@@ -156,14 +172,35 @@ run() {
fail2ban=1
fi
+ if [ -n "$ipsec" ]; then
+ # We DNAT the IPSec paquets to $ipsec after decapsulation, and
+ # SNAT them before encapsulation. We need to do the NAT'ing
+ # before packets enter the IPSec stack because they are signed
+ # afterwards, and NAT'ing would mess up the signature.
+ ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \
+ FORWARD:DROP \
+ OUTPUT:ACCEPT POSTROUTING:ACCEPT
+ # Mark all IPSec packets to keep track of them and NAT them
+ # after decapsulation. Unmarked packets that are to be sent to
+ # $ipsec are dropped.
+ iptables -A PREROUTING -p esp -j MARK --set-mark $secmark
+ iptables -A INPUT -d "$ipsec" -m mark \! --mark $secmark -j DROP
+ commit
+
+ ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
+ OUTPUT:ACCEPT POSTROUTING:ACCEPT
+ # DNAT all marked packets that have been decapsulated. Packets
+ # originating from our IPSec are SNAT'ed (MASQUERADE). We cannot
+ # mark them here (it won't survivethe NAT'ing), but any reply
+ # not going through IPSec would be dropped (since unmarked).
+ iptables -A PREROUTING \! -p esp -m mark --mark "$secmark" \
+ -j DNAT --to "${ipsec%/*}"
+ iptables -A POSTROUTING -s "$ipsec" -j MASQUERADE
+ commit
+ fi
+
# The usual chains in filter, along with the desired default policies.
- local new=$(mktemp -t new-rules.v$f.XXXXXX)
- cat > "$new" <<- EOF
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT DROP [0:0]
- EOF
+ ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP
if [ -z "$if" ]; then
# If the interface is not configured, we stop here and DROP all
@@ -238,6 +275,14 @@ run() {
iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT
iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
+ if [ -n "$ipsec" ]; then
+ # ACCEPT any, *marked* traffic destinating to the non-routable
+ # $ipsec. Also ACCEPT all traffic originating from $ipsec, as it
+ # is MASQUERADE'd.
+ iptables -A INPUT -i "$if" -d "$ipsec" -m mark --mark "$secmark" -j ACCEPT
+ iptables -A OUTPUT -s "$ipsec" -o "$if" -j ACCEPT
+ fi
+
# Prepare fail2ban. We make fail2ban insert its rules in a dedicated
# chain, so that it doesn't mess up the existing rules.
[ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
@@ -296,11 +341,9 @@ run() {
done
########################################################################
+ commit
- # Commit the table 'filter'.
- echo COMMIT >> "$new"
-
local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
local oldz=$(mktemp -t current-rules.v$f.XXXXXX)
@@ -311,7 +354,7 @@ run() {
-e 's/^\[[0-9]+:[0-9]+\]\s+//' \
"$old" > "$oldz"
- /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore
+ /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore || ipt-revert
for table in ${tables[$f]}; do
/bin/ip netns exec $netns $ipt-save -t $table
@@ -327,7 +370,7 @@ run() {
local update="Please run '${0##*/}'."
if [ $check -eq 0 ]; then
- /usr/bin/uniq "$new" | $ipt-restore
+ /usr/bin/uniq "$new" | $ipt-restore || ipt-revert
else
if [ $rv1 -ne 0 ]; then
log "WARN: The IPv$f firewall is not up to date! $update"