summaryrefslogtreecommitdiffstats
path: root/roles/common/templates
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-01-23 04:29:12 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-01-23 05:57:01 +0100
commit7641a5d5d152db349082b1d0ec93a40888b2ef8e (patch)
tree3f80c14c0e50b187a6698346cf8cffb9c5200154 /roles/common/templates
parent456e09fa40d01b70ac1788d0338fba00079e4121 (diff)
Convert firewall to nftables.
Debian Buster uses the nftables framework by default.
Diffstat (limited to 'roles/common/templates')
-rw-r--r--roles/common/templates/etc/ipsec.conf.j22
-rw-r--r--roles/common/templates/etc/iptables/services.j248
-rwxr-xr-xroles/common/templates/etc/network/if-up.d/ipsec.j211
-rwxr-xr-xroles/common/templates/etc/nftables.conf.j2193
4 files changed, 199 insertions, 55 deletions
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index 0ff9fbb..6b3840f 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -20,7 +20,7 @@ conn %default
leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32
leftid = {{ inventory_hostname }}
leftsigkey = {{ inventory_hostname_short }}.pem
- leftfirewall = yes
+ leftfirewall = no
lefthostaccess = yes
rightauth = pubkey
auto = route
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
deleted file mode 100644
index 6dd5aae..0000000
--- a/roles/common/templates/etc/iptables/services.j2
+++ /dev/null
@@ -1,48 +0,0 @@
-# {{ ansible_managed }}
-# Do NOT edit this file directly!
-#
-# direction protocol destination port source port
-# (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port)
-
-{% if groups.all | length > 1 %}
-inout udp 500 500 # ISAKMP
-{% if groups.NATed | length > 0 %}
-inout4 udp 4500 4500 # IPsec NAT Traversal
-{% endif %}
-{% endif %}
-
-out tcp 80,443 # HTTP/HTTPS
-out udp 53 # DNS
-out tcp 53 # DNS
-out udp 67 # DHCP
-out tcp 22 # SSH
-out udp 123 123 # NTP
-
-in tcp {{ ansible_port|default('22') }} # SSH
-{% if 'LDAP-provider' in group_names %}
-in tcp 636 # LDAPS
-{% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %}
-out tcp 636 # LDAPS
-{% endif %}
-{% if 'MX' in group_names %}
-in tcp 25 # SMTP
-{% endif %}
-{% if 'out' in group_names or 'MSA' in group_names %}
-out tcp 25 # SMTP
-{% endif %}
-{% if 'IMAP' in group_names %}
-in tcp 993 # IMAPS
-in tcp 4190 # MANAGESIEVE
-out tcp 2703 # Razor2
-{% endif %}
-{% if 'MSA' in group_names %}
-in tcp 465 # SMTP-AUTH
-in tcp 587 # SMTP-AUTH
-{% endif %}
-{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %}
-in tcp 80,443 # HTTP/HTTPS
-{% endif %}
-{% if 'LDAP-provider' in group_names %}
-out tcp 11371 # HKP
-out tcp 43 # WHOIS
-{% endif %}
diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2
index caa5129..9f183d3 100755
--- a/roles/common/templates/etc/network/if-up.d/ipsec.j2
+++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2
@@ -25,10 +25,9 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin
# Only the device with the default, globally-scoped route, is of
# interest here.
-ip="$( ip -4 -o route show to default scope global \
- | sed -nr '/^default via (\S+) dev (\S+).*/ {s//\2 \1/p;q}' )"
-[ "${ip% *}" = "$IFACE" ] || exit 0
-ip="${ip##* }"
+iface="$( ip -o route show to default scope global \
+ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )"
+[ "$iface" = "$IFACE" ] || exit 0
vip="{{ ipsec[inventory_hostname_short] }}"
vsubnet="{{ ipsec_subnet }}"
@@ -39,9 +38,9 @@ case "$MODE" in
# in the absence of xfrm lookup (i.e., when there is no
# matching IPsec Security Association).
ip route replace prohibit "$vsubnet" proto static || true
- ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true
+ ip route replace table 220 to "$vsubnet" dev "$IFACE" proto static src "$vip" || true
;;
- stop) ip route del table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true
+ stop) ip route del table 220 to "$vsubnet" dev "$IFACE" proto static src "$vip" || true
ip route del prohibit "$vsubnet" proto static || true
ip address del "$vip/32" dev "$IFACE" scope global || true
esac
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
new file mode 100755
index 0000000..1e1fde2
--- /dev/null
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -0,0 +1,193 @@
+#!/usr/sbin/nft -f
+
+define in-tcp-ports = {
+ {{ ansible_port|default(22) }}
+{% if 'MX' in group_names %}
+ , 25 # SMTP
+{% endif %}
+{% if 'LDAP-provider' in group_names %}
+ , 636 # ldaps
+{% endif %}
+{% if 'IMAP' in group_names %}
+ , 993 # imaps
+ , 4190 # ManageSieve
+{% endif %}
+{% if 'MSA' in group_names %}
+ , 587 # submission [RFC4409]
+ , 465 # submission over TLS [RFC8314]
+{% endif %}
+{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %}
+ , 80 # HTTP
+ , 443 # HTTP over SSL/TLS
+{% endif %}
+}
+
+define out-tcp-ports = {
+ 22
+ , 80 # HTTP
+ , 443 # HTTP over SSL/TLS
+{% if 'out' in group_names or 'MSA' in group_names %}
+ , 25 # SMTP
+{% endif %}
+{% if 'LDAP-provider' in group_names %}
+ , 11371 # OpenPGP HTTP Keyserver
+ , 43 # whois
+{% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %}
+ , 636 # ldaps
+{% endif %}
+{% if 'IMAP' in group_names %}
+ , 2703 # Razor2
+{% endif %}
+}
+
+
+###############################################################################
+
+flush ruleset
+
+table inet filter {
+ # blackholes
+ set fail2ban { type ipv4_addr; timeout 10m; }
+ set fail2ban6 { type ipv6_addr; timeout 10m; }
+
+ chain input {
+ type filter hook input priority 0
+ policy drop
+
+ iif lo accept
+
+ # XXX Bullseye: this is a hack for the lack of reqid matches in
+ # nftables: we mark the esp packet and accept after decapsulation
+ # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
+ # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
+ define IPsec.mark = 0x220
+ meta l4proto esp mark set mark | $IPsec.mark accept
+ ip saddr 172.16.0.0/24 ip daddr 172.16.0.7 mark & $IPsec.mark == $IPsec.mark accept
+
+ # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options)
+ icmp type { echo-reply, echo-request, destination-unreachable } counter accept
+ icmpv6 type { echo-reply, echo-request, destination-unreachable,
+ packet-too-big, time-exceeded, parameter-problem } counter accept
+
+ # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1
+ icmpv6 type { 133,134,135,136,141,142 } ip6 hoplimit 255 counter accept
+
+ jump martian
+ jump invalid
+
+ udp sport 123 udp dport 123 ct state related,established accept
+{% if groups.all | length > 1 %}
+ udp sport 500 udp dport 500 ct state new,related,established accept
+{% if groups.NATed | length > 0 %}
+ udp sport 4500 udp dport 4500 ct state new,related,established accept
+{% endif %}
+{% endif %}
+
+ udp sport 53 ct state related,established accept
+ tcp sport 53 ct state related,established accept
+{% if 'dhclient' in group_names %}
+ udp sport 67 ct state related,established accept
+{% endif %}
+
+ meta l4proto tcp ip saddr @fail2ban counter drop
+ meta l4proto tcp ip6 saddr @fail2ban6 counter drop
+
+ tcp dport $in-tcp-ports ct state related,established accept
+ tcp dport $in-tcp-ports ct state new counter accept
+ tcp sport $out-tcp-ports ct state related,established accept
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy drop
+
+ oif lo accept
+
+ # XXX Bullseye: unlike for input we can't use marks here,
+ # because by the time we see a packet to 172.16.0.0/24 we don't
+ # know if it'll be encapsulated
+ meta l4proto esp accept
+ ip saddr 172.16.0.7 ip daddr 172.16.0.0/24 accept
+
+ meta l4proto { icmp, icmpv6 } accept
+
+ jump martian
+ jump invalid
+
+ udp sport 123 udp dport 123 ct state new,related,established accept
+ udp sport 500 udp dport 500 ct state new,related,established accept
+ udp sport 4500 udp dport 4500 ct state new,related,established accept
+
+ udp dport 53 ct state new,related,established accept
+ tcp dport 53 ct state new,related,established accept
+{% if 'dhclient' in group_names %}
+ udp dport 67 ct state new,related,established accept
+{% endif %}
+
+ tcp sport $in-tcp-ports ct state related,established accept
+ tcp dport $out-tcp-ports ct state related,established accept
+ tcp dport $out-tcp-ports ct state new counter accept
+
+ meta l4proto tcp counter reject with tcp reset
+ meta l4proto udp counter reject
+ counter reject
+ }
+
+ chain martian {
+ # bogon filter (cf. RFC 6890 for non-global ip addresses)
+ define invalid-ip = {
+ 0.0.0.0/8 # this host, on this network (RFC 1122 sec. 3.2.1.3)
+{% if not ansible_default_ipv4.address | ipaddr('10.0.0.0/8') %}
+ , 10.0.0.0/8 # private-use (RFC 1918)
+{% endif %}
+ , 100.64.0.0/10 # shared address space (RFC 6598)
+ , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3)
+ , 169.254.0.0/16 # link local (RFC 3927)
+{% if not ansible_default_ipv4.address | ipaddr('172.16.0.0/12') %}
+ , 172.16.0.0/12 # private-use (RFC 1918)
+{% endif %}
+ , 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1)
+ , 192.0.2.0/24 # documentation (RFC 5737)
+{% if not ansible_default_ipv4.address | ipaddr('192.168.0.0/16') %}
+ , 192.168.0.0/16 # private-use (RFC 1918)
+{% endif %}
+ , 198.18.0.0/15 # benchmarking (RFC 2544)
+ , 198.51.100.0/24 # documentation (RFC 5737)
+ , 203.0.113.0/24 # documentation (RFC 5737)
+ , 240.0.0.0/4 # reserved (RFC 1112, sec. 4)
+ , 255.255.255.255/32 # limited broadcast (RFC 0919, section 7)
+ }
+
+ define invalid-ip6 = {
+ ::1/128 # loopback address (RFC 4291)
+ , ::/128 # unspecified (RFC 4291)
+ , ::ffff:0:0/96 # IPv4-mapped address (RFC 4291)
+ , 100::/64 # discard-only address block (RFC 6666)
+ , 2001::/23 # IETF protocol assignments (RFC 2928)
+ , 2001::/32 # TEREDO (RFC 4380)
+ , 2001:2::/48 # benchmarking (RFC 5180)
+ , 2001:db8::/32 # documentation (RFC 3849)
+ , 2001:10::/28 # ORCHID (RFC 4843)
+ , 2002::/16 # 6to4 (RFC 3056)
+ , fc00::/7 # unique-local (RFC 4193)
+ , fe80::/10 # linked-scoped unicast (RFC 4291)
+ }
+
+ ip saddr $invalid-ip counter drop
+ ip daddr $invalid-ip counter drop
+
+ ip6 saddr $invalid-ip6 counter drop
+ ip6 daddr $invalid-ip6 counter drop
+ }
+
+ chain invalid {
+ ct state invalid counter reject
+
+ # drop bogus TCP packets
+ tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packets
+ tcp flags != syn ct state new counter drop # SYN-flood attacks
+ tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop # XMAS packets
+ tcp flags & (fin|syn) == fin|syn counter drop # bogus
+ tcp flags & (syn|rst) == syn|rst counter drop # bogus
+ }
+}