summaryrefslogtreecommitdiffstats
path: root/roles/common
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2013-11-04 00:31:43 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:38 +0200
commit67c5135625d3553dcb6f2bfc193df24c0e1ab826 (patch)
tree21d5c3c18a1531e445cd1c0dad9ac76a358f7321 /roles/common
parentad9c840c40d923e0fd1b04a57274cc2ec2e381ec (diff)
Prohibit binding against the IP reserved for IPSec.
Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
Diffstat (limited to 'roles/common')
-rwxr-xr-xroles/common/files/etc/network/if-up.d/ipsec44
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh29
-rw-r--r--roles/common/tasks/ipsec.yml4
3 files changed, 50 insertions, 27 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
index e21d6ea..98bf42c 100755
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ b/roles/common/files/etc/network/if-up.d/ipsec
@@ -11,8 +11,11 @@
set -ue
PATH=/usr/sbin:/usr/bin:/sbin:/bin
-if=sec0
-ip=172.16.0.1/32
+ifsec=sec0
+ipsec=172.16.0.1/32
+
+# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh.
+secmark=0xA99
# Ignore the loopback interface and non inet4 families.
[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
@@ -25,20 +28,29 @@ ip=172.16.0.1/32
"$IFACE" ] || exit 0
case "$MODE" in
- start) # Don't create $if if it's already there
- /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" && exit 0
-
- # Create a new VLAN $IFACE on physical device $if. This is
- # required otherwise charon thinks the left peer is that
- # host-scoped, non-routable IP.
- /bin/ip link add link "$IFACE" name "$if" type vlan id 2713
- /bin/ip address add "$ip" dev "$if" scope host
- /bin/ip link set dev "$if" up
+ start) # Don't create $ifsec if it's already there
+ if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
+ # Create a new VLAN $IFACE on physical device $ifsec. This is
+ # required otherwise charon thinks the left peer is that
+ # host-scoped, non-routable IP.
+ /bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713
+ /bin/ip address add "$ipsec" dev "$ifsec" scope host
+ /bin/ip link set dev "$ifsec" up
+ fi
+
+ # If a packet retained its mark that far, it means it has
+ # been SNAT'ed from $ipsec, and didn't have a xfrm
+ # association. Hence we nullroute it to avoid leaking data.
+ /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true
+ /bin/ip route add prohibit default table 666 || true
;;
- stop) # Don't create $if if it's no there
- /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" || exit 0
-
- # Deactivate the VLAN
- /bin/ip link set dev "$if" down
+ stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
+ # Deactivate the VLAN
+ /bin/ip link set dev "$ifsec" down
+ fi
+
+ # Delete the 'prohibit' rule
+ /bin/ip rule del fwmark "$secmark" table 666 priority 666 || true
+ /bin/ip route flush table 666
;;
esac
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index a8123f9..0907ffc 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -147,11 +147,13 @@ run() {
| sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" )
# The (host-scoped) IP reserved for IPSec.
- local ipsec=
+ local ipsec= secmark
if [ -n "$ifsec" -a $f = 4 ]; then
tables[$f]='mangle nat filter'
ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
| sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
+ # /!\ This mark much match that in /etc/network/if-up.d/ipsec.
+ secmark=0xA99
fi
# Store the old (current) ruleset
@@ -251,7 +253,7 @@ run() {
# $ipsec. Also ACCEPT all traffic originating from $ipsec, as
# it is MASQUERADE'd.
iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT
- iptables -A OUTPUT -s "$ipsec" -o $if -j ACCEPT
+ iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT
fi
# Prepare fail2ban. We make fail2ban insert its rules in a
@@ -322,22 +324,31 @@ run() {
ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \
FORWARD:DROP \
OUTPUT:ACCEPT POSTROUTING:ACCEPT
+
# Packets which destination is $ipsec *must* be associated with
# an IPSec policy.
iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP
+
+ # Packets originating from our (non-routable) $ipsec are marked;
+ # if there is no xfrm lookup (i.e., no matching IPSec
+ # association), the packet will retain its mark and be null
+ # routed later on. Otherwise, the packet is re-queued unmarked.
+ iptables -A OUTPUT -o $if -j MARK --set-mark 0x0
+ iptables -A OUTPUT -s "$ipsec" -o $if -m policy --dir out --pol none \
+ -j MARK --set-mark $secmark
commit
ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
OUTPUT:ACCEPT POSTROUTING:ACCEPT
- # DNAT all marked packets after decapsulation. Packets
- # originating from our IPSec are SNAT'ed (MASQUERADE). XXX:
- # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't
- # DROP packets not matching an IPSec policy. However, any reply
- # not going through IPSec would be DROPped (thanks to the rule
- # in mangle:INPUT above); this is the best we can do for now.
+
+ # DNAT all marked packets after decapsulation.
iptables -A PREROUTING \! -d "$ipsec" -i $if \
-m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}"
- iptables -A POSTROUTING -s "$ipsec" -o $if -j MASQUERADE
+
+ # Packets originating from our IPSec are SNAT'ed (MASQUERADE).
+ # (And null-routed later on unless there is an xfrm
+ # association.)
+ iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE
commit
fi
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 3d7a1dd..4c0a946 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -43,6 +43,8 @@
dest=/etc/network/if-up.d/ipsec
owner=root group=root
mode=0755
+ notify:
+ - Reload networking
# XXX: As of 1.3.1 ansible doesn't accept relative src.
# See https://github.com/ansible/ansible/issues/4459
@@ -51,5 +53,3 @@
src=/etc/network/if-up.d/ipsec
dest=/etc/network/if-down.d/ipsec
owner=root group=root state=link
- notify:
- - Reload networking