Firewall: Harden IPsec configuration by pining the reqids.

author: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 02:32:24 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 02:32:24 +0200
commit: bc41db5237d188c339d25d96a20465e488ea5475 (patch)
tree: 47765c4acb8a21166435b00aa9d184543d87bf7e /roles
parent: 7a36aa2b69d16b768c1e23829087d26a9e87423f (diff)
2 files changed, 16 insertions, 14 deletions
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index e7505b4..eaa9a08 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -20,25 +20,26 @@ conn %default
     leftsubnet     = {{ ipsec[inventory_hostname_short] | ansible.utils.ipv4 }}/32
     leftid         = {{ inventory_hostname }}
     leftsigkey     = {{ inventory_hostname_short }}.pem
     leftfirewall   = no
     lefthostaccess = yes
     rightauth      = pubkey
     auto           = route
     dpdaction      = hold
     inactivity     = 30m
     modeconfig     = push
 
 {% for host in groups.all | difference([inventory_hostname]) | sort %}
 
 conn {{ hostvars[host].inventory_hostname_short }}
     right         = {{ hostvars[host].inventory_hostname }}
 {% if 'DynDNS' in hostvars[host].group_names %}
     rightallowany = yes
 {% endif %}
     rightsigkey   = {{ hostvars[host].inventory_hostname_short }}.pem
     rightsubnet   = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 }}/32
+    reqid         = {{ ipsec[ hostvars[host].inventory_hostname_short ].replace(":",".").split(".")[-1] }}
 {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
     mobike        = yes
 {% endif %}
 
 {%- endfor %}
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 805d1a8..f603ed9 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -138,100 +138,101 @@ table inet raw {
     chain PREROUTING {
         type filter hook prerouting priority -199 # > NF_IP_PRI_CONNTRACK (-200)
         policy accept
 
         # stateful filter
         ct state invalid counter drop
     }
 }
 
 table inet filter {
     # blackholes (timeout must match /etc/fail2ban/jail.local)
     set fail2ban  { type ipv4_addr; timeout 10m; }
     set fail2ban6 { type ipv6_addr; timeout 10m; }
 
     chain input {
         type filter hook input priority 0
         policy drop
 
         iif lo accept
 
-        # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions
-        # to match match inbound resp. outbound policies and source resp. destination tunnel addresses.
-        # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
-        # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
-        # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP
-        # encapsulation.)  We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way
-        # peers can't impersonate each other.
         meta l4proto esp accept
-        # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept
-        ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
+        ip daddr {{ ipsec[inventory_hostname_short] }} jump ipsec-in
 
         # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already
         meta l4proto { icmp, icmpv6 } counter accept
 
         # NTP (ntpd uses sport 123 but systemd-timesyncd does not)
         udp sport 123 ct state related,established accept
 
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
 {% endif %}
 {% endif %}
 
         udp sport 53 ct state related,established accept
         tcp sport 53 ct state related,established accept
 {% if 'dhclient' in group_names %}
         ip  version 4 udp sport  67 udp dport  68 ct state related,established accept
         ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept
 {% endif %}
 
         ip  saddr @fail2ban  counter drop
         ip6 saddr @fail2ban6 counter drop
 
         tcp dport $in-tcp-ports  ct state related,established accept
         tcp dport $in-tcp-ports  ct state new counter accept
         tcp sport $out-tcp-ports ct state related,established accept
     }
 
     chain output {
         type filter hook output priority 0
         policy drop
 
         oif lo accept
 
-        # XXX Bullseye: unlike for input we can't use marks or test for
-        # secpath existence here, because by the time we see a packet to
-        # 172.16.0.0/24 we don't know if it'll be encapsulated
         meta l4proto esp accept
-        # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept
-        ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
+        ip saddr {{ ipsec[inventory_hostname_short] }} jump ipsec-out
 
         meta l4proto { icmp, icmpv6 } counter accept
 
         # NTP (ntpd uses sport 123 but systemd-timesyncd does not)
         udp dport 123 ct state new,related,established accept
 
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
 {% endif %}
 {% endif %}
 
         udp dport 53 ct state new,related,established accept
         tcp dport 53 ct state new,related,established accept
 {% if 'dhclient' in group_names %}
         ip  version 4 udp sport  68 udp dport  67 ct state new,related,established accept
         ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept
 {% endif %}
 
         tcp sport $in-tcp-ports  ct state related,established accept
         tcp dport $out-tcp-ports ct state related,established accept
         tcp dport $out-tcp-ports ct state new counter accept
 
         meta l4proto tcp counter reject with tcp reset
         meta l4proto udp counter reject
         counter reject
     }
+
+    chain ipsec-in {
+{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %}
+        ip saddr {{ ipsec[h] }} ipsec in reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept
+{% endfor %}
+        log prefix "ipsec-in " drop
+    }
+    chain ipsec-out {
+{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %}
+        ip daddr {{ ipsec[h] }} ipsec out reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept
+{% endfor %}
+        log prefix "ipsec-out " drop
+    }
 }
author	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 02:32:24 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 02:32:24 +0200
commit	bc41db5237d188c339d25d96a20465e488ea5475 (patch)
tree	47765c4acb8a21166435b00aa9d184543d87bf7e /roles
parent	7a36aa2b69d16b768c1e23829087d26a9e87423f (diff)