diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2013-11-04 00:31:43 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:38 +0200 |
commit | 67c5135625d3553dcb6f2bfc193df24c0e1ab826 (patch) | |
tree | 21d5c3c18a1531e445cd1c0dad9ac76a358f7321 /roles | |
parent | ad9c840c40d923e0fd1b04a57274cc2ec2e381ec (diff) |
Prohibit binding against the IP reserved for IPSec.
Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
ip rule add fwmark "$secmark" table 666 priority 666
ip route add blackhole default table 666
Diffstat (limited to 'roles')
-rwxr-xr-x | roles/common/files/etc/network/if-up.d/ipsec | 44 | ||||
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 29 | ||||
-rw-r--r-- | roles/common/tasks/ipsec.yml | 4 |
3 files changed, 50 insertions, 27 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec index e21d6ea..98bf42c 100755 --- a/roles/common/files/etc/network/if-up.d/ipsec +++ b/roles/common/files/etc/network/if-up.d/ipsec @@ -11,8 +11,11 @@ set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin -if=sec0 -ip=172.16.0.1/32 +ifsec=sec0 +ipsec=172.16.0.1/32 + +# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh. +secmark=0xA99 # Ignore the loopback interface and non inet4 families. [ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0 @@ -25,20 +28,29 @@ ip=172.16.0.1/32 "$IFACE" ] || exit 0 case "$MODE" in - start) # Don't create $if if it's already there - /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" && exit 0 - - # Create a new VLAN $IFACE on physical device $if. This is - # required otherwise charon thinks the left peer is that - # host-scoped, non-routable IP. - /bin/ip link add link "$IFACE" name "$if" type vlan id 2713 - /bin/ip address add "$ip" dev "$if" scope host - /bin/ip link set dev "$if" up + start) # Don't create $ifsec if it's already there + if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then + # Create a new VLAN $IFACE on physical device $ifsec. This is + # required otherwise charon thinks the left peer is that + # host-scoped, non-routable IP. + /bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713 + /bin/ip address add "$ipsec" dev "$ifsec" scope host + /bin/ip link set dev "$ifsec" up + fi + + # If a packet retained its mark that far, it means it has + # been SNAT'ed from $ipsec, and didn't have a xfrm + # association. Hence we nullroute it to avoid leaking data. + /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true + /bin/ip route add prohibit default table 666 || true ;; - stop) # Don't create $if if it's no there - /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" || exit 0 - - # Deactivate the VLAN - /bin/ip link set dev "$if" down + stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then + # Deactivate the VLAN + /bin/ip link set dev "$ifsec" down + fi + + # Delete the 'prohibit' rule + /bin/ip rule del fwmark "$secmark" table 666 priority 666 || true + /bin/ip route flush table 666 ;; esac diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index a8123f9..0907ffc 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -147,11 +147,13 @@ run() { | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" ) # The (host-scoped) IP reserved for IPSec. - local ipsec= + local ipsec= secmark if [ -n "$ifsec" -a $f = 4 ]; then tables[$f]='mangle nat filter' ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \ | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' ) + # /!\ This mark much match that in /etc/network/if-up.d/ipsec. + secmark=0xA99 fi # Store the old (current) ruleset @@ -251,7 +253,7 @@ run() { # $ipsec. Also ACCEPT all traffic originating from $ipsec, as # it is MASQUERADE'd. iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT - iptables -A OUTPUT -s "$ipsec" -o $if -j ACCEPT + iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT fi # Prepare fail2ban. We make fail2ban insert its rules in a @@ -322,22 +324,31 @@ run() { ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \ FORWARD:DROP \ OUTPUT:ACCEPT POSTROUTING:ACCEPT + # Packets which destination is $ipsec *must* be associated with # an IPSec policy. iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP + + # Packets originating from our (non-routable) $ipsec are marked; + # if there is no xfrm lookup (i.e., no matching IPSec + # association), the packet will retain its mark and be null + # routed later on. Otherwise, the packet is re-queued unmarked. + iptables -A OUTPUT -o $if -j MARK --set-mark 0x0 + iptables -A OUTPUT -s "$ipsec" -o $if -m policy --dir out --pol none \ + -j MARK --set-mark $secmark commit ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \ OUTPUT:ACCEPT POSTROUTING:ACCEPT - # DNAT all marked packets after decapsulation. Packets - # originating from our IPSec are SNAT'ed (MASQUERADE). XXX: - # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't - # DROP packets not matching an IPSec policy. However, any reply - # not going through IPSec would be DROPped (thanks to the rule - # in mangle:INPUT above); this is the best we can do for now. + + # DNAT all marked packets after decapsulation. iptables -A PREROUTING \! -d "$ipsec" -i $if \ -m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}" - iptables -A POSTROUTING -s "$ipsec" -o $if -j MASQUERADE + + # Packets originating from our IPSec are SNAT'ed (MASQUERADE). + # (And null-routed later on unless there is an xfrm + # association.) + iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE commit fi diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index 3d7a1dd..4c0a946 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -43,6 +43,8 @@ dest=/etc/network/if-up.d/ipsec owner=root group=root mode=0755 + notify: + - Reload networking # XXX: As of 1.3.1 ansible doesn't accept relative src. # See https://github.com/ansible/ansible/issues/4459 @@ -51,5 +53,3 @@ src=/etc/network/if-up.d/ipsec dest=/etc/network/if-down.d/ipsec owner=root group=root state=link - notify: - - Reload networking |