Prohibit binding against the IP reserved for IPSec.

Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
author: Guilhem Moulin <guilhem@fripost.org> 2013-11-04 00:31:43 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:50:38 +0200
commit: 67c5135625d3553dcb6f2bfc193df24c0e1ab826 (patch)
tree: 21d5c3c18a1531e445cd1c0dad9ac76a358f7321 /roles
parent: ad9c840c40d923e0fd1b04a57274cc2ec2e381ec (diff)
3 files changed, 50 insertions, 27 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
index e21d6ea..98bf42c 100755
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ b/roles/common/files/etc/network/if-up.d/ipsec
@@ -11,8 +11,11 @@
 set -ue
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
 
-if=sec0
-ip=172.16.0.1/32
+ifsec=sec0
+ipsec=172.16.0.1/32
+
+# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh.
+secmark=0xA99
 
 # Ignore the loopback interface and non inet4 families.
 [ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
@@ -25,20 +28,29 @@ ip=172.16.0.1/32
   "$IFACE" ] || exit 0
 
 case "$MODE" in
-    start) # Don't create $if if it's already there
-           /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" && exit 0
-        
-           # Create a new VLAN $IFACE on physical device $if. This is
-           # required otherwise charon thinks the left peer is that
-           # host-scoped, non-routable IP.
-           /bin/ip link    add link "$IFACE" name "$if" type vlan id 2713
-           /bin/ip address add "$ip" dev "$if" scope host
-           /bin/ip link    set dev "$if" up
+    start) # Don't create $ifsec if it's already there
+           if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
+               # Create a new VLAN $IFACE on physical device $ifsec. This is
+               # required otherwise charon thinks the left peer is that
+               # host-scoped, non-routable IP.
+               /bin/ip link    add link "$IFACE" name "$ifsec" type vlan id 2713
+               /bin/ip address add "$ipsec" dev "$ifsec" scope host
+               /bin/ip link    set dev "$ifsec" up
+           fi
+
+           # If a packet retained its mark that far, it means it has
+           # been SNAT'ed from $ipsec, and didn't have a xfrm
+           # association.  Hence we nullroute it to avoid leaking data.
+           /bin/ip rule  add fwmark "$secmark" table 666 priority 666 || true
+           /bin/ip route add prohibit default  table 666              || true
     ;;
-    stop)  # Don't create $if if it's no there
-           /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" || exit 0
-        
-           # Deactivate the VLAN
-           /bin/ip link set dev "$if" down
+    stop)  if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
+               # Deactivate the VLAN
+               /bin/ip link set dev "$ifsec" down
+           fi
+
+           # Delete the 'prohibit' rule
+           /bin/ip rule  del fwmark "$secmark" table 666 priority 666 || true
+           /bin/ip route flush table 666
     ;;
 esac
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index a8123f9..0907ffc 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -147,11 +147,13 @@ run() {
                  | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" )
 
     # The (host-scoped) IP reserved for IPSec.
-    local ipsec=
+    local ipsec= secmark
     if [ -n "$ifsec" -a $f = 4 ]; then
         tables[$f]='mangle nat filter'
         ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
                | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
+        # /!\ This mark much match that in /etc/network/if-up.d/ipsec.
+        secmark=0xA99
     fi
 
     # Store the old (current) ruleset
@@ -251,7 +253,7 @@ run() {
         # $ipsec.  Also ACCEPT all traffic originating from $ipsec, as
         # it is MASQUERADE'd.
         iptables -A INPUT  -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT
-        iptables -A OUTPUT -s "$ipsec" -o $if -j ACCEPT
+        iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT
     fi
 
     # Prepare fail2ban.  We make fail2ban insert its rules in a
@@ -322,22 +324,31 @@ run() {
         ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \
                           FORWARD:DROP \
                           OUTPUT:ACCEPT POSTROUTING:ACCEPT
+
         # Packets which destination is $ipsec *must* be associated with
         # an IPSec policy.
         iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP
+
+        # Packets originating from our (non-routable) $ipsec are marked;
+        # if there is no xfrm lookup (i.e., no matching IPSec
+        # association), the packet will retain its mark and be null
+        # routed later on.  Otherwise, the packet is re-queued unmarked.
+        iptables -A OUTPUT -o $if -j MARK --set-mark 0x0
+        iptables -A OUTPUT -s "$ipsec" -o $if  -m policy --dir out --pol none \
+                     -j MARK --set-mark $secmark
         commit
 
         ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
                        OUTPUT:ACCEPT POSTROUTING:ACCEPT
-        # DNAT all marked packets after decapsulation.  Packets
-        # originating from our IPSec are SNAT'ed (MASQUERADE).  XXX:
-        # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't
-        # DROP packets not matching an IPSec policy. However, any reply
-        # not going through IPSec would be DROPped (thanks to the rule
-        # in mangle:INPUT above); this is the best we can do for now.
+
+        # DNAT all marked packets after decapsulation.
         iptables -A PREROUTING \! -d "$ipsec" -i $if \
                      -m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}"
-        iptables -A POSTROUTING -s "$ipsec" -o $if -j MASQUERADE
+
+        # Packets originating from our IPSec are SNAT'ed (MASQUERADE).
+        # (And null-routed later on unless there is an xfrm
+        # association.)
+        iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE
         commit
     fi
 
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 3d7a1dd..4c0a946 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -43,6 +43,8 @@
         dest=/etc/network/if-up.d/ipsec
         owner=root group=root
         mode=0755
+  notify:
+    - Reload networking
 
 # XXX: As of 1.3.1 ansible doesn't accept relative src.
 # See https://github.com/ansible/ansible/issues/4459
@@ -51,5 +53,3 @@
         src=/etc/network/if-up.d/ipsec
         dest=/etc/network/if-down.d/ipsec
         owner=root group=root state=link
-  notify:
-    - Reload networking
author	Guilhem Moulin <guilhem@fripost.org>	2013-11-04 00:31:43 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:50:38 +0200
commit	67c5135625d3553dcb6f2bfc193df24c0e1ab826 (patch)
tree	21d5c3c18a1531e445cd1c0dad9ac76a358f7321 /roles
parent	ad9c840c40d923e0fd1b04a57274cc2ec2e381ec (diff)