Documentation.

author: Guilhem Moulin <guilhem@fripost.org> 2013-11-03 06:02:12 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:50:36 +0200
commit: fa41e97fca909391c9f5cae4681378bfe75586e3 (patch)
tree: 2a9718c8f3fbd9fe4bcaf1958ab04b9bada21d66 /roles
parent: 2bcaaf01a5fcc2d2ce618da6af30a43a70d03d80 (diff)
1 files changed, 27 insertions, 25 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 54a66e8..f7ab925 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -1,17 +1,17 @@
 #!/bin/bash
 #
-# Create iptables (v4 and v6) rules. Unless one of [-f] or [-c] is
+# Create iptables (v4 and v6) rules.  Unless one of [-f] or [-c] is
 # given, or if the ruleset is unchanged, a confirmation is asked after
 # loading the new rulesets; if the user answers No or doesn't answer,
-# the old ruleset is restored. If the user answer Yes (or if the flag
+# the old ruleset is restored.  If the user answer Yes (or if the flag
 # [-f] is given), the new ruleset is made persistent (requires a pre-up
 # hook) by moving it to /etc/iptables/rules.v[46].
 #
-# The [-c] flag switch to dry-run (check) mode. The rulesets are not
-# applied, but merely checked against the existing ones. The return
+# The [-c] flag switch to dry-run (check) mode.  The rulesets are not
+# applied, but merely checked against the existing ones.  The return
 # value is 0 iff. they do not differ.
 #
-# This firewall is only targeted towards end-servers, not gateways. In
+# This firewall is only targeted towards end-servers, not gateways.  In
 # particular, there is no NAT'ing at the moment.
 #
 # Dependencies: netmask(1)
@@ -85,7 +85,7 @@ ipt-chains() {
 ipt-trim() {
     # Remove dynamic chain/rules from the input stream, as they are
     # automatically included by third-party servers (such as strongSwan
-    # or fail2ban). The output is ready to be made persistent.
+    # or fail2ban).  The output is ready to be made persistent.
     grep -Ev -e '^:fail2ban-\S' \
              -e "$IPSec_re" \
              -e '-j fail2ban-\S+$' \
@@ -102,7 +102,7 @@ ipt-diff() {
 }
 
 ipt-persist() {
-    # Make the current ruleset persistent. (Requires a pre-up hook
+    # Make the current ruleset persistent.  (Requires a pre-up hook
     # script to load the rules before the network is configured.)
 
     log "Making ruleset persistent... "
@@ -165,7 +165,7 @@ run() {
     rss+=( [$f]="$old" )
 
     local fail2ban=0
-    # XXX: As of Wheezy, fail2ban is IPv4 only. See
+    # XXX: As of Wheezy, fail2ban is IPv4 only.  See
     #      https://github.com/fail2ban/fail2ban/issues/39 for the current
     #      state of the art.
     if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then
@@ -173,15 +173,15 @@ run() {
     fi
 
     if [ -n "$ipsec" ]; then
-        # We DNAT the IPSec paquets to $ipsec after decapsulation, and
-        # SNAT them before encapsulation. We need to do the NAT'ing
-        # before packets enter the IPSec stack because they are signed
+        # DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT
+        # them before encapsulation.  We need to do the NAT'ing before
+        # packets enter the IPSec stack because they are signed
         # afterwards, and NAT'ing would mess up the signature.
         ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \
                           FORWARD:DROP \
                           OUTPUT:ACCEPT POSTROUTING:ACCEPT
         # Mark all IPSec packets to keep track of them and NAT them
-        # after decapsulation. Unmarked packets that are to be sent to
+        # after decapsulation.  Unmarked packets that are to be sent to
         # $ipsec are dropped.
         iptables -A PREROUTING -p esp -j MARK --set-mark $secmark
         iptables -A INPUT -d "$ipsec" -m mark \! --mark $secmark -j DROP
@@ -189,10 +189,12 @@ run() {
 
         ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
                        OUTPUT:ACCEPT POSTROUTING:ACCEPT
-        # DNAT all marked packets that have been decapsulated. Packets
-        # originating from our IPSec are SNAT'ed (MASQUERADE). We cannot
-        # mark them here (it won't survivethe NAT'ing), but any reply
-        # not going through IPSec would be dropped (since unmarked).
+        # DNAT all marked packets that have been decapsulated.  Packets
+        # originating from our IPSec are SNAT'ed (MASQUERADE).  XXX:
+        # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't
+        # DROP packets not matching an IPSec policy. However, any reply
+        # not going through IPSec would be dropped (since unmarked);
+        # this is the best we can do for now.
         iptables -A PREROUTING \! -p esp -m mark --mark "$secmark" \
                      -j DNAT --to "${ipsec%/*}"
         iptables -A POSTROUTING -s "$ipsec" -j MASQUERADE
@@ -204,7 +206,7 @@ run() {
 
     if [ -z "$if" ]; then
         # If the interface is not configured, we stop here and DROP all
-        # packets by default. Thanks to the pre-up hook this tight
+        # packets by default.  Thanks to the pre-up hook this tight
         # policy will be activated whenever the interface goes up.
         mv "$new" /etc/iptables/rules.v$f
         return 0
@@ -277,20 +279,20 @@ run() {
 
     if [ -n "$ipsec" ]; then
         # ACCEPT any, *marked* traffic destinating to the non-routable
-        # $ipsec. Also ACCEPT all traffic originating from $ipsec, as it
-        # is MASQUERADE'd.
+        # $ipsec.  Also ACCEPT all traffic originating from $ipsec, as
+        # it is MASQUERADE'd.
         iptables -A INPUT  -i "$if" -d "$ipsec" -m mark --mark "$secmark" -j ACCEPT
         iptables -A OUTPUT -s "$ipsec" -o "$if" -j ACCEPT
     fi
 
-    # Prepare fail2ban. We make fail2ban insert its rules in a dedicated
-    # chain, so that it doesn't mess up the existing rules.
+    # Prepare fail2ban.  We make fail2ban insert its rules in a
+    # dedicated chain, so that it doesn't mess up the existing rules.
     [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
 
     if [ "$f" = 4 ]; then
-        # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done
+        # Allow only ICMP of type 0, 3 and 8.  The rate-limiting is done
         # directly by the kernel (net.ipv4.icmp_ratelimit and
-        # net.ipv4.icmp_ratemask runtime options). See icmp(7).
+        # net.ipv4.icmp_ratemask runtime options).  See icmp(7).
         local t
         for t in  'echo-reply' 'destination-unreachable' 'echo-request'; do
             iptables -A INPUT  -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT
@@ -347,8 +349,8 @@ run() {
     local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
     local oldz=$(mktemp -t current-rules.v$f.XXXXXX)
 
-    # Reset the counters. They are not useful for comparing and/or
-    # storing persistent ruleset. (We don't use sed -i because we want
+    # Reset the counters.  They are not useful for comparing and/or
+    # storing persistent ruleset.  (We don't use sed -i because we want
     # to restore the counters when reverting.)
     sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
            -e 's/^\[[0-9]+:[0-9]+\]\s+//' \
author	Guilhem Moulin <guilhem@fripost.org>	2013-11-03 06:02:12 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:50:36 +0200
commit	fa41e97fca909391c9f5cae4681378bfe75586e3 (patch)
tree	2a9718c8f3fbd9fe4bcaf1958ab04b9bada21d66 /roles
parent	2bcaaf01a5fcc2d2ce618da6af30a43a70d03d80 (diff)