diff options
| -rwxr-xr-x | roles/common/files/etc/network/if-up.d/ipsec | 5 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 30 | ||||
| -rw-r--r-- | roles/common/tasks/firewall.yml | 3 |
3 files changed, 22 insertions, 16 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec index 98bf42c..a43af6c 100755 --- a/roles/common/files/etc/network/if-up.d/ipsec +++ b/roles/common/files/etc/network/if-up.d/ipsec @@ -23,34 +23,37 @@ secmark=0xA99 # Only the device with the default, globally-scoped route, is of # interest here. [ "$( /bin/ip -4 route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \ = \ "$IFACE" ] || exit 0 case "$MODE" in start) # Don't create $ifsec if it's already there if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then # Create a new VLAN $IFACE on physical device $ifsec. This is # required otherwise charon thinks the left peer is that # host-scoped, non-routable IP. /bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713 /bin/ip address add "$ipsec" dev "$ifsec" scope host /bin/ip link set dev "$ifsec" up fi # If a packet retained its mark that far, it means it has # been SNAT'ed from $ipsec, and didn't have a xfrm - # association. Hence we nullroute it to avoid leaking data. + # association. Hence we nullroute it to avoid to leak data + # intented to be tunneled through IPSec. /!\ The priority + # must be >220 (strongSwan IPSec's policy) since xfrm lookup + # must take precedence. /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true /bin/ip route add prohibit default table 666 || true ;; stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then # Deactivate the VLAN /bin/ip link set dev "$ifsec" down fi # Delete the 'prohibit' rule /bin/ip rule del fwmark "$secmark" table 666 priority 666 || true /bin/ip route flush table 666 ;; esac diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 0907ffc..1c57646 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -13,42 +13,45 @@ # # This firewall is only targeted towards end-servers, not gateways. In # particular, there is no NAT'ing at the moment. # # Dependencies: netmask(1) # # Copyright 2013 Guilhem Moulin <guilhem@fripost.org> # # Licensed under the GNU GPL version 3 or higher. # set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin timeout=10 force=0 check=0 verbose=0 addrfam= +secmark=0xA99 # must match that in /etc/network/if-up.d/ipsec +secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp) + fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' -IPSec_re=' -m policy --dir (in|out) --pol ipsec .* --proto esp -j ACCEPT$' +IPSec_re=" -m policy --dir (in|out) --pol ipsec .* --proto $secproto -j ACCEPT$" declare -A rss=() tables=() usage() { cat >&2 <<- EOF Usage: $0 [OPTIONS] Options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only EOF exit 1 } log() { /usr/bin/logger -st firewall -p syslog.info -- "$@" } fatal() { @@ -130,47 +133,45 @@ ipt-revert() { rm -f "${rss[$f]}" done exit 1 } run() { # Build and apply the firewall for IPv4/6. local f="$1" local ipt=/sbin/$(inet46 $f iptables ip6tables) tables[$f]=filter # The default interface associated with this address. local if=$( /bin/ip -$f route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' ) # The virtual interface reserved for IPSec. local ifsec=$( /bin/ip -o -$f link show \ | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" ) # The (host-scoped) IP reserved for IPSec. - local ipsec= secmark + local ipsec= if [ -n "$ifsec" -a $f = 4 ]; then tables[$f]='mangle nat filter' ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \ | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' ) - # /!\ This mark much match that in /etc/network/if-up.d/ipsec. - secmark=0xA99 fi # Store the old (current) ruleset local old=$(mktemp -t current-rules.v$f.XXXXXX) \ new=$(mktemp -t new-rules.v$f.XXXXXX) for table in ${tables[$f]}; do $ipt-save -ct $table done > "$old" rss[$f]="$old" local fail2ban=0 # XXX: As of Wheezy, fail2ban is IPv4 only. See # https://github.com/fail2ban/fail2ban/issues/39 for the current # state of the art. if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then fail2ban=1 fi # The usual chains in filter, along with the desired default policies. ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP @@ -179,43 +180,43 @@ run() { # If the interface is not configured, we stop here and DROP all # packets by default. Thanks to the pre-up hook this tight # policy will be activated whenever the interface goes up. mv "$new" /etc/iptables/rules.v$f return 0 fi # Fail2ban-specific chains and traps if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest grep -- '^:fail2ban-\S' "$old" || true grep -E -- ' -j fail2ban-\S+$' "$old" || true grep -E -- "$fail2ban_re" "$old" || true fi >> "$new" if [ -n "$ifsec" ]; then # (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6. grep -E -- "$IPSec_re" "$old" >> "$new" || true - # Allow any IPsec ESP protocol packets to be sent and received. - iptables -A INPUT -i $if -p esp -j ACCEPT - iptables -A OUTPUT -o $if -p esp -j ACCEPT + # Allow any IPsec $secproto protocol packets to be sent and received. + iptables -A INPUT -i $if -p $secproto -j ACCEPT + iptables -A OUTPUT -o $if -p $secproto -j ACCEPT fi ######################################################################## # DROP all RFC1918 addresses, martian networks, multicasts, ... # Credits to http://newartisans.com/2007/09/neat-tricks-with-iptables/ # http://baldric.net/loose-iptables-firewall-for-servers/ local ip if [ "$f" = 4 ]; then # Private-use networks (RFC 1918) and link local (RFC 3927) local MyNetwork=$( /bin/ip -4 address show dev $if scope global \ | sed -nr 's/^\s+inet\s(\S+).*/\1/p') [ -n "$MyNetwork" ] && \ for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do # Don't lock us out if we are behind a NAT ;-) [ "$ip" = "$(/usr/bin/netmask -nc $ip $MyNetwork | sed 's/ //g')" ] \ || iptables -A INPUT -i $if -s "$ip" -j DROP done @@ -235,41 +236,42 @@ run() { done fi # DROP INVALID packets immediately. iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP # DROP bogus TCP packets. iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP # Allow all input/output to/from the loopback interface. local localhost=$(inet46 $f '127.0.0.1/32' '::1/128') iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT if [ -n "$ipsec" ]; then # ACCEPT any, *IPSec* traffic destinating to the non-routable # $ipsec. Also ACCEPT all traffic originating from $ipsec, as # it is MASQUERADE'd. - iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT + iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in \ + --pol ipsec --proto $secproto -j ACCEPT iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT fi # Prepare fail2ban. We make fail2ban insert its rules in a # dedicated chain, so that it doesn't mess up the existing rules. [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban if [ "$f" = 4 ]; then # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done # directly by the kernel (net.ipv4.icmp_ratelimit and # net.ipv4.icmp_ratemask runtime options). See icmp(7). local t for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do iptables -A INPUT -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT done elif [ $f = 6 ]; then iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT fi @@ -310,57 +312,59 @@ run() { esac iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT done ######################################################################## commit if [ -n "$ipsec" ]; then # DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT # them before encapsulation. We need to do the NAT'ing before # packets enter the IPSec stack because they are signed # afterwards, and NAT'ing would mess up the signature. ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \ FORWARD:DROP \ OUTPUT:ACCEPT POSTROUTING:ACCEPT # Packets which destination is $ipsec *must* be associated with # an IPSec policy. - iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP + iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in \ + --pol ipsec --proto $secproto -j ACCEPT + iptables -A INPUT -d "$ipsec" -i $if -j DROP # Packets originating from our (non-routable) $ipsec are marked; # if there is no xfrm lookup (i.e., no matching IPSec # association), the packet will retain its mark and be null # routed later on. Otherwise, the packet is re-queued unmarked. iptables -A OUTPUT -o $if -j MARK --set-mark 0x0 - iptables -A OUTPUT -s "$ipsec" -o $if -m policy --dir out --pol none \ - -j MARK --set-mark $secmark + iptables -A OUTPUT -s "$ipsec" -o $if -m policy --dir out \ + --pol none -j MARK --set-mark $secmark commit ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \ OUTPUT:ACCEPT POSTROUTING:ACCEPT # DNAT all marked packets after decapsulation. - iptables -A PREROUTING \! -d "$ipsec" -i $if \ - -m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}" + iptables -A PREROUTING \! -d "$ipsec" -i $if -m policy --dir in \ + --pol ipsec --proto $secproto -j DNAT --to "${ipsec%/*}" # Packets originating from our IPSec are SNAT'ed (MASQUERADE). # (And null-routed later on unless there is an xfrm # association.) iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE commit fi ######################################################################## local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f local oldz=$(mktemp -t current-rules.v$f.XXXXXX) # Reset the counters. They are not useful for comparing and/or # storing persistent ruleset. (We don't use sed -i because we want # to restore the counters when reverting.) sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \ -e 's/^\[[0-9]+:[0-9]+\]\s+//' \ "$old" > "$oldz" diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml index 5029932..9ed2f72 100644 --- a/roles/common/tasks/firewall.yml +++ b/roles/common/tasks/firewall.yml @@ -6,36 +6,35 @@ - bsdutils - name: Create directory /etc/iptables file: path=/etc/iptables owner=root group=root state=directory mode=0755 - name: Generate /etc/iptables/services template: src=etc/iptables/services.j2 dest=/etc/iptables/services owner=root group=root mode=0600 - name: Copy /usr/local/sbin/update-firewall.sh copy: src=usr/local/sbin/update-firewall.sh dest=/usr/local/sbin/update-firewall.sh owner=root group=root mode=0755 -- name: Make the iptable ruleset persistent +- name: Make the rulesets persistent copy: src=etc/network/{{ item }} dest=/etc/network/{{ item }} owner=root group=root mode=0755 with_items: - if-pre-up.d/iptables - if-post-down.d/iptables - - name: Ensure the firewall is up to date command: /usr/local/sbin/update-firewall.sh -c register: rv # A non-zero return value will make ansible stop and show stderr. This # is what we want. changed_when: rv.rc |