diff options
| -rwxr-xr-x | roles/common/files/etc/network/if-post-down.d/iptables | 27 | ||||
| -rwxr-xr-x | roles/common/files/etc/network/if-up.d/ipsec | 44 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 71 | ||||
| -rw-r--r-- | roles/common/handlers/main.yml | 6 | ||||
| -rw-r--r-- | roles/common/tasks/firewall.yml | 8 | ||||
| -rw-r--r-- | roles/common/tasks/ipsec.yml | 16 | ||||
| -rw-r--r-- | site.yml | 2 |
7 files changed, 157 insertions, 17 deletions
diff --git a/roles/common/files/etc/network/if-post-down.d/iptables b/roles/common/files/etc/network/if-post-down.d/iptables new file mode 100755 index 0000000..944ff3a --- /dev/null +++ b/roles/common/files/etc/network/if-post-down.d/iptables @@ -0,0 +1,27 @@ +#!/bin/sh +# +# A post-down hook to flush ip tables and delete custom chains in the +# loaded v4 and v6 rulesets. +# +# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# +# Licensed under the GNU GPL version 3 or higher. +# + +set -ue +PATH=/usr/sbin:/usr/bin:/sbin:/bin + +# Ignore the loopback interface; run the script for ifdown only. +[ "$IFACE" != lo -a "$MODE" = stop ] || exit 0 + +case "$ADDRFAM" in + inet) ipts=/sbin/iptables-save; ipt=/sbin/iptables;; + inet6) ipts=/sbin/ip6tables-save; ipt=/sbin/ip6tables;; + *) exit 0 +esac + +$ipts | sed -nr 's/^\*//p' | \ +while read table; do + $ipt -t "$table" -F + $ipt -t "$table" -X +done diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec new file mode 100755 index 0000000..e21d6ea --- /dev/null +++ b/roles/common/files/etc/network/if-up.d/ipsec @@ -0,0 +1,44 @@ +#!/bin/sh +# +# A post-up/down hook to automatically create/delete a 'sec' VLAN +# device, and a dedicated, host-scoped, IP for IPSec (v4 only). +# +# Copyright 2013 Guilhem Moulin <guilhem@fripost.org> +# +# Licensed under the GNU GPL version 3 or higher. +# + +set -ue +PATH=/usr/sbin:/usr/bin:/sbin:/bin + +if=sec0 +ip=172.16.0.1/32 + +# Ignore the loopback interface and non inet4 families. +[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0 + +# Only the device with the default, globally-scoped route, is of +# interest here. +[ "$( /bin/ip -4 route show to default scope global \ + | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \ + = \ + "$IFACE" ] || exit 0 + +case "$MODE" in + start) # Don't create $if if it's already there + /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" && exit 0 + + # Create a new VLAN $IFACE on physical device $if. This is + # required otherwise charon thinks the left peer is that + # host-scoped, non-routable IP. + /bin/ip link add link "$IFACE" name "$if" type vlan id 2713 + /bin/ip address add "$ip" dev "$if" scope host + /bin/ip link set dev "$if" up + ;; + stop) # Don't create $if if it's no there + /bin/ip -o link show | grep -qE "^[0-9]+:\s+$if" || exit 0 + + # Deactivate the VLAN + /bin/ip link set dev "$if" down + ;; +esac diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 8530277..54a66e8 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -44,46 +44,60 @@ usage() { -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only EOF exit 1 } log() { /usr/bin/logger -st firewall -p syslog.info -- "$@" } fatal() { /usr/bin/logger -st firewall -p syslog.err -- "$@" exit 1 } iptables() { # Fake iptables/ip6tables(8); use the more efficient # iptables-restore(8) instead. echo "$@" >> "$new"; } +commit() { + # End a table + echo COMMIT >> "$new" +} inet46() { case "$1" in 4) echo "$2";; 6) echo "$3";; esac } +ipt-chains() { + # Define new (tables and) chains. + while [ $# -gt 0 ]; do + case "$1" in + ?*:*) echo ":${1%:*} ${1##*:} [0:0]";; + ?*) echo "*$1";; + esac + shift + done >> "$new" +} ipt-trim() { # Remove dynamic chain/rules from the input stream, as they are # automatically included by third-party servers (such as strongSwan # or fail2ban). The output is ready to be made persistent. grep -Ev -e '^:fail2ban-\S' \ -e "$IPSec_re" \ -e '-j fail2ban-\S+$' \ -e "$fail2ban_re" } ipt-diff() { # Get the difference between two rulesets. if [ $verbose -eq 1 ]; then /usr/bin/diff -u -I '^#' "$1" "$2" else /usr/bin/diff -q -I '^#' "$1" "$2" >/dev/null fi } @@ -117,70 +131,93 @@ ipt-revert() { done exit 1 } run() { # Build and apply the firewall for IPv4/6. local f="$1" local ipt=/sbin/$(inet46 $f iptables ip6tables) tables+=( [$f]=filter ) # The default interface associated with this address. local if=$( /bin/ip -$f route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' ) [ -n "$if" ] || return 0 # The virtual interface reserved for IPSec. local ifsec=$( /bin/ip -o -$f link show \ | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" ) # The (host-scoped) IP reserved for IPSec. - local ipsec= + local ipsec= secmark if [ -n "$ifsec" -a $f = 4 ]; then tables+=( [$f]=' mangle nat' ) ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \ | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' ) + secmark=0x1 fi # Store the old (current) ruleset - local old=$(mktemp -t current-rules.v$f.XXXXXX) + local old=$(mktemp -t current-rules.v$f.XXXXXX) \ + new=$(mktemp -t new-rules.v$f.XXXXXX) for table in ${tables[$f]}; do $ipt-save -ct $table done > "$old" rss+=( [$f]="$old" ) local fail2ban=0 # XXX: As of Wheezy, fail2ban is IPv4 only. See # https://github.com/fail2ban/fail2ban/issues/39 for the current # state of the art. if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then fail2ban=1 fi + if [ -n "$ipsec" ]; then + # We DNAT the IPSec paquets to $ipsec after decapsulation, and + # SNAT them before encapsulation. We need to do the NAT'ing + # before packets enter the IPSec stack because they are signed + # afterwards, and NAT'ing would mess up the signature. + ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \ + FORWARD:DROP \ + OUTPUT:ACCEPT POSTROUTING:ACCEPT + # Mark all IPSec packets to keep track of them and NAT them + # after decapsulation. Unmarked packets that are to be sent to + # $ipsec are dropped. + iptables -A PREROUTING -p esp -j MARK --set-mark $secmark + iptables -A INPUT -d "$ipsec" -m mark \! --mark $secmark -j DROP + commit + + ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \ + OUTPUT:ACCEPT POSTROUTING:ACCEPT + # DNAT all marked packets that have been decapsulated. Packets + # originating from our IPSec are SNAT'ed (MASQUERADE). We cannot + # mark them here (it won't survivethe NAT'ing), but any reply + # not going through IPSec would be dropped (since unmarked). + iptables -A PREROUTING \! -p esp -m mark --mark "$secmark" \ + -j DNAT --to "${ipsec%/*}" + iptables -A POSTROUTING -s "$ipsec" -j MASQUERADE + commit + fi + # The usual chains in filter, along with the desired default policies. - local new=$(mktemp -t new-rules.v$f.XXXXXX) - cat > "$new" <<- EOF - *filter - :INPUT DROP [0:0] - :FORWARD DROP [0:0] - :OUTPUT DROP [0:0] - EOF + ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP if [ -z "$if" ]; then # If the interface is not configured, we stop here and DROP all # packets by default. Thanks to the pre-up hook this tight # policy will be activated whenever the interface goes up. mv "$new" /etc/iptables/rules.v$f return 0 fi # Fail2ban-specific chains and traps if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest grep -- '^:fail2ban-\S' "$old" || true grep -E -- ' -j fail2ban-\S+$' "$old" || true grep -E -- "$fail2ban_re" "$old" || true fi >> "$new" if [ -n "$ifsec" ]; then # (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6. @@ -221,40 +258,48 @@ run() { # (RFC 3879). for ip in fc00::/7 fec0::/10; do iptables -A INPUT -i $if -s "$ip" -j DROP iptables -A INPUT -i $if -d "$ip" -j DROP done fi # DROP INVALID packets immediately. iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP # DROP bogus TCP packets. iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP # Allow all input/output to/from the loopback interface. local localhost=$(inet46 $f '127.0.0.1/32' '::1/128') iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT + if [ -n "$ipsec" ]; then + # ACCEPT any, *marked* traffic destinating to the non-routable + # $ipsec. Also ACCEPT all traffic originating from $ipsec, as it + # is MASQUERADE'd. + iptables -A INPUT -i "$if" -d "$ipsec" -m mark --mark "$secmark" -j ACCEPT + iptables -A OUTPUT -s "$ipsec" -o "$if" -j ACCEPT + fi + # Prepare fail2ban. We make fail2ban insert its rules in a dedicated # chain, so that it doesn't mess up the existing rules. [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban if [ "$f" = 4 ]; then # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done # directly by the kernel (net.ipv4.icmp_ratelimit and # net.ipv4.icmp_ratemask runtime options). See icmp(7). local t for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do iptables -A INPUT -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT done elif [ $f = 6 ]; then iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT fi ######################################################################## # ACCEPT new connections to the services we provide, or to those we want @@ -279,72 +324,70 @@ run() { ?*) optsNew="--dport $dport" optsEst="--sport $dport";; esac case "$sport" in *,*|*:*) optsNew+=" --match multiport --sports $sport" optsEst+=" --match multiport --dports $sport";; ?*) optsNew+=" --sport $sport" optsEst+=" --dport $sport";; esac case "$dir" in in|inout) iptNew="-A INPUT -i"; iptEst="-A OUTPUT -o";; out) iptNew="-A OUTPUT -o"; iptEst="-A INPUT -i";; *) fatal "Error: Unknown direction: '$dir'." esac iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT done ######################################################################## + commit - # Commit the table 'filter'. - echo COMMIT >> "$new" - local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f local oldz=$(mktemp -t current-rules.v$f.XXXXXX) # Reset the counters. They are not useful for comparing and/or # storing persistent ruleset. (We don't use sed -i because we want # to restore the counters when reverting.) sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \ -e 's/^\[[0-9]+:[0-9]+\]\s+//' \ "$old" > "$oldz" - /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore + /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore || ipt-revert for table in ${tables[$f]}; do /bin/ip netns exec $netns $ipt-save -t $table done > "$new" ipt-diff "$oldz" "$new" || rv1=$? if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]; then rv2=1 else ipt-trim < "$oldz" | ipt-diff - "$persistent" || rv2=$? fi local update="Please run '${0##*/}'." if [ $check -eq 0 ]; then - /usr/bin/uniq "$new" | $ipt-restore + /usr/bin/uniq "$new" | $ipt-restore || ipt-revert else if [ $rv1 -ne 0 ]; then log "WARN: The IPv$f firewall is not up to date! $update" fi if [ $rv2 -ne 0 ]; then log "WARN: The current IPv$f firewall is not persistent! $update" fi fi rm -f "$oldz" "$new" return $(( $rv1 | $rv2 )) } # Parse options while [ $# -gt 0 ]; do case "$1" in -?*) for (( k=1; k<${#1}; k++ )); do o="${1:$k:1}" case "$o" in diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index a64a236..9cae8bf 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -2,20 +2,26 @@ - name: Refresh hostname service: name=hostname.sh state=restarted - name: apt-get update apt: update_cache=yes - name: Reload samhain service: name=samhain state=reloaded - name: Update rkhunter's data file command: /usr/bin/rkhunter --propupd - name: Restart fail2ban service: name=fail2ban state=restarted - name: Missing IPSec certificate fail: msg="strongswan IPsec is lacking public or private keys on '{{ ansible_fqdn }}'." - name: Restart IPSec service: name=ipsec state=restarted + +- name: Reload networking + # /etc/init.d/networking doesn't answer the status command; but since + # it should be "up" whenever ansible has access to the machine, we use + # pattern=init as a dummy assumption. + service: name=networking pattern=init state=reloaded diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml index b1cd9b1..5029932 100644 --- a/roles/common/tasks/firewall.yml +++ b/roles/common/tasks/firewall.yml @@ -7,31 +7,35 @@ - name: Create directory /etc/iptables file: path=/etc/iptables owner=root group=root state=directory mode=0755 - name: Generate /etc/iptables/services template: src=etc/iptables/services.j2 dest=/etc/iptables/services owner=root group=root mode=0600 - name: Copy /usr/local/sbin/update-firewall.sh copy: src=usr/local/sbin/update-firewall.sh dest=/usr/local/sbin/update-firewall.sh owner=root group=root mode=0755 - name: Make the iptable ruleset persistent - copy: src=etc/network/if-pre-up.d/iptables - dest=/etc/network/if-pre-up.d/iptables + copy: src=etc/network/{{ item }} + dest=/etc/network/{{ item }} owner=root group=root mode=0755 + with_items: + - if-pre-up.d/iptables + - if-post-down.d/iptables + - name: Ensure the firewall is up to date command: /usr/local/sbin/update-firewall.sh -c register: rv # A non-zero return value will make ansible stop and show stderr. This # is what we want. changed_when: rv.rc diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index d4270d7..3d7a1dd 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -20,20 +20,36 @@ owner=root group=root mode=0644 notify: - Missing IPSec certificate - name: Configure IPSec's secrets template: src=etc/ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600 notify: - Restart IPSec - name: Configure IPSec template: src=etc/ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644 notify: - Restart IPSec + +- name: Auto-create a dedicated interface for IPSec + copy: src=etc/network/if-up.d/ipsec + dest=/etc/network/if-up.d/ipsec + owner=root group=root + mode=0755 + +# XXX: As of 1.3.1 ansible doesn't accept relative src. +# See https://github.com/ansible/ansible/issues/4459 +- name: Auto-deactivate the dedicated interface for IPSec + file: #src=../if-up.d/ipsec + src=/etc/network/if-up.d/ipsec + dest=/etc/network/if-down.d/ipsec + owner=root group=root state=link + notify: + - Reload networking @@ -1,7 +1,7 @@ ---- +--- # ansible-playbook -i stage_vms site.yml -t rkhunter - name: all hosts: all sudo: True roles: - common |