diff options
| -rwxr-xr-x | roles/common/files/etc/network/if-up.d/ipsec | 4 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 4 | ||||
| -rw-r--r-- | roles/common/templates/etc/fail2ban/jail.local.j2 | 6 |
3 files changed, 7 insertions, 7 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec index a43af6c..db9f979 100755 --- a/roles/common/files/etc/network/if-up.d/ipsec +++ b/roles/common/files/etc/network/if-up.d/ipsec @@ -25,35 +25,35 @@ secmark=0xA99 [ "$( /bin/ip -4 route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \ = \ "$IFACE" ] || exit 0 case "$MODE" in start) # Don't create $ifsec if it's already there if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then # Create a new VLAN $IFACE on physical device $ifsec. This is # required otherwise charon thinks the left peer is that # host-scoped, non-routable IP. /bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713 /bin/ip address add "$ipsec" dev "$ifsec" scope host /bin/ip link set dev "$ifsec" up fi # If a packet retained its mark that far, it means it has # been SNAT'ed from $ipsec, and didn't have a xfrm # association. Hence we nullroute it to avoid to leak data # intented to be tunneled through IPSec. /!\ The priority - # must be >220 (strongSwan IPSec's policy) since xfrm lookup - # must take precedence. + # must be >220 (which the one used by strongSwan IPSec) since + # xfrm lookup must take precedence. /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true /bin/ip route add prohibit default table 666 || true ;; stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then # Deactivate the VLAN /bin/ip link set dev "$ifsec" down fi # Delete the 'prohibit' rule /bin/ip rule del fwmark "$secmark" table 666 priority 666 || true /bin/ip route flush table 666 ;; esac diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 1c57646..2e16711 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -17,41 +17,41 @@ # Dependencies: netmask(1) # # Copyright 2013 Guilhem Moulin <guilhem@fripost.org> # # Licensed under the GNU GPL version 3 or higher. # set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin timeout=10 force=0 check=0 verbose=0 addrfam= secmark=0xA99 # must match that in /etc/network/if-up.d/ipsec secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp) fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' -IPSec_re=" -m policy --dir (in|out) --pol ipsec .* --proto $secproto -j ACCEPT$" +IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" declare -A rss=() tables=() usage() { cat >&2 <<- EOF Usage: $0 [OPTIONS] Options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only EOF exit 1 } log() { /usr/bin/logger -st firewall -p syslog.info -- "$@" } fatal() { @@ -176,41 +176,41 @@ run() { # The usual chains in filter, along with the desired default policies. ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP if [ -z "$if" ]; then # If the interface is not configured, we stop here and DROP all # packets by default. Thanks to the pre-up hook this tight # policy will be activated whenever the interface goes up. mv "$new" /etc/iptables/rules.v$f return 0 fi # Fail2ban-specific chains and traps if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest grep -- '^:fail2ban-\S' "$old" || true grep -E -- ' -j fail2ban-\S+$' "$old" || true grep -E -- "$fail2ban_re" "$old" || true fi >> "$new" - if [ -n "$ifsec" ]; then + if [ -n "$ipsec" ]; then # (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6. grep -E -- "$IPSec_re" "$old" >> "$new" || true # Allow any IPsec $secproto protocol packets to be sent and received. iptables -A INPUT -i $if -p $secproto -j ACCEPT iptables -A OUTPUT -o $if -p $secproto -j ACCEPT fi ######################################################################## # DROP all RFC1918 addresses, martian networks, multicasts, ... # Credits to http://newartisans.com/2007/09/neat-tricks-with-iptables/ # http://baldric.net/loose-iptables-firewall-for-servers/ local ip if [ "$f" = 4 ]; then # Private-use networks (RFC 1918) and link local (RFC 3927) local MyNetwork=$( /bin/ip -4 address show dev $if scope global \ | sed -nr 's/^\s+inet\s(\S+).*/\1/p') [ -n "$MyNetwork" ] && \ diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 1cbcd88..0dcab8d 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -3,47 +3,47 @@ [DEFAULT] # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = admin@fripost.org # Specify chain where jumps would need to be added in iptables-* actions chain = fail2ban # Choose default action. action = %(action_)s # # JAILS # [ssh] enabled = true -port = {{ ansible_ssh_port|default('22') }} -filter = sshd +port = {{ ansible_ssh_port|default('22') }} +filter = sshd logpath = /var/log/auth.log maxretry = 5 [ssh-ddos] enabled = true port = {{ ansible_ssh_port|default('22') }} filter = sshd-ddos logpath = /var/log/auth.log maxretry = 2 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = true # pam-generic filter can be customized to monitor specific subset of 'tty's -filter = pam-generic +filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6 |