diff options
| -rw-r--r-- | group_vars/all.yml | 6 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 13 | ||||
| -rw-r--r-- | roles/common/handlers/main.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/ipsec.yml | 28 | ||||
| -rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 2 | ||||
| -rwxr-xr-x | roles/common/templates/etc/network/if-up.d/ipsec.j2 | 6 |
6 files changed, 28 insertions, 29 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml index 9458dc0..a9bfda9 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,25 +1,25 @@ --- postfix_instance: # The keys are the group names associated with a Postfix role, and the # values are the name and group (optional) of the instance dedicated # to that role. IMAP: { name: mda, port: 2526 } MX: { name: mx, group: mta } out: { name: out, group: mta, port: 2525 } MSA: { name: msa } lists: { name: lists, port: 2527 } -# Virtual (non-routable) IPv4 subnet for IPSec. It is always nullrouted -# in the absence of xfrm lookup (i.e., when there is no matching IPSec +# Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted +# in the absence of xfrm lookup (i.e., when there is no matching IPsec # Security Association) to avoid data leaks. ipsec_subnet: 172.16.0.0/24 ipsec: - # Virtual (non-routable) addresses for IPSec. They all need to be + # Virtual (non-routable) addresses for IPsec. They all need to be # distinct and belong to the above subnet 'ipsec_subnet'. antilop: 172.16.0.1 benjamin: 172.16.0.2 civett: 172.16.0.3 elefant: 172.16.0.4 giraff: 172.16.0.5 mistral: 172.16.0.6 diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 7ca9bab..b27e5ce 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -31,41 +31,41 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin timeout=10 force=0 check=0 verbose=0 addrfam= secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp) if [ -x /usr/sbin/ipsec ] && /usr/sbin/ipsec status >/dev/null; then ipsec=y else ipsec=n fi fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' -IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" +IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" declare -A rss=() tables=() usage() { cat >&2 <<- EOF Usage: $0 [OPTIONS] Options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only EOF exit 1 } log() { /usr/bin/logger -st firewall -p user.info -- "$@" } fatal() { @@ -87,41 +87,41 @@ inet46() { 4) echo "$2";; 6) echo "$3";; esac } ipt-chains() { # Define new (tables and) chains. while [ $# -gt 0 ]; do case "$1" in ?*:*) echo ":${1%:*} ${1##*:} [0:0]";; ?*) echo "*$1";; esac shift done >> "$new" } ipt-trim() { # Remove dynamic chain/rules from the input stream, as they are # automatically included by third-party servers (such as strongSwan # or fail2ban). The output is ready to be made persistent. grep -Ev -e '^:fail2ban-\S' \ - -e "$IPSec_re" \ + -e "$IPsec_re" \ -e '-j fail2ban-\S+$' \ -e "$fail2ban_re" } ipt-diff() { # Get the difference between two rulesets. if [ $verbose -eq 1 ]; then /usr/bin/diff -u -I '^#' "$1" "$2" else /usr/bin/diff -q -I '^#' "$1" "$2" >/dev/null fi } ipt-persist() { # Make the current ruleset persistent. (Requires a pre-up hook # script to load the rules before the network is configured.) log "Making ruleset persistent... " [ -d /etc/iptables ] || mkdir /etc/iptables @@ -180,63 +180,62 @@ run() { if [ ! "$if" ]; then # If the interface is not configured, we stop here and DROP all # packets by default. Thanks to the pre-up hook this tight # policy will be activated whenever the interface goes up. commit mv "$new" /etc/iptables/rules.v$f return 0 fi # Fail2ban-specific chains and traps if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest grep -- '^:fail2ban-\S' "$old" || true grep -E -- ' -j fail2ban-\S+$' "$old" || true grep -E -- "$fail2ban_re" "$old" || true fi >> "$new" if [ "$f" = 4 -a "$ipsec" = y ]; then - # Our IPSec tunnels are IPv4 only. - # (Host-to-host) IPSec tunnels come first. - grep -E -- "$IPSec_re" "$old" >> "$new" || true + # IPsec tunnels come first (IPv4 only). + grep -E -- "$IPsec_re" "$old" >> "$new" || true # Allow any IPsec $secproto protocol packets to be sent and received. iptables -A INPUT -i $if -p $secproto -j ACCEPT iptables -A OUTPUT -o $if -p $secproto -j ACCEPT fi ######################################################################## # DROP all RFC1918 addresses, martian networks, multicasts, ... # Credits to http://newartisans.com/2007/09/neat-tricks-with-iptables/ # http://baldric.net/loose-iptables-firewall-for-servers/ local ip if [ "$f" = 4 -a "$ipsec" = y ]; then # Private-use networks (RFC 1918) and link local (RFC 3927) - local MyIPSec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )" + local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )" local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \ | sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \ | while read ip; do - for ips in $MyIPSec; do + for ips in $MyIPsec; do [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip" done done )" [ "$MyNetwork" ] && \ for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do # Don't lock us out if we are behind a NAT ;-) for myip in $MyNetwork; do [ "$ip" = "$(/usr/bin/netmask -nc "$ip" "$myip" | sed 's/^ *//')" ] \ || iptables -A INPUT -i $if -s "$ip" -j DROP done done # Other martian packets: "This" network, multicast, broadcast (RFCs # 1122, 3171 and 919). for ip in 0.0.0.0/8 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32; do iptables -A INPUT -i $if -s "$ip" -j DROP iptables -A INPUT -i $if -d "$ip" -j DROP done diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 250c77b..73877f8 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -6,41 +6,41 @@ command: /bin/systemctl daemon-reload - name: Refresh hostname service: name=hostname.sh state=restarted - name: apt-get update apt: update_cache=yes - name: Reload samhain service: name=samhain state=reloaded - name: Update rkhunter's data file command: /usr/bin/rkhunter --propupd - name: Update firewall command: /usr/local/sbin/update-firewall.sh -c - name: Restart fail2ban service: name=fail2ban state=restarted -- name: Restart IPSec +- name: Restart IPsec service: name=ipsec state=restarted - name: Reload networking # /etc/init.d/networking doesn't answer the status command; but since # it should be "up" whenever ansible has access to the machine, we use # pattern=init as a dummy assumption. service: name=networking pattern=init state=reloaded - name: Restart rsyslog service: name=rsyslog state=restarted - name: Restart ntp service: name=ntp state=restarted - name: Restart Postfix service: name=postfix state=restarted - name: Reload Postfix service: name=postfix state=reloaded diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index ca03c98..ce158fe 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -1,95 +1,95 @@ - name: Install strongSwan apt: pkg={{ item }} with_items: - strongswan-charon # for the GCM and openssl plugins - libstrongswan-standard-plugins notify: - Update firewall - - Restart IPSec + - Restart IPsec -- name: Auto-create a dedicated virtual subnet for IPSec +- name: Auto-create a dedicated virtual subnet for IPsec template: src=etc/network/if-up.d/ipsec.j2 dest=/etc/network/if-up.d/ipsec owner=root group=root mode=0755 notify: - Reload networking -- name: Auto-deactivate the dedicated virtual subnet for IPSec +- name: Auto-deactivate the dedicated virtual subnet for IPsec file: src=../if-up.d/ipsec dest=/etc/network/if-down.d/ipsec owner=root group=root state=link force=yes - meta: flush_handlers -- name: Configure IPSec +- name: Configure IPsec template: src=etc/ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644 register: r1 notify: - - Restart IPSec + - Restart IPsec -- name: Configure IPSec's secrets +- name: Configure IPsec's secrets template: src=etc/ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600 register: r2 notify: - - Restart IPSec + - Restart IPsec - name: Configure Charon copy: src=etc/strongswan.d/{{ item }} dest=/etc/strongswan.d/{{ item }} owner=root group=root mode=0644 with_items: - charon.conf - charon/socket-default.conf register: r3 notify: - - Restart IPSec + - Restart IPsec -- name: Generate a key pair for IPSec public key authentication +- name: Generate a key pair for IPsec public key authentication command: genkeypair.sh keypair --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key -t rsa -b 4096 register: r4 changed_when: r4.rc == 0 failed_when: r4.rc > 1 notify: - - Restart IPSec + - Restart IPsec tags: - genkey -- name: Fetch the public part of IPSec host key +- name: Fetch the public part of IPsec host key # Ensure we don't fetch private data become: False fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem dest=certs/ipsec/{{ inventory_hostname_short }}.pem fail_on_missing=yes flat=yes tags: - genkey # Don't copy our pubkey due to a possible race condition. Only the # remote machine has authority regarding its key. -- name: Copy the public part of IPSec peers' key +- name: Copy the public part of IPsec peers' key copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem owner=root group=root mode=0644 with_items: "{{ groups.all | difference([inventory_hostname]) }}" register: r5 tags: - genkey notify: - - Restart IPSec + - Restart IPsec -- name: Start IPSec +- name: Start IPsec service: name=ipsec state=started when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index ccbc735..247f98a 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -1,30 +1,30 @@ # {{ ansible_managed }} # Do NOT edit this file directly! # # direction protocol destination port source port # (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port) {% if groups.all | length > 1 %} inout4 udp 500 500 # ISAKMP {% if groups.NATed | length > 0 %} -inout4 udp 4500 4500 # IPSec NAT Traversal +inout4 udp 4500 4500 # IPsec NAT Traversal {% endif %} {% endif %} out tcp 80,443 # HTTP/HTTPS out tcp 9418 # GIT out udp 53 # DNS out udp 67 # DHCP out tcp 22 # SSH out udp 123 123 # NTP in tcp {{ ansible_port|default('22') }} # SSH {% if 'LDAP-provider' in group_names %} in tcp 636 # LDAPS {% elif 'MX' in group_names or 'lists' in group_names %} out tcp 636 # LDAPS {% endif %} {% if 'MX' in group_names %} in tcp 25 # SMTP {% if 'MDA' not in group_names %} out tcp {{ postfix_instance.IMAP.port }} diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2 index 7dd41d4..caa5129 100755 --- a/roles/common/templates/etc/network/if-up.d/ipsec.j2 +++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2 @@ -1,47 +1,47 @@ #!/bin/sh # A post-up/down hook to automatically create/delete a virtual subnet -# for IPSec (inet4 only). +# for IPsec (inet4 only). # Copyright © 2016 Guilhem Moulin <guilhem@fripost.org> # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin # Ignore the loopback interface and non inet4 families. [ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0 # Only the device with the default, globally-scoped route, is of # interest here. ip="$( ip -4 -o route show to default scope global \ | sed -nr '/^default via (\S+) dev (\S+).*/ {s//\2 \1/p;q}' )" [ "${ip% *}" = "$IFACE" ] || exit 0 ip="${ip##* }" vip="{{ ipsec[inventory_hostname_short] }}" vsubnet="{{ ipsec_subnet }}" case "$MODE" in start) ip address add "$vip/32" dev "$IFACE" scope global || true - # Nullroute the subnet used for IPSec to avoid data leaks + # Nullroute the subnet used for IPsec to avoid data leaks # in the absence of xfrm lookup (i.e., when there is no - # matching IPSec Security Association). + # matching IPsec Security Association). ip route replace prohibit "$vsubnet" proto static || true ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true ;; stop) ip route del table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true ip route del prohibit "$vsubnet" proto static || true ip address del "$vip/32" dev "$IFACE" scope global || true esac |