-rw-r--r-- | group_vars/all.yml | 6 | ||||
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 13 | ||||
-rw-r--r-- | roles/common/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/common/tasks/ipsec.yml | 28 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 2 | ||||
-rwxr-xr-x | roles/common/templates/etc/network/if-up.d/ipsec.j2 | 6 |
6 files changed, 28 insertions, 29 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 9458dc0..a9bfda9 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -10,12 +10,12 @@ postfix_instance:
   lists: { name: lists, port: 2527 }
-# Virtual (non-routable) IPv4 subnet for IPSec. It is always nullrouted
-# in the absence of xfrm lookup (i.e., when there is no matching IPSec
+# Virtual (non-routable) IPv4 subnet for IPsec. It is always nullrouted
+# in the absence of xfrm lookup (i.e., when there is no matching IPsec
 # Security Association) to avoid data leaks.
 ipsec_subnet: 172.16.0.0/24
 ipsec:
-  # Virtual (non-routable) addresses for IPSec. They all need to be
+  # Virtual (non-routable) addresses for IPsec. They all need to be
   # distinct and belong to the above subnet 'ipsec_subnet'.
   antilop: 172.16.0.1
   benjamin: 172.16.0.2
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 7ca9bab..b27e5ce 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -48,7 +48,7 @@ else
 fi
 fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
+IPsec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
 declare -A rss=() tables=()
 usage() {
@@ -104,7 +104,7 @@ ipt-trim() {
     # automatically included by third-party servers (such as strongSwan
     # or fail2ban). The output is ready to be made persistent.
     grep -Ev -e '^:fail2ban-\S' \
-            -e "$IPSec_re" \
+            -e "$IPsec_re" \
             -e '-j fail2ban-\S+$' \
             -e "$fail2ban_re"
 }
@@ -197,9 +197,8 @@ run() {
     fi >> "$new"
     if [ "$f" = 4 -a "$ipsec" = y ]; then
-        # Our IPSec tunnels are IPv4 only.
-        # (Host-to-host) IPSec tunnels come first.
-        grep -E -- "$IPSec_re" "$old" >> "$new" || true
+        # IPsec tunnels come first (IPv4 only).
+        grep -E -- "$IPsec_re" "$old" >> "$new" || true
         # Allow any IPsec $secproto protocol packets to be sent and received.
         iptables -A INPUT -i $if -p $secproto -j ACCEPT
@@ -215,11 +214,11 @@ run() {
         local ip
         if [ "$f" = 4 -a "$ipsec" = y ]; then
             # Private-use networks (RFC 1918) and link local (RFC 3927)
-            local MyIPSec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
+            local MyIPsec="$( /bin/ip -4 -o route show table 220 dev $if | sed 's/\s.*//' )"
             local MyNetwork="$( /bin/ip -4 -o address show dev $if scope global \
                               | sed -nr "s/^[0-9]+:\s+$if\s+inet\s(\S+).*/\1/p" \
                               | while read ip; do
-                                    for ips in $MyIPSec; do
+                                    for ips in $MyIPsec; do
                                         [ "$ips" = "$(/usr/bin/netmask -nc "$ip" "$ips" | sed 's/^ *//')" ] || echo "$ip"
                                     done
                                 done
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 250c77b..73877f8 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -23,7 +23,7 @@
 - name: Restart fail2ban
   service: name=fail2ban state=restarted
-- name: Restart IPSec
+- name: Restart IPsec
   service: name=ipsec state=restarted
 - name: Reload networking
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index ca03c98..ce158fe 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -6,9 +6,9 @@
     - libstrongswan-standard-plugins
   notify:
     - Update firewall
-    - Restart IPSec
+    - Restart IPsec
-- name: Auto-create a dedicated virtual subnet for IPSec
+- name: Auto-create a dedicated virtual subnet for IPsec
   template: src=etc/network/if-up.d/ipsec.j2
             dest=/etc/network/if-up.d/ipsec
             owner=root group=root
@@ -16,7 +16,7 @@
   notify:
     - Reload networking
-- name: Auto-deactivate the dedicated virtual subnet for IPSec
+- name: Auto-deactivate the dedicated virtual subnet for IPsec
   file: src=../if-up.d/ipsec
         dest=/etc/network/if-down.d/ipsec
         owner=root group=root
         state=link force=yes
@@ -24,23 +24,23 @@
 - meta: flush_handlers
-- name: Configure IPSec
+- name: Configure IPsec
   template: src=etc/ipsec.conf.j2
             dest=/etc/ipsec.conf
             owner=root group=root
             mode=0644
   register: r1
   notify:
-    - Restart IPSec
+    - Restart IPsec
-- name: Configure IPSec's secrets
+- name: Configure IPsec's secrets
   template: src=etc/ipsec.secrets.j2
             dest=/etc/ipsec.secrets
             owner=root group=root
             mode=0600
   register: r2
   notify:
-    - Restart IPSec
+    - Restart IPsec
 - name: Configure Charon
   copy: src=etc/strongswan.d/{{ item }}
@@ -52,9 +52,9 @@
     - charon/socket-default.conf
   register: r3
   notify:
-    - Restart IPSec
+    - Restart IPsec
-- name: Generate a key pair for IPSec public key authentication
+- name: Generate a key pair for IPsec public key authentication
   command: genkeypair.sh keypair
            --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
            --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
@@ -63,11 +63,11 @@
   changed_when: r4.rc == 0
   failed_when: r4.rc > 1
   notify:
-    - Restart IPSec
+    - Restart IPsec
   tags:
     - genkey
-- name: Fetch the public part of IPSec host key
+- name: Fetch the public part of IPsec host key
   # Ensure we don't fetch private data
   become: False
   fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
@@ -78,7 +78,7 @@
 # Don't copy our pubkey due to a possible race condition. Only the
 # remote machine has authority regarding its key.
-- name: Copy the public part of IPSec peers' key
+- name: Copy the public part of IPsec peers' key
   copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
         dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
         owner=root group=root
@@ -88,8 +88,8 @@
   tags:
     - genkey
   notify:
-    - Restart IPSec
+    - Restart IPsec
-- name: Start IPSec
+- name: Start IPsec
   service: name=ipsec state=started
   when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index ccbc735..247f98a 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -7,7 +7,7 @@
 {% if groups.all | length > 1 %}
 inout4 udp 500 500 # ISAKMP
 {% if groups.NATed | length > 0 %}
-inout4 udp 4500 4500 # IPSec NAT Traversal
+inout4 udp 4500 4500 # IPsec NAT Traversal
 {% endif %}
 {% endif %}
diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2
index 7dd41d4..caa5129 100755
--- a/roles/common/templates/etc/network/if-up.d/ipsec.j2
+++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2
@@ -1,7 +1,7 @@
 #!/bin/sh
 # A post-up/down hook to automatically create/delete a virtual subnet
-# for IPSec (inet4 only).
+# for IPsec (inet4 only).
 # Copyright © 2016 Guilhem Moulin <guilhem@fripost.org>
 #
 # This program is free software: you can redistribute it and/or modify
@@ -35,9 +35,9 @@ vsubnet="{{ ipsec_subnet }}"
 case "$MODE" in
     start)
         ip address add "$vip/32" dev "$IFACE" scope global || true
-        # Nullroute the subnet used for IPSec to avoid data leaks
+        # Nullroute the subnet used for IPsec to avoid data leaks
         # in the absence of xfrm lookup (i.e., when there is no
-        # matching IPSec Security Association).
+        # matching IPsec Security Association).
         ip route replace prohibit "$vsubnet" proto static || true
         ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true
         ;;
|