diff options
Diffstat (limited to 'roles/common/files/usr/local/sbin')
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 68 |
1 files changed, 33 insertions, 35 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index c6d9de8..a8123f9 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -124,100 +124,69 @@ ipt-revert() { [ $check -eq 0 ] || return log "Reverting to old ruleset... " local rs for f in "${!rss[@]}"; do /sbin/$(inet46 $f iptables ip6tables)-restore -c < "${rss[$f]}" rm -f "${rss[$f]}" done exit 1 } run() { # Build and apply the firewall for IPv4/6. local f="$1" local ipt=/sbin/$(inet46 $f iptables ip6tables) tables[$f]=filter # The default interface associated with this address. local if=$( /bin/ip -$f route show to default scope global \ | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' ) - [ -n "$if" ] || return 0 # The virtual interface reserved for IPSec. local ifsec=$( /bin/ip -o -$f link show \ | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" ) # The (host-scoped) IP reserved for IPSec. - local ipsec= secmark + local ipsec= if [ -n "$ifsec" -a $f = 4 ]; then tables[$f]='mangle nat filter' ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \ | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' ) - secmark=0x1 fi # Store the old (current) ruleset local old=$(mktemp -t current-rules.v$f.XXXXXX) \ new=$(mktemp -t new-rules.v$f.XXXXXX) for table in ${tables[$f]}; do $ipt-save -ct $table done > "$old" rss[$f]="$old" local fail2ban=0 # XXX: As of Wheezy, fail2ban is IPv4 only. See # https://github.com/fail2ban/fail2ban/issues/39 for the current # state of the art. if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then fail2ban=1 fi - if [ -n "$ipsec" ]; then - # DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT - # them before encapsulation. We need to do the NAT'ing before - # packets enter the IPSec stack because they are signed - # afterwards, and NAT'ing would mess up the signature. - ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \ - FORWARD:DROP \ - OUTPUT:ACCEPT POSTROUTING:ACCEPT - # Mark all IPSec packets to keep track of them and NAT them - # after decapsulation. Unmarked packets that are to be sent to - # $ipsec are dropped. - iptables -A PREROUTING -p esp -j MARK --set-mark $secmark - iptables -A INPUT -d "$ipsec" -m mark \! --mark $secmark -j DROP - commit - - ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \ - OUTPUT:ACCEPT POSTROUTING:ACCEPT - # DNAT all marked packets that have been decapsulated. Packets - # originating from our IPSec are SNAT'ed (MASQUERADE). XXX: - # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't - # DROP packets not matching an IPSec policy. However, any reply - # not going through IPSec would be dropped (since unmarked); - # this is the best we can do for now. - iptables -A PREROUTING \! -p esp -m mark --mark "$secmark" \ - -j DNAT --to "${ipsec%/*}" - iptables -A POSTROUTING -s "$ipsec" -j MASQUERADE - commit - fi - # The usual chains in filter, along with the desired default policies. ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP if [ -z "$if" ]; then # If the interface is not configured, we stop here and DROP all # packets by default. Thanks to the pre-up hook this tight # policy will be activated whenever the interface goes up. mv "$new" /etc/iptables/rules.v$f return 0 fi # Fail2ban-specific chains and traps if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest grep -- '^:fail2ban-\S' "$old" || true grep -E -- ' -j fail2ban-\S+$' "$old" || true grep -E -- "$fail2ban_re" "$old" || true fi >> "$new" @@ -261,45 +230,45 @@ run() { for ip in fc00::/7 fec0::/10; do iptables -A INPUT -i $if -s "$ip" -j DROP iptables -A INPUT -i $if -d "$ip" -j DROP done fi # DROP INVALID packets immediately. iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP # DROP bogus TCP packets. iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP # Allow all input/output to/from the loopback interface. local localhost=$(inet46 $f '127.0.0.1/32' '::1/128') iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT if [ -n "$ipsec" ]; then - # ACCEPT any, *marked* traffic destinating to the non-routable + # ACCEPT any, *IPSec* traffic destinating to the non-routable # $ipsec. Also ACCEPT all traffic originating from $ipsec, as # it is MASQUERADE'd. - iptables -A INPUT -i "$if" -d "$ipsec" -m mark --mark "$secmark" -j ACCEPT - iptables -A OUTPUT -s "$ipsec" -o "$if" -j ACCEPT + iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT + iptables -A OUTPUT -s "$ipsec" -o $if -j ACCEPT fi # Prepare fail2ban. We make fail2ban insert its rules in a # dedicated chain, so that it doesn't mess up the existing rules. [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban if [ "$f" = 4 ]; then # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done # directly by the kernel (net.ipv4.icmp_ratelimit and # net.ipv4.icmp_ratemask runtime options). See icmp(7). local t for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do iptables -A INPUT -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT done elif [ $f = 6 ]; then iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT fi @@ -328,40 +297,69 @@ run() { esac case "$sport" in *,*|*:*) optsNew+=" --match multiport --sports $sport" optsEst+=" --match multiport --dports $sport";; ?*) optsNew+=" --sport $sport" optsEst+=" --dport $sport";; esac case "$dir" in in|inout) iptNew="-A INPUT -i"; iptEst="-A OUTPUT -o";; out) iptNew="-A OUTPUT -o"; iptEst="-A INPUT -i";; *) fatal "Error: Unknown direction: '$dir'." esac iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT done ######################################################################## commit + if [ -n "$ipsec" ]; then + # DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT + # them before encapsulation. We need to do the NAT'ing before + # packets enter the IPSec stack because they are signed + # afterwards, and NAT'ing would mess up the signature. + ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \ + FORWARD:DROP \ + OUTPUT:ACCEPT POSTROUTING:ACCEPT + # Packets which destination is $ipsec *must* be associated with + # an IPSec policy. + iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP + commit + + ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \ + OUTPUT:ACCEPT POSTROUTING:ACCEPT + # DNAT all marked packets after decapsulation. Packets + # originating from our IPSec are SNAT'ed (MASQUERADE). XXX: + # xfrm lookup occurs *after* NAT POSTROUTING, so sadly we can't + # DROP packets not matching an IPSec policy. However, any reply + # not going through IPSec would be DROPped (thanks to the rule + # in mangle:INPUT above); this is the best we can do for now. + iptables -A PREROUTING \! -d "$ipsec" -i $if \ + -m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}" + iptables -A POSTROUTING -s "$ipsec" -o $if -j MASQUERADE + commit + fi + + ######################################################################## + local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f local oldz=$(mktemp -t current-rules.v$f.XXXXXX) # Reset the counters. They are not useful for comparing and/or # storing persistent ruleset. (We don't use sed -i because we want # to restore the counters when reverting.) sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \ -e 's/^\[[0-9]+:[0-9]+\]\s+//' \ "$old" > "$oldz" /usr/bin/uniq "$new" | /bin/ip netns exec $netns $ipt-restore || ipt-revert for table in ${tables[$f]}; do /bin/ip netns exec $netns $ipt-save -t $table done > "$new" ipt-diff "$oldz" "$new" || rv1=$? if ! [ -f "$persistent" -a -x /etc/network/if-pre-up.d/iptables ]; then |