1 files changed, 17 insertions, 13 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 0907ffc..1c57646 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -13,42 +13,45 @@
 #
 # This firewall is only targeted towards end-servers, not gateways.  In
 # particular, there is no NAT'ing at the moment.
 #
 # Dependencies: netmask(1)
 #
 # Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
 #
 # Licensed under the GNU GPL version 3 or higher.
 #
 
 set -ue
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
 timeout=10
 
 force=0
 check=0
 verbose=0
 addrfam=
 
+secmark=0xA99   # must match that in /etc/network/if-up.d/ipsec
+secproto=esp    # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp)
+
 fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=' -m policy --dir (in|out) --pol ipsec .* --proto esp -j ACCEPT$'
+IPSec_re=" -m policy --dir (in|out) --pol ipsec .* --proto $secproto -j ACCEPT$"
 declare -A rss=() tables=()
 
 usage() {
     cat >&2 <<- EOF
 		Usage: $0 [OPTIONS]
 
 		Options:
 		    -f force:   no confirmation asked
 		    -c check:   check (dry-run) mode
 		    -v verbose: see the difference between old and new ruleset
 		    -4 IPv4 only
 		    -6 IPv6 only
 	EOF
     exit 1
 }
 
 log() {
     /usr/bin/logger -st firewall -p syslog.info -- "$@"
 }
 fatal() {
@@ -130,47 +133,45 @@ ipt-revert() {
         rm -f "${rss[$f]}"
     done
     exit 1
 }
 
 run() {
     # Build and apply the firewall for IPv4/6.
     local f="$1"
     local ipt=/sbin/$(inet46 $f iptables ip6tables)
     tables[$f]=filter
 
     # The default interface associated with this address.
     local if=$( /bin/ip -$f route show to default scope global \
               | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )
 
     # The virtual interface reserved for IPSec.
     local ifsec=$( /bin/ip -o -$f link show \
                  | sed -nr "/^[0-9]+:\s+(sec[0-9]+)@$if:\s.*/ {s//\1/p;q}" )
 
     # The (host-scoped) IP reserved for IPSec.
-    local ipsec= secmark
+    local ipsec=
     if [ -n "$ifsec" -a $f = 4 ]; then
         tables[$f]='mangle nat filter'
         ipsec=$( /bin/ip -$f address show dev "$ifsec" scope host \
                | sed -nr '/^\s+inet\s(\S+).*/ {s//\1/p;q}' )
-        # /!\ This mark much match that in /etc/network/if-up.d/ipsec.
-        secmark=0xA99
     fi
 
     # Store the old (current) ruleset
     local old=$(mktemp -t current-rules.v$f.XXXXXX) \
           new=$(mktemp -t new-rules.v$f.XXXXXX)
     for table in ${tables[$f]}; do
         $ipt-save -ct $table
     done > "$old"
     rss[$f]="$old"
 
     local fail2ban=0
     # XXX: As of Wheezy, fail2ban is IPv4 only.  See
     #      https://github.com/fail2ban/fail2ban/issues/39 for the current
     #      state of the art.
     if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then
         fail2ban=1
     fi
 
     # The usual chains in filter, along with the desired default policies.
     ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP
@@ -179,43 +180,43 @@ run() {
         # If the interface is not configured, we stop here and DROP all
         # packets by default.  Thanks to the pre-up hook this tight
         # policy will be activated whenever the interface goes up.
         mv "$new" /etc/iptables/rules.v$f
         return 0
     fi
 
     # Fail2ban-specific chains and traps
     if [ $fail2ban -eq 1 ]; then
         echo ":fail2ban - [0:0]"
         # Don't remove existing rules & traps in the current rulest
         grep    -- '^:fail2ban-\S'      "$old" || true
         grep -E -- ' -j fail2ban-\S+$'  "$old" || true
         grep -E -- "$fail2ban_re"       "$old" || true
     fi >> "$new"
 
     if [ -n "$ifsec" ]; then
         # (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6.
         grep -E -- "$IPSec_re" "$old" >> "$new" || true
 
-        # Allow any IPsec ESP protocol packets to be sent and received.
-        iptables -A INPUT  -i $if -p esp -j ACCEPT
-        iptables -A OUTPUT -o $if -p esp -j ACCEPT
+        # Allow any IPsec $secproto protocol packets to be sent and received.
+        iptables -A INPUT  -i $if -p $secproto -j ACCEPT
+        iptables -A OUTPUT -o $if -p $secproto -j ACCEPT
     fi
 
 
     ########################################################################
     # DROP all RFC1918 addresses, martian networks, multicasts, ...
     # Credits to http://newartisans.com/2007/09/neat-tricks-with-iptables/
     #            http://baldric.net/loose-iptables-firewall-for-servers/
 
     local ip
     if [ "$f" = 4 ]; then
         # Private-use networks (RFC 1918) and link local (RFC 3927)
         local MyNetwork=$( /bin/ip -4 address show dev $if scope global \
                          | sed -nr 's/^\s+inet\s(\S+).*/\1/p')
         [ -n "$MyNetwork" ] && \
         for ip in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
             # Don't lock us out if we are behind a NAT ;-)
             [ "$ip" = "$(/usr/bin/netmask -nc $ip $MyNetwork | sed 's/ //g')" ] \
             || iptables -A INPUT -i $if -s "$ip" -j DROP
         done
 
@@ -235,41 +236,42 @@ run() {
         done
     fi
 
     # DROP INVALID packets immediately.
     iptables -A INPUT  -m state --state INVALID -j DROP
     iptables -A OUTPUT -m state --state INVALID -j DROP
 
     # DROP bogus TCP packets.
     iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
     iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
     # Allow all input/output to/from the loopback interface.
     local localhost=$(inet46 $f '127.0.0.1/32' '::1/128')
     iptables -A INPUT  -i lo -s "$localhost" -d "$localhost" -j ACCEPT
     iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
 
     if [ -n "$ipsec" ]; then
         # ACCEPT any, *IPSec* traffic destinating to the non-routable
         # $ipsec.  Also ACCEPT all traffic originating from $ipsec, as
         # it is MASQUERADE'd.
-        iptables -A INPUT  -d "$ipsec" -i $if -m policy --dir in --pol ipsec -j ACCEPT
+        iptables -A INPUT  -d "$ipsec" -i $if -m policy --dir in \
+            --pol ipsec --proto $secproto -j ACCEPT
         iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT
     fi
 
     # Prepare fail2ban.  We make fail2ban insert its rules in a
     # dedicated chain, so that it doesn't mess up the existing rules.
     [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
 
     if [ "$f" = 4 ]; then
         # Allow only ICMP of type 0, 3 and 8.  The rate-limiting is done
         # directly by the kernel (net.ipv4.icmp_ratelimit and
         # net.ipv4.icmp_ratemask runtime options).  See icmp(7).
         local t
         for t in  'echo-reply' 'destination-unreachable' 'echo-request'; do
             iptables -A INPUT  -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT
             iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT
         done
     elif [ $f = 6 ]; then
         iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT
     fi
 
@@ -310,57 +312,59 @@ run() {
         esac
 
         iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT
         iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT
     done
 
     ########################################################################
     commit
 
     if [ -n "$ipsec" ]; then
         # DNAT the IPSec paquets to $ipsec after decapsulation, and SNAT
         # them before encapsulation.  We need to do the NAT'ing before
         # packets enter the IPSec stack because they are signed
         # afterwards, and NAT'ing would mess up the signature.
         ipt-chains mangle PREROUTING:ACCEPT INPUT:ACCEPT \
                           FORWARD:DROP \
                           OUTPUT:ACCEPT POSTROUTING:ACCEPT
 
         # Packets which destination is $ipsec *must* be associated with
         # an IPSec policy.
-        iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in --pol none -j DROP
+        iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in \
+            --pol ipsec --proto $secproto -j ACCEPT
+        iptables -A INPUT -d "$ipsec" -i $if -j DROP
 
         # Packets originating from our (non-routable) $ipsec are marked;
         # if there is no xfrm lookup (i.e., no matching IPSec
         # association), the packet will retain its mark and be null
         # routed later on.  Otherwise, the packet is re-queued unmarked.
         iptables -A OUTPUT -o $if -j MARK --set-mark 0x0
-        iptables -A OUTPUT -s "$ipsec" -o $if  -m policy --dir out --pol none \
-                     -j MARK --set-mark $secmark
+        iptables -A OUTPUT -s "$ipsec" -o $if -m policy --dir out \
+            --pol none -j MARK --set-mark $secmark
         commit
 
         ipt-chains nat PREROUTING:ACCEPT INPUT:ACCEPT \
                        OUTPUT:ACCEPT POSTROUTING:ACCEPT
 
         # DNAT all marked packets after decapsulation.
-        iptables -A PREROUTING \! -d "$ipsec" -i $if \
-                     -m policy --dir in --pol ipsec -j DNAT --to "${ipsec%/*}"
+        iptables -A PREROUTING \! -d "$ipsec" -i $if -m policy --dir in \
+            --pol ipsec --proto $secproto -j DNAT --to "${ipsec%/*}"
 
         # Packets originating from our IPSec are SNAT'ed (MASQUERADE).
         # (And null-routed later on unless there is an xfrm
         # association.)
         iptables -A POSTROUTING -m mark --mark $secmark -o $if -j MASQUERADE
         commit
     fi
 
     ########################################################################
 
 
     local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
     local oldz=$(mktemp -t current-rules.v$f.XXXXXX)
 
     # Reset the counters.  They are not useful for comparing and/or
     # storing persistent ruleset.  (We don't use sed -i because we want
     # to restore the counters when reverting.)
     sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
            -e 's/^\[[0-9]+:[0-9]+\]\s+//' \
            "$old" > "$oldz"