From 7641a5d5d152db349082b1d0ec93a40888b2ef8e Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 23 Jan 2020 04:29:12 +0100 Subject: Convert firewall to nftables. Debian Buster uses the nftables framework by default. --- roles/common/templates/etc/ipsec.conf.j2 | 2 +- roles/common/templates/etc/iptables/services.j2 | 48 ----- .../common/templates/etc/network/if-up.d/ipsec.j2 | 11 +- roles/common/templates/etc/nftables.conf.j2 | 193 +++++++++++++++++++++ 4 files changed, 199 insertions(+), 55 deletions(-) delete mode 100644 roles/common/templates/etc/iptables/services.j2 create mode 100755 roles/common/templates/etc/nftables.conf.j2 (limited to 'roles/common/templates/etc') diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2 index 0ff9fbb..6b3840f 100644 --- a/roles/common/templates/etc/ipsec.conf.j2 +++ b/roles/common/templates/etc/ipsec.conf.j2 @@ -20,7 +20,7 @@ conn %default leftsubnet = {{ ipsec[inventory_hostname_short] | ipv4 }}/32 leftid = {{ inventory_hostname }} leftsigkey = {{ inventory_hostname_short }}.pem - leftfirewall = yes + leftfirewall = no lefthostaccess = yes rightauth = pubkey auto = route diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 deleted file mode 100644 index 6dd5aae..0000000 --- a/roles/common/templates/etc/iptables/services.j2 +++ /dev/null @@ -1,48 +0,0 @@ -# {{ ansible_managed }} -# Do NOT edit this file directly! -# -# direction protocol destination port source port -# (in|out|inout)[46]? (tcp|udp|..) (port|port:port|port,port) (port|port:port|port,port) - -{% if groups.all | length > 1 %} -inout udp 500 500 # ISAKMP -{% if groups.NATed | length > 0 %} -inout4 udp 4500 4500 # IPsec NAT Traversal -{% endif %} -{% endif %} - -out tcp 80,443 # HTTP/HTTPS -out udp 53 # DNS -out tcp 53 # DNS -out udp 67 # DHCP -out tcp 22 # SSH -out udp 123 123 # NTP - -in tcp {{ ansible_port|default('22') }} # SSH -{% if 'LDAP-provider' in group_names %} -in tcp 636 # LDAPS -{% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %} -out tcp 636 # LDAPS -{% endif %} -{% if 'MX' in group_names %} -in tcp 25 # SMTP -{% endif %} -{% if 'out' in group_names or 'MSA' in group_names %} -out tcp 25 # SMTP -{% endif %} -{% if 'IMAP' in group_names %} -in tcp 993 # IMAPS -in tcp 4190 # MANAGESIEVE -out tcp 2703 # Razor2 -{% endif %} -{% if 'MSA' in group_names %} -in tcp 465 # SMTP-AUTH -in tcp 587 # SMTP-AUTH -{% endif %} -{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %} -in tcp 80,443 # HTTP/HTTPS -{% endif %} -{% if 'LDAP-provider' in group_names %} -out tcp 11371 # HKP -out tcp 43 # WHOIS -{% endif %} diff --git a/roles/common/templates/etc/network/if-up.d/ipsec.j2 b/roles/common/templates/etc/network/if-up.d/ipsec.j2 index caa5129..9f183d3 100755 --- a/roles/common/templates/etc/network/if-up.d/ipsec.j2 +++ b/roles/common/templates/etc/network/if-up.d/ipsec.j2 @@ -25,10 +25,9 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin # Only the device with the default, globally-scoped route, is of # interest here. -ip="$( ip -4 -o route show to default scope global \ - | sed -nr '/^default via (\S+) dev (\S+).*/ {s//\2 \1/p;q}' )" -[ "${ip% *}" = "$IFACE" ] || exit 0 -ip="${ip##* }" +iface="$( ip -o route show to default scope global \ + | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" +[ "$iface" = "$IFACE" ] || exit 0 vip="{{ ipsec[inventory_hostname_short] }}" vsubnet="{{ ipsec_subnet }}" @@ -39,9 +38,9 @@ case "$MODE" in # in the absence of xfrm lookup (i.e., when there is no # matching IPsec Security Association). ip route replace prohibit "$vsubnet" proto static || true - ip route replace table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true + ip route replace table 220 to "$vsubnet" dev "$IFACE" proto static src "$vip" || true ;; - stop) ip route del table 220 to "$vsubnet" via "$ip" dev "$IFACE" proto static src "$vip" || true + stop) ip route del table 220 to "$vsubnet" dev "$IFACE" proto static src "$vip" || true ip route del prohibit "$vsubnet" proto static || true ip address del "$vip/32" dev "$IFACE" scope global || true esac diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 new file mode 100755 index 0000000..1e1fde2 --- /dev/null +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -0,0 +1,193 @@ +#!/usr/sbin/nft -f + +define in-tcp-ports = { + {{ ansible_port|default(22) }} +{% if 'MX' in group_names %} + , 25 # SMTP +{% endif %} +{% if 'LDAP-provider' in group_names %} + , 636 # ldaps +{% endif %} +{% if 'IMAP' in group_names %} + , 993 # imaps + , 4190 # ManageSieve +{% endif %} +{% if 'MSA' in group_names %} + , 587 # submission [RFC4409] + , 465 # submission over TLS [RFC8314] +{% endif %} +{% if 'webmail' in group_names or 'lists' in group_names or 'wiki' in group_names or 'nextcloud' in group_names %} + , 80 # HTTP + , 443 # HTTP over SSL/TLS +{% endif %} +} + +define out-tcp-ports = { + 22 + , 80 # HTTP + , 443 # HTTP over SSL/TLS +{% if 'out' in group_names or 'MSA' in group_names %} + , 25 # SMTP +{% endif %} +{% if 'LDAP-provider' in group_names %} + , 11371 # OpenPGP HTTP Keyserver + , 43 # whois +{% elif 'MX' in group_names or 'lists' in group_names or 'nextcloud' in group_names %} + , 636 # ldaps +{% endif %} +{% if 'IMAP' in group_names %} + , 2703 # Razor2 +{% endif %} +} + + +############################################################################### + +flush ruleset + +table inet filter { + # blackholes + set fail2ban { type ipv4_addr; timeout 10m; } + set fail2ban6 { type ipv6_addr; timeout 10m; } + + chain input { + type filter hook input priority 0 + policy drop + + iif lo accept + + # XXX Bullseye: this is a hack for the lack of reqid matches in + # nftables: we mark the esp packet and accept after decapsulation + # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables + # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html + define IPsec.mark = 0x220 + meta l4proto esp mark set mark | $IPsec.mark accept + ip saddr 172.16.0.0/24 ip daddr 172.16.0.7 mark & $IPsec.mark == $IPsec.mark accept + + # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options) + icmp type { echo-reply, echo-request, destination-unreachable } counter accept + icmpv6 type { echo-reply, echo-request, destination-unreachable, + packet-too-big, time-exceeded, parameter-problem } counter accept + + # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1 + icmpv6 type { 133,134,135,136,141,142 } ip6 hoplimit 255 counter accept + + jump martian + jump invalid + + udp sport 123 udp dport 123 ct state related,established accept +{% if groups.all | length > 1 %} + udp sport 500 udp dport 500 ct state new,related,established accept +{% if groups.NATed | length > 0 %} + udp sport 4500 udp dport 4500 ct state new,related,established accept +{% endif %} +{% endif %} + + udp sport 53 ct state related,established accept + tcp sport 53 ct state related,established accept +{% if 'dhclient' in group_names %} + udp sport 67 ct state related,established accept +{% endif %} + + meta l4proto tcp ip saddr @fail2ban counter drop + meta l4proto tcp ip6 saddr @fail2ban6 counter drop + + tcp dport $in-tcp-ports ct state related,established accept + tcp dport $in-tcp-ports ct state new counter accept + tcp sport $out-tcp-ports ct state related,established accept + } + + chain output { + type filter hook output priority 0 + policy drop + + oif lo accept + + # XXX Bullseye: unlike for input we can't use marks here, + # because by the time we see a packet to 172.16.0.0/24 we don't + # know if it'll be encapsulated + meta l4proto esp accept + ip saddr 172.16.0.7 ip daddr 172.16.0.0/24 accept + + meta l4proto { icmp, icmpv6 } accept + + jump martian + jump invalid + + udp sport 123 udp dport 123 ct state new,related,established accept + udp sport 500 udp dport 500 ct state new,related,established accept + udp sport 4500 udp dport 4500 ct state new,related,established accept + + udp dport 53 ct state new,related,established accept + tcp dport 53 ct state new,related,established accept +{% if 'dhclient' in group_names %} + udp dport 67 ct state new,related,established accept +{% endif %} + + tcp sport $in-tcp-ports ct state related,established accept + tcp dport $out-tcp-ports ct state related,established accept + tcp dport $out-tcp-ports ct state new counter accept + + meta l4proto tcp counter reject with tcp reset + meta l4proto udp counter reject + counter reject + } + + chain martian { + # bogon filter (cf. RFC 6890 for non-global ip addresses) + define invalid-ip = { + 0.0.0.0/8 # this host, on this network (RFC 1122 sec. 3.2.1.3) +{% if not ansible_default_ipv4.address | ipaddr('10.0.0.0/8') %} + , 10.0.0.0/8 # private-use (RFC 1918) +{% endif %} + , 100.64.0.0/10 # shared address space (RFC 6598) + , 127.0.0.0/8 # loopback (RFC 1122, sec. 3.2.1.3) + , 169.254.0.0/16 # link local (RFC 3927) +{% if not ansible_default_ipv4.address | ipaddr('172.16.0.0/12') %} + , 172.16.0.0/12 # private-use (RFC 1918) +{% endif %} + , 192.0.0.0/24 # IETF protocol assignments (RFC 6890 sec. 2.1) + , 192.0.2.0/24 # documentation (RFC 5737) +{% if not ansible_default_ipv4.address | ipaddr('192.168.0.0/16') %} + , 192.168.0.0/16 # private-use (RFC 1918) +{% endif %} + , 198.18.0.0/15 # benchmarking (RFC 2544) + , 198.51.100.0/24 # documentation (RFC 5737) + , 203.0.113.0/24 # documentation (RFC 5737) + , 240.0.0.0/4 # reserved (RFC 1112, sec. 4) + , 255.255.255.255/32 # limited broadcast (RFC 0919, section 7) + } + + define invalid-ip6 = { + ::1/128 # loopback address (RFC 4291) + , ::/128 # unspecified (RFC 4291) + , ::ffff:0:0/96 # IPv4-mapped address (RFC 4291) + , 100::/64 # discard-only address block (RFC 6666) + , 2001::/23 # IETF protocol assignments (RFC 2928) + , 2001::/32 # TEREDO (RFC 4380) + , 2001:2::/48 # benchmarking (RFC 5180) + , 2001:db8::/32 # documentation (RFC 3849) + , 2001:10::/28 # ORCHID (RFC 4843) + , 2002::/16 # 6to4 (RFC 3056) + , fc00::/7 # unique-local (RFC 4193) + , fe80::/10 # linked-scoped unicast (RFC 4291) + } + + ip saddr $invalid-ip counter drop + ip daddr $invalid-ip counter drop + + ip6 saddr $invalid-ip6 counter drop + ip6 daddr $invalid-ip6 counter drop + } + + chain invalid { + ct state invalid counter reject + + # drop bogus TCP packets + tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop # null packets + tcp flags != syn ct state new counter drop # SYN-flood attacks + tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop # XMAS packets + tcp flags & (fin|syn) == fin|syn counter drop # bogus + tcp flags & (syn|rst) == syn|rst counter drop # bogus + } +} -- cgit v1.2.3