made iptables for the VPN connection more secure

Added destination and source definition. Flag -S can be used to ignore this. It's the new default as it is more secure and does not impact the way things work (backwords compatible). (cherry picked from commit ef3b4bb4e3)
2014-12-08 19:06:55 +01:00 · 2014-12-08 19:06:55 +01:00 · a592b01035
parent 85ba1f76a4
commit a592b01035
1 changed files with 18 additions and 8 deletions
--- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
@ -23,7 +23,7 @@ vpnoutmark="0x525"
 vpninmark="0x524"

 usage() {
-    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation ]\n" $(basename $0) >&2
+    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation> -S <disable vpn ports iptables> ]\n" $(basename $0) >&2
 }

 #set -x
@ -61,13 +61,16 @@ enable_iptables_subnets() {
  return 0
 }

+#
+# Add the right side here to close the gap, so we're sure no one else comes in
+#   also double check the default behaviour of ipsec to drop if wrong....
 check_and_enable_iptables() {
  sudo iptables-save | grep "A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT"
  if [ $? -ne 0 ]
  then
-      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-      sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
      # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
      sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
  fi
@ -90,9 +93,9 @@ check_and_disable_iptables() {
  if [ $? -ne 0 ]
  then
    #Nobody else use s2s vpn now, so delete the iptables rules
-    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-    sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
    sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
  fi
  return 0
@ -213,8 +216,9 @@ sflag=
 passive=0
 op=""
 checkup=0
+secure=1

-while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
+while getopts 'ADSpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
 do
  case $OPTION in
  A)    opflag=1
@ -260,6 +264,8 @@ do
        ;;
  c)    checkup=1
        ;;
+  S)    secure=0
+        ;;
  ?)    usage
        exit 2
        ;;
@ -267,6 +273,10 @@ do
 done

 logger -t cloud "$(basename $0): parameters $*"
+if [ $secure -eq 1 ]
+then
+   iptables_secure=" -s $rightpeer -d $leftpeer "
+fi

 # get interface for public ip
 ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist