From a592b010350296d06fef987b5bd6b21f7cfca8a8 Mon Sep 17 00:00:00 2001
From: Remi Bergsma <rbergsma@schubergphilis.com>
Date: Mon, 8 Dec 2014 19:06:55 +0100
Subject: [PATCH] made iptables for the VPN connection more secure

Added destination and source definition. Flag -S can be used
to ignore this. It's the new default as it is more secure
and does not impact the way things work (backwords compatible).

(cherry picked from commit ef3b4bb4e3342f166489034fa7149540d2ef1383)
---
 .../config/opt/cloud/bin/ipsectunnel.sh       | 26 +++++++++++++------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
index a95c65ea350..e0af6a2d20f 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -23,7 +23,7 @@ vpnoutmark="0x525"
 vpninmark="0x524"
 
 usage() {
-    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation ]\n" $(basename $0) >&2
+    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation> -S <disable vpn ports iptables> ]\n" $(basename $0) >&2
 }
 
 #set -x
@@ -61,13 +61,16 @@ enable_iptables_subnets() {
   return 0
 }
 
+#
+# Add the right side here to close the gap, so we're sure no one else comes in
+#   also double check the default behaviour of ipsec to drop if wrong....
 check_and_enable_iptables() {
   sudo iptables-save | grep "A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT"
   if [ $? -ne 0 ]
   then
-      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-      sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
       # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
       sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
   fi
@@ -90,9 +93,9 @@ check_and_disable_iptables() {
   if [ $? -ne 0 ]
   then
     #Nobody else use s2s vpn now, so delete the iptables rules
-    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-    sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
     sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
   fi
   return 0
@@ -213,8 +216,9 @@ sflag=
 passive=0
 op=""
 checkup=0
+secure=1
 
-while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
+while getopts 'ADSpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
 do
   case $OPTION in
   A)    opflag=1
@@ -260,6 +264,8 @@ do
         ;;
   c)    checkup=1
         ;;
+  S)    secure=0
+        ;;
   ?)    usage
         exit 2
         ;;
@@ -267,6 +273,10 @@ do
 done
 
 logger -t cloud "$(basename $0): parameters $*"
+if [ $secure -eq 1 ]
+then
+   iptables_secure=" -s $rightpeer -d $leftpeer "
+fi
 
 # get interface for public ip
 ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist