etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

made iptables for the VPN connection more secure 

Added destination and source definition. Flag -S can be used
to ignore this. It's the new default as it is more secure
and does not impact the way things work (backwords compatible).
This commit is contained in:
Remi Bergsma 2014-12-08 19:06:55 +01:00
parent 7f33f7c396
commit ef3b4bb4e3
1 changed files with 18 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
View File

@ -23,7 +23,7 @@ vpnoutmark="0x525"
vpninmark="0x524"
usage() {
printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation ]\n" $(basename $0) >&2
printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation> -S <disable vpn ports iptables> ]\n" $(basename $0) >&2
}
#set -x
@ -61,13 +61,16 @@ enable_iptables_subnets() {
return 0
}
#
# Add the right side here to close the gap, so we're sure no one else comes in
# also double check the default behaviour of ipsec to drop if wrong....
check_and_enable_iptables() {
sudo iptables-save | grep "A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT"
if [ $? -ne 0 ]
then
sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT
sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
# Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
fi
@ -90,9 +93,9 @@ check_and_disable_iptables() {
if [ $? -ne 0 ]
then
#Nobody else use s2s vpn now, so delete the iptables rules
sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT
sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
fi
return 0
@ -213,8 +216,9 @@ sflag=
passive=0
op=""
checkup=0
secure=1
while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
while getopts 'ADSpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
do
case $OPTION in
A) opflag=1
@ -260,6 +264,8 @@ do
;;
c) checkup=1
;;
S) secure=0
;;
?) usage
exit 2
;;
@ -267,6 +273,10 @@ do
done
logger -t cloud "$(basename $0): parameters $*"
if [ $secure -eq 1 ]
then
iptables_secure=" -s $rightpeer -d $leftpeer "
fi
# get interface for public ip
ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist