Block link-local networks. Block traffic from SSH tunnels to VPN clients (#1458)

roles/common/templates/rules.v4.j2

@@ -77,6 +77,13 @@ COMMIT
 
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+
+# Drop traffic to the link-local network
+-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
+# Drop traffic to the link-local network from SSH tunnels
+-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
 
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

roles/common/templates/rules.v6.j2

@@ -87,6 +87,8 @@ COMMIT
 
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 
 -A FORWARD -j ICMPV6-CHECK
 -A FORWARD -p tcp --dport 445 -j DROP

roles/ssh_tunneling/tasks/main.yml

@@ -14,7 +14,10 @@
     - restart ssh
 
 - name: Ensure that the algo group exist
-  group: name=algo state=present
+  group:
+    name: algo
+    state: present
+    gid: 15000
 
 - name: Ensure that the jail directory exist
   file:
@@ -28,7 +31,7 @@
   - name: Ensure that the SSH users exist
     user:
       name: "{{ item }}"
-      groups: algo
+      group: algo
       home: '/var/jail/{{ item }}'
       createhome: yes
       generate_ssh_key: false