From 498cf463911712f69699e73b90c2d61ed7950e44 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Mon, 3 Jun 2019 01:01:08 +0200
Subject: [PATCH] Block link-local networks. Block traffic from SSH tunnels to VPN clients (#1458)

---
 roles/common/templates/rules.v4.j2 | 7 +++++++
 roles/common/templates/rules.v6.j2 | 2 ++
 roles/ssh_tunneling/tasks/main.yml | 7 +++++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/roles/common/templates/rules.v4.j2 b/roles/common/templates/rules.v4.j2
index d71f51f..05789b7 100644
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@@ -77,6 +77,13 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+
+# Drop traffic to the link-local network
+-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
+# Drop traffic to the link-local network from SSH tunnels
+-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
index adb59f5..4c42f14 100644
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
@@ -87,6 +87,8 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 -A FORWARD -j ICMPV6-CHECK
 -A FORWARD -p tcp --dport 445 -j DROP
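Review bot: The owner match keys on the literal group id 15000, which is now hard-coded here, again in rules.v6.j2, and as `gid: 15000` in roles/ssh_tunneling/tasks/main.yml, with nothing tying the three copies together; if one is changed later the rules silently match nothing (or the wrong group) and the tunnel users regain reachability to VPN clients and 169.254.0.0/16. Defining the id once, e.g. a group_vars variable (placeholder name `<ssh_tunnel_gid>`) referenced as `--gid-owner {{ <ssh_tunnel_gid> }}` here and `gid: "{{ <ssh_tunnel_gid> }}"` in the task, keeps them in step. A comment above the two OUTPUT rules would also help: `# owner match compares the socket's effective gid, so tunnel users need this as their primary group (see roles/ssh_tunneling)`. Whether these DROPs are reached at all depends on OUTPUT/FORWARD rules earlier in the chain, which are outside the hunk.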
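Review bot: rules.v6.j2 gets only the tunnel-to-client rule and no counterpart of the two link-local rules added to rules.v4.j2 (169.254.0.0/16), so the v4 and v6 rule sets now diverge with no comment saying why. If that is deliberate — IPv6 link-local (fe80::/10) is not routable, so the FORWARD case is arguably moot, though the OUTPUT case for tunnel users is worth confirming — a one-line comment such as `# no link-local rules here: fe80::/10 is not routed, see rules.v4.j2 for the IPv4 case` above the new rule would stop the next reader from "fixing" it; if not, the same FORWARD and OUTPUT DROP pair for fe80::/10 belongs here. The hard-coded gid 15000 is the same issue as in the rules.v4.j2 hunk.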
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index 437fa47..2226bbe 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -14,7 +14,10 @@
 - restart ssh
 - name: Ensure that the algo group exist
- group: name=algo state=present
+ group:
+ name: algo
+ state: present
+ gid: 15000
 - name: Ensure that the jail directory exist
 file:
@@ -28,7 +31,7 @@
 - name: Ensure that the SSH users exist
 user:
 name: "{{ item }}"
- groups: algo
+ group: algo
 home: '/var/jail/{{ item }}'
 createhome: yes
 generate_ssh_key: false
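Review bot: Pinning `gid: 15000` on a group that may already exist from an earlier deploy makes the group module change its gid in place, so directories created under the old gid (the jail homes set up further down in this file) are left with a numeric group that no longer maps to `algo`, and the task fails outright if 15000 is already taken on the host; presumably fine on fresh installs, but the upgrade path should be checked. The number must also equal the `--gid-owner 15000` in both rules templates, which nothing enforces. A comment above the value, `# must match --gid-owner in roles/common/templates/rules.v4.j2 and rules.v6.j2`, or a single variable used by the task and both templates, would document the coupling.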
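Review bot: The switch from `groups: algo` to `group: algo` is what makes the new iptables owner rules match, but nothing in the task says so; as far as I know the iptables owner match compares the socket's effective gid (the process's primary group), so supplementary membership via `groups:` would not have been matched, which is presumably why it was changed. A comment above the line, `# primary group, not supplementary: the --gid-owner rules in roles/common match on the effective gid`, would stop a later cleanup from reverting it. Because `groups:` is no longer set, users created by the old task keep whatever supplementary groups they already had; whether that matters depends on the rest of the role, which is outside the hunk.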