diff --git a/Dockerfile b/Dockerfile
index 14036294..6fa1d0fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,7 @@ RUN apk --no-cache add ${BUILD_PACKAGES} && \
 python -m pip --no-cache-dir install virtualenv && \
 python -m virtualenv env && \
 source env/bin/activate && \
- python -m pip --no-cache-dir install -r requirements.txt --no-use-pep51 && \
+ python -m pip --no-cache-dir install -r requirements.txt && \
 apk del ${BUILD_PACKAGES}
 COPY . .
 RUN chmod 0755 /algo/algo-docker.sh
diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md
index f26de00d..8429430a 100644
--- a/docs/deploy-from-ansible.md
+++ b/docs/deploy-from-ansible.md
@@ -83,9 +83,11 @@ Note: The `strongswan` role generates Apple profiles with On-Demand Wifi and Cel
 - role: local, provider: local
-Required variables:
+This role is intended to be run for local install onto an Ubuntu server, or onto an unsupported cloud provider's Ubuntu instance. Required variables:
-- server - IP address of your server
+- server - IP address of your server (or "localhost" if deploying to the local machine)
+- endpoint - public IP address of the server you're installing on
+- ssh_user - name of the SSH user you will use to install on the machine (passwordless login required). If `server=localhost`, this isn't required.
 - ca_password - Password for the private CA key
 Note that by default, the iptables rules on your existing server will be overwritten. If you don't want to overwrite the iptables rules, you can use the `--skip-tags iptables` flag.
@@ -249,16 +251,6 @@ Required variables:
 You need to source the rc file prior to run Algo. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)
-
-### Local
-
-Required variables:
-
-- server - IP or hostname to access the server via SSH
-
-- endpoint - Public IP address or domain name of your server
-
-- ssh_user - -
 ### Update users
 Playbook: 
diff --git a/roles/common/templates/rules.v4.j2 b/roles/common/templates/rules.v4.j2
index d71f51fb..05789b7f 100644
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@@ -77,6 +77,13 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+
+# Drop traffic to the link-local network
+-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
+# Drop traffic to the link-local network from SSH tunnels
+-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
index adb59f5d..4c42f14e 100644
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
@@ -87,6 +87,8 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 -A FORWARD -j ICMPV6-CHECK
 -A FORWARD -p tcp --dport 445 -j DROP
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index 437fa47f..2226bbe7 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -14,7 +14,10 @@
 - restart ssh
 - name: Ensure that the algo group exist
- group: name=algo state=present
+ group:
+ name: algo
+ state: present
+ gid: 15000
 - name: Ensure that the jail directory exist
 file: 
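Review bot: The gid 15000 on the two added `-m owner --gid-owner 15000` OUTPUT rules is a literal that is repeated in the rules.v6.j2 hunk and in `gid: 15000` of the group task in roles/ssh_tunneling/tasks/main.yml, so editing any one of the three on its own makes the owner match silently stop matching and tunnel users regain reach to the VPN subnets and 169.254.0.0/16. Rendering the number in both templates and in the group task from one Ansible variable (`<shared_algo_gid_variable>`, whatever name the roles already use for this) would remove that drift. The comment `# Drop traffic to VPN clients from SSH tunnels` is also slightly misleading because the target follows BetweenClients_DROP and may be ACCEPT; `# Isolate SSH tunnel users from VPN clients (DROP only when BetweenClients_DROP is set)` describes what is rendered, and the same wording applies to the rules.v6.j2 hunk. The owner match only sees locally generated packets, so the FORWARD rule is what covers VPN-client-originated traffic to 169.254.0.0/16; placing both ahead of the RELATED,ESTABLISHED accept looks right.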
@@ -28,7 +31,7 @@
 - name: Ensure that the SSH users exist
 user:
 name: "{{ item }}"
- groups: algo
+ group: algo
 home: '/var/jail/{{ item }}'
 createhome: yes
 generate_ssh_key: false
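Review bot: Changing `groups: algo` to `group: algo` makes algo the primary group of every tunnel user, and nothing in the task records why that distinction matters; as far as I can tell the `--gid-owner 15000` OUTPUT rules added in rules.v4.j2 and rules.v6.j2 match the gid a socket was created under, which is the process's primary group rather than a supplementary one, so a later "tidy-up" back to `groups:` would silently disable the filtering. A comment on the `group: algo` line, e.g. `# primary group on purpose: the iptables --gid-owner rules key on the socket's gid, not supplementary groups`, would protect that. The task body appears to continue past the end of the hunk.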