From 498cf463911712f69699e73b90c2d61ed7950e44 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Mon, 3 Jun 2019 01:01:08 +0200
Subject: [PATCH 1/3] Block link-local networks. Block traffic from SSH tunnels to VPN clients (#1458)

---
 roles/common/templates/rules.v4.j2 | 7 +++++++
 roles/common/templates/rules.v6.j2 | 2 ++
 roles/ssh_tunneling/tasks/main.yml | 7 +++++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/roles/common/templates/rules.v4.j2 b/roles/common/templates/rules.v4.j2
index d71f51fb..05789b7f 100644
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@@ -77,6 +77,13 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+
+# Drop traffic to the link-local network
+-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
+# Drop traffic to the link-local network from SSH tunnels
+-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
index adb59f5d..4c42f14e 100644
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
@@ -87,6 +87,8 @@ COMMIT
 # Drop traffic between VPN clients
 -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
+# Drop traffic to VPN clients from SSH tunnels
+-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 -A FORWARD -j ICMPV6-CHECK
 -A FORWARD -p tcp --dport 445 -j DROP
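Review bot: Both new OUTPUT rules hard-code `--gid-owner 15000`, and the same literal is repeated in rules.v6.j2 and as `gid: 15000` in roles/ssh_tunneling/tasks/main.yml, so the three copies can drift apart with no error from either side; rendering one role variable (a constructed name such as `ssh_tunnel_gid`) into both templates and the group task would keep them tied together. Until then the template should at least record the coupling, e.g. `# gid 15000 is the 'algo' group created by roles/ssh_tunneling (must be the users' primary gid for the owner match)`. Note too that when BetweenClients_DROP is false the first OUTPUT rule is an ACCEPT that precedes the link-local DROP; that is only safe as long as the rendered client subnets never overlap 169.254.0.0/16 (presumably the point of the rule is the cloud metadata service in that range), which a short comment should state so a later reorder does not reopen that path.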
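Review bot: The IPv6 template gets only the SSH-tunnel-to-VPN-client rule; no link-local counterpart (`fe80::/10`) is added here even though the commit subject is "Block link-local networks". If that is intentional (link-local IPv6 is generally not routed, so a FORWARD rule may be moot, though an OUTPUT rule for the tunnel processes could still be meaningful), a one-line comment in the template saying so would stop the next reader from treating it as an omission. The new OUTPUT rule is also placed between FORWARD rules; grouping OUTPUT rules together would make the chain layout easier to audit. The hard-coded gid is the same issue raised on the rules.v4.j2 hunk.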
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index 437fa47f..2226bbe7 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -14,7 +14,10 @@
     - restart ssh
 - name: Ensure that the algo group exist
-  group: name=algo state=present
+  group:
+    name: algo
+    state: present
+    gid: 15000
 - name: Ensure that the jail directory exist
   file:
@@ -28,7 +31,7 @@
 - name: Ensure that the SSH users exist
   user:
     name: "{{ item }}"
-    groups: algo
+    group: algo
     home: '/var/jail/{{ item }}'
     createhome: yes
     generate_ssh_key: false
From fb00d667477ffab22040b8b75714d2baf45b3a4a Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Mon, 3 Jun 2019 20:08:06 +0200
Subject: [PATCH 2/3] Update Dockerfile (#1466)

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 14036294..6fa1d0fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,7 @@ RUN apk --no-cache add ${BUILD_PACKAGES} && \
     python -m pip --no-cache-dir install virtualenv && \
     python -m virtualenv env && \
     source env/bin/activate && \
-    python -m pip --no-cache-dir install -r requirements.txt --no-use-pep51 && \
+    python -m pip --no-cache-dir install -r requirements.txt && \
     apk del ${BUILD_PACKAGES}
 COPY . .
 RUN chmod 0755 /algo/algo-docker.sh
From 6b2defe470f7fc2d4f9053c69f860e1810a953a6 Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Mon, 3 Jun 2019 14:08:53 -0400
Subject: [PATCH 3/3] Update deploy-from-ansible.md (#1464)

Merged redundant and contradictory "Local install" instructions.

---
 docs/deploy-from-ansible.md | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md
index f26de00d..8429430a 100644
--- a/docs/deploy-from-ansible.md
+++ b/docs/deploy-from-ansible.md
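Review bot: `gid: 15000` is pinned with no comment on why that number, and on a host deployed before this change the group module will, as far as I can tell, renumber the existing `algo` group (or fail if another group already owns 15000), so files under /var/jail created under the old gid would keep it. Suggest documenting the coupling on the line, `gid: 15000  # fixed gid: the iptables owner rules in roles/common/templates/rules.v4.j2 and rules.v6.j2 match on it`, and, if redeploys onto existing hosts are supported, checking for a conflicting gid before this task. The duplicated literal itself is raised on the rules.v4.j2 hunk.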
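Review bot: Changing `groups: algo` to `group: algo` is what makes the new `--gid-owner 15000` rules work, but nothing in the task says so: the owner match compares the gid recorded on the socket, which is the process's primary/effective gid, so supplementary membership alone would not match (the owner match's `--suppl-groups` option exists on newer kernels/iptables but is not used here). Suggest `group: algo  # primary group on purpose: the iptables owner match keys on the socket's gid`. Users created by the old task presumably keep algo as a supplementary group as well, which looks harmless for this match. The enclosing `user` task continues outside the hunk.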
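Review bot: The fixed line still installs requirements.txt with no integrity verification; if that file pins exact versions (it is not visible here), adding hashes and `--require-hashes` to this pip call would make the image build reproducible and resist a tampered or substituted package. The one-token fix itself looks right: `--no-use-pep51` was a typo for pip's `--no-use-pep517`, and pip rejects unknown options, so the build could not have succeeded before. The RUN instruction begins outside the hunk.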
@@ -83,9 +83,11 @@ Note: The `strongswan` role generates Apple profiles with On-Demand Wifi and Cel
 - role: local, provider: local
-Required variables:
+This role is intended to be run for local install onto an Ubuntu server, or onto an unsupported cloud provider's Ubuntu instance. Required variables:
-- server - IP address of your server
+- server - IP address of your server (or "localhost" if deploying to the local machine)
+- endpoint - public IP address of the server you're installing on
+- ssh_user - name of the SSH user you will use to install on the machine (passwordless login required). If `server=localhost`, this isn't required.
 - ca_password - Password for the private CA key
 Note that by default, the iptables rules on your existing server will be overwritten. If you don't want to overwrite the iptables rules, you can use the `--skip-tags iptables` flag.
@@ -249,16 +251,6 @@ Required variables:
 You need to source the rc file prior to run Algo. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)
-
-### Local
-
-Required variables:
-
-- server - IP or hostname to access the server via SSH
-- endpoint - Public IP address or domain name of your server
-- ssh_user
-
-
 ### Update users
 Playbook: