Make iptables more clean and tidy

This commit is contained in:
Jack Ivanov 2019-03-07 15:59:55 +01:00
parent e55de149d3
commit 90edc60c6c
2 changed files with 25 additions and 18 deletions


@ -1,3 +1,6 @@
{% set subnets = ([strongswan_network] if ipsec_enabled else []) + ([wireguard_network_ipv4] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) %}
#### The mangle table #### The mangle table
# This table allows us to modify packet headers # This table allows us to modify packet headers
# Packets enter this table first # Packets enter this table first
@ -10,7 +13,7 @@
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
{% if reduce_mtu|int > 0 %} {% if reduce_mtu|int > 0 and ipsec_enabled %}
-A FORWARD -s {{ strongswan_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1360 - reduce_mtu|int }} -A FORWARD -s {{ strongswan_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1360 - reduce_mtu|int }}
{% endif %} {% endif %}
@ -27,7 +30,7 @@ COMMIT
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
# Allow traffic from the VPN network to the outside world, and replies # Allow traffic from the VPN network to the outside world, and replies
-A POSTROUTING -s {{ strongswan_network }}{% if wireguard_enabled %},{{ wireguard_network_ipv4 }}{% endif %} -m policy --pol none --dir out -j MASQUERADE -A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE
COMMIT COMMIT
@ -54,12 +57,15 @@ COMMIT
-A INPUT -p ah -j ACCEPT -A INPUT -p ah -j ACCEPT
# rate limit ICMP traffic per source # rate limit ICMP traffic per source
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
# Accept IPSEC traffic to ports 500 (IPSEC) and 4500 (MOBIKE aka IKE + NAT traversal) # Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
-A INPUT -p udp -m multiport --dports 500,4500{% if wireguard_enabled %},{{ wireguard_port }}{% endif %} -j ACCEPT -A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
# Allow new traffic to port 22 (SSH) # Allow new traffic to port 22 (SSH)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Allow any traffic from the VPN
{% if ipsec_enabled %}
# Allow any traffic from the IPsec VPN
-A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT -A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
{% endif %}
# TODO: # TODO:
# The IP of the resolver should be bound to a DUMMY interface. # The IP of the resolver should be bound to a DUMMY interface.
@ -70,10 +76,7 @@ COMMIT
-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT -A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
# Drop traffic between VPN clients # Drop traffic between VPN clients
{% if BetweenClients_DROP %} -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
{% set BetweenClientsPolicy = "DROP" %}
{% endif %}
-A FORWARD -s {{ strongswan_network }}{% if wireguard_enabled %},{{ wireguard_network_ipv4 }}{% endif %} -d {{ strongswan_network }}{% if wireguard_enabled %},{{ wireguard_network_ipv4 }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }}
# Forward any packet that's part of an established connection # Forward any packet that's part of an established connection
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@ -83,11 +86,13 @@ COMMIT
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP -A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
{% if ipsec_enabled %}
# Forward any IPSEC traffic from the VPN network # Forward any IPSEC traffic from the VPN network
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network }} -m policy --pol ipsec --dir in -j ACCEPT -A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network }} -m policy --pol ipsec --dir in -j ACCEPT
{% endif %}
# Forward any traffic from the WireGuard VPN network
{% if wireguard_enabled %} {% if wireguard_enabled %}
# Forward any traffic from the WireGuard VPN network
-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv4 }} -m policy --pol none --dir in -j ACCEPT -A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv4 }} -m policy --pol none --dir in -j ACCEPT
{% endif %} {% endif %}
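Review bot: The new comment `# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}` in the INPUT hunk renders the subnet list where the port list is meant and so mislabels the rule below it in the generated file; it should read `# Accept IPSEC/WireGuard traffic to ports {{ ports|join(',') }}`, and the same slip is in the IPv6 template's INPUT hunk. The `# Drop traffic between VPN clients` comment above the rewritten FORWARD rule is now stale, since the jump is `DROP` only when `BetweenClients_DROP` is set and `ACCEPT` otherwise; `# Drop or accept traffic between VPN clients, per BetweenClients_DROP` would match, in the IPv6 template too. Separately, if neither `ipsec_enabled` nor `wireguard_enabled` is true, `subnets` and `ports` both render empty, leaving `--dports ` and `-s  -d ` with no argument, which iptables-restore rejects so the whole ruleset fails to load; wrapping those two rules in `{% if subnets %}` / `{% if ports %}` guards would keep the rest loadable. Whether that configuration is reachable depends on the role's variable validation, which is not visible here.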


@ -1,3 +1,6 @@
{% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) %}
#### The mangle table #### The mangle table
# This table allows us to modify packet headers # This table allows us to modify packet headers
# Packets enter this table first # Packets enter this table first
@ -10,7 +13,7 @@
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
{% if reduce_mtu|int > 0 %} {% if reduce_mtu|int > 0 and ipsec_enabled %}
-A FORWARD -s {{ strongswan_network_ipv6 }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1340 - reduce_mtu|int }} -A FORWARD -s {{ strongswan_network_ipv6 }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1340 - reduce_mtu|int }}
{% endif %} {% endif %}
@ -26,7 +29,7 @@ COMMIT
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
# Allow traffic from the VPN network to the outside world, and replies # Allow traffic from the VPN network to the outside world, and replies
-A POSTROUTING -s {{ strongswan_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_network_ipv6 }}{% endif %} -m policy --pol none --dir out -j MASQUERADE -A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE
COMMIT COMMIT
@ -60,8 +63,8 @@ COMMIT
-A INPUT -m ah -j ACCEPT -A INPUT -m ah -j ACCEPT
# rate limit ICMP traffic per source # rate limit ICMP traffic per source
-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
# Accept IPSEC traffic to ports 500 (IPSEC) and 4500 (MOBIKE aka IKE + NAT traversal) # Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
-A INPUT -p udp -m multiport --dports 500,4500{% if wireguard_enabled %},{{ wireguard_port}}{% endif %} -j ACCEPT -A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
# Allow new traffic to port 22 (SSH) # Allow new traffic to port 22 (SSH)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
@ -83,17 +86,16 @@ COMMIT
-A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT -A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT
# Drop traffic between VPN clients # Drop traffic between VPN clients
{% if BetweenClients_DROP %} -A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
{% set BetweenClientsPolicy = "DROP" %}
{% endif %}
-A FORWARD -s {{ strongswan_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_network_ipv6 }}{% endif %} -d {{ strongswan_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_network_ipv6 }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }}
-A FORWARD -j ICMPV6-CHECK -A FORWARD -j ICMPV6-CHECK
-A FORWARD -p tcp --dport 445 -j DROP -A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP -A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% if ipsec_enabled %}
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT -A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT
{% endif %}
{% if wireguard_enabled %} {% if wireguard_enabled %}
-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv6 }} -m policy --pol none --dir in -j ACCEPT -A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv6 }} -m policy --pol none --dir in -j ACCEPT
{% endif %} {% endif %}