#### The mangle table # This table allows us to modify packet headers # Packets enter this table first # *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] {% if max_mss is defined %} # MSS is the TCP Max Segment Size # Setting the 'max_mss' Ansible variable can solve some issues related to packet fragmentation # This appears to be necessary on (at least) Google Cloud, # however, some routers also require a change to this parameter # See also: # - https://github.com/trailofbits/algo/issues/216 # - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu # - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan -A FORWARD -s {{ vpn_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }} {% endif %} COMMIT #### The nat table # This table enables Network Address Translation # (This is technically a type of packet mangling) # *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # Allow traffic from the VPN network to the outside world, and replies -A POSTROUTING -s {{ vpn_network }} -m policy --pol none --dir out -j MASQUERADE COMMIT #### The filter table # The default ipfilter table # *filter # By default, drop packets that are destined for this server :INPUT DROP [0:0] # By default, drop packets that request to be forwarded by this server :FORWARD DROP [0:0] # By default, accept any packets originating from this server :OUTPUT ACCEPT [0:0] # Accept packets destined for localhost -A INPUT -i lo -j ACCEPT # Accept any packet from an open TCP connection -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Accept packets using the encapsulation protocol -A INPUT -p esp -j ACCEPT -A INPUT -p ah -j ACCEPT # rate limit ICMP traffic per source -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT # Accept IPSEC traffic to ports 500 (IPSEC) and 4500 (MOBIKE aka IKE + NAT traversal) -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT # Allow new traffic to port 22 (SSH) -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT # Allow any traffic from the VPN -A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT # TODO: # The IP of the resolver should be bound to a DUMMY interface. # DUMMY interfaces are the proper way to install IPs without assigning them any # particular virtual (tun,tap,...) or physical (ethernet) interface. # Accept DNS traffic to the local DNS resolver -A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT {% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} # Drop traffic between VPN clients -A FORWARD -s {{ vpn_network }} -d {{ vpn_network }} -j DROP {% endif %} # Forward any packet that's part of an established connection -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Drop SMB/CIFS traffic that requests to be forwarded -A FORWARD -p tcp --dport 445 -j DROP # Drop NETBIOS trafic that requests to be forwarded -A FORWARD -p udp -m multiport --ports 137,138 -j DROP -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP # Forward any IPSEC traffic from the VPN network -A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network }} -m policy --pol ipsec --dir in -j ACCEPT COMMIT