wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-10-05 10:05:18 +02:00
Code Issues Projects Releases Wiki Activity
algo/roles/common/templates/rules.v6.j2
Jack Ivanov 273c7665d3 Refactoring (#1334) 
<!--- Provide a general summary of your changes in the Title above -->

## Description
Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162
Configures Ansible to use python3 on the server side. Closes #1024 
Removes unneeded playbooks, reorganises a lot of variables
Reorganises the `config` folder. Closes #1330
<details><summary>Here is how the config directory looks like now</summary>
<p>

```
configs/X.X.X.X/
|-- ipsec
|   |-- apple
|   |   |-- desktop.mobileconfig
|   |   |-- laptop.mobileconfig
|   |   `-- phone.mobileconfig
|   |-- manual
|   |   |-- cacert.pem
|   |   |-- desktop.p12
|   |   |-- desktop.ssh.pem
|   |   |-- ipsec_desktop.conf
|   |   |-- ipsec_desktop.secrets
|   |   |-- ipsec_laptop.conf
|   |   |-- ipsec_laptop.secrets
|   |   |-- ipsec_phone.conf
|   |   |-- ipsec_phone.secrets
|   |   |-- laptop.p12
|   |   |-- laptop.ssh.pem
|   |   |-- phone.p12
|   |   `-- phone.ssh.pem
|   `-- windows
|       |-- desktop.ps1
|       |-- laptop.ps1
|       `-- phone.ps1
|-- ssh-tunnel
|   |-- desktop.pem
|   |-- desktop.pub
|   |-- laptop.pem
|   |-- laptop.pub
|   |-- phone.pem
|   |-- phone.pub
|   `-- ssh_config
`-- wireguard
    |-- desktop.conf
    |-- desktop.png
    |-- laptop.conf
    |-- laptop.png
    |-- phone.conf
    `-- phone.png
```

![finder](https://i.imgur.com/FtOmKO0.png)

</p>
</details>

## Motivation and Context
This refactoring is focused to aim to the 1.0 release

## How Has This Been Tested?
Deployed to several cloud providers with various options enabled and disabled

## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Refactoring

## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] All new and existing tests passed.
2019-03-10 13:16:34 -04:00

111 lines
4.5 KiB
Django/Jinja
Raw Blame History

{% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) %}
#### The mangle table
# This table allows us to modify packet headers
# Packets enter this table first
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if reduce_mtu|int > 0 and ipsec_enabled %}
-A FORWARD -s {{ strongswan_network_ipv6 }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1340 - reduce_mtu|int }}
{% endif %}
COMMIT
#### The nat table
# This table enables Network Address Translation
# (This is technically a type of packet mangling)
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Allow traffic from the VPN network to the outside world, and replies
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j MASQUERADE
COMMIT
#### The filter table
# The default ipfilter table
#
*filter
# By default, drop packets that are destined for this server
:INPUT DROP [0:0]
# By default, drop packets that request to be forwarded by this server
:FORWARD DROP [0:0]
# By default, accept any packets originating from this server
:OUTPUT ACCEPT [0:0]
# Create the ICMPV6-CHECK chain and its log chain
# These chains are used later to prevent a type of bug that would
# allow malicious traffic to reach over the server into the private network
# An instance of such a bug on Cisco software is described here:
# https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-dos-vulnerability-in-cisco-software/
# other software implementations might be at least as broken as the one in CISCO gear.
:ICMPV6-CHECK - [0:0]
:ICMPV6-CHECK-LOG - [0:0]
# Accept packets destined for localhost
-A INPUT -i lo -j ACCEPT
# Accept any packet from an open TCP connection
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept packets using the encapsulation protocol
-A INPUT -p esp -j ACCEPT
-A INPUT -m ah -j ACCEPT
# rate limit ICMP traffic per source
-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
# Allow new traffic to port 22 (SSH)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Accept properly formatted Neighbor Discovery Protocol packets
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
# DHCP in AWS
-A INPUT -m conntrack --ctstate NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
# TODO:
# The IP of the resolver should be bound to a DUMMY interface.
# DUMMY interfaces are the proper way to install IPs without assigning them any
# particular virtual (tun,tap,...) or physical (ethernet) interface.
# Accept DNS traffic to the local DNS resolver
-A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT
# Drop traffic between VPN clients
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
-A FORWARD -j ICMPV6-CHECK
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% if ipsec_enabled %}
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT
{% endif %}
{% if wireguard_enabled %}
-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv6 }} -m policy --pol none --dir in -j ACCEPT
{% endif %}
# Use the ICMPV6-CHECK chain, described above
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type router-solicitation -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type router-advertisement -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type neighbor-solicitation -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type neighbor-advertisement -j ICMPV6-CHECK-LOG
-A ICMPV6-CHECK-LOG -j LOG --log-prefix "ICMPV6-CHECK-LOG DROP "
-A ICMPV6-CHECK-LOG -j DROP
COMMIT
Reference in a new issue View git blame Copy permalink