Made the iptables rules for the VPN connection more secure: added source and destination definitions. The -S flag can be used to skip this. It is the new default as it is more secure and does not impact the way things work (backwards compatible).
(cherry picked from commit ef3b4bb4e3342f166489034fa7149540d2ef1383) Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/47754a68 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/47754a68 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/47754a68 Branch: refs/heads/4.4 Commit: 47754a68acbcb1f582c80d5156375da0716727a8 Parents: 03bf241 Author: Remi Bergsma <rberg...@schubergphilis.com> Authored: Mon Dec 8 19:06:55 2014 +0100 Committer: Daan Hoogland <d...@onecht.net> Committed: Tue Dec 9 10:54:44 2014 +0100 ---------------------------------------------------------------------- .../debian/config/opt/cloud/bin/ipsectunnel.sh | 26 ++++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/47754a68/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh ----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
index a95c65e..e0af6a2 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -23,7 +23,7 @@ vpnoutmark="0x525"
 vpninmark="0x524"
 
 usage() {
-    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation ]\n" $(basename $0) >&2
+    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation> -S <disable vpn ports iptables> ]\n" $(basename $0) >&2
 }
 
 #set -x
@@ -61,13 +61,16 @@ enable_iptables_subnets() {
     return 0
 }
 
+#
+# Add the right side here to close the gap, so we're sure no one else comes in
+# also double check the default behaviour of ipsec to drop if wrong....
 check_and_enable_iptables() {
     sudo iptables-save | grep "A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT"
     if [ $? -ne 0 ]
     then
-        sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-        sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-        sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT
+        sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+        sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+        sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
         # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
         sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
     fi
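Review bot: The presence check at the top of check_and_enable_iptables still greps for `A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT`, but the rule this hunk now adds carries `-s`/`-d`, and iptables-save prints those (with a `/32` suffix) before `-i`, so the pattern no longer matches the rule just added and the `if` body will append the three rules again on every run. The check is also still keyed on the interface while the rules are now keyed on a peer pair, so it no longer answers "does the rule for this peer exist"; if the systemvm's iptables supports it, `sudo iptables -C INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT` tests the exact rule independent of how iptables-save renders it. The new three-line comment ends with an open question (`also double check the default behaviour of ipsec to drop if wrong....`); a shipped script should either resolve it or mark it `# TODO(name):` so it is tracked.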
@@ -90,9 +93,9 @@ check_and_disable_iptables() {
     if [ $? -ne 0 ]
     then
         #Nobody else use s2s vpn now, so delete the iptables rules
-        sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-        sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-        sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT
+        sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+        sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+        sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
         sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
     fi
     return 0
@@ -213,8 +216,9 @@ sflag=
 passive=0
 op=""
 checkup=0
+secure=1
 
-while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
+while getopts 'ADSpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
 do
   case $OPTION in
   A) opflag=1
@@ -260,6 +264,8 @@ do
      ;;
   c) checkup=1
      ;;
+  S) secure=0
+     ;;
   ?) usage
      exit 2
      ;;
@@ -267,6 +273,10 @@ do
 done
 
 logger -t cloud "$(basename $0): parameters $*"
+if [ $secure -eq 1 ]
+then
+  iptables_secure=" -s $rightpeer -d $leftpeer "
+fi
 
 # get interface for public ip
 ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist
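Review bot: The `-D` calls in check_and_disable_iptables only remove a rule whose match set is identical, so rules that were added without `-s`/`-d` (those already present when this version is rolled out, or added by a run with `-S`) are never removed by a default run: each `-D` fails, nothing is logged because the exit status is not checked, and the permissive INPUT rules stay in place indefinitely. I'd at least report the failure, e.g. `sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT || logger -t cloud "$(basename $0): could not remove esp rule for $rightpeer"`, and consider removing the old unscoped form once as part of the upgrade. Note also that `-D` removes a single instance, so duplicates left behind by repeated adds survive this cleanup. The function's opening lines are outside the hunk.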
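Review bot: `iptables_secure` is assigned only inside `if [ $secure -eq 1 ]` and is never initialised otherwise, so a run with `-S` relies on an unset variable expanding to nothing; adding `iptables_secure=""` next to `secure=1` in the @@ -213 hunk makes the default explicit and keeps the script correct if `set -u` is ever enabled. The assignment also assumes `rightpeer` and `leftpeer` are non-empty: with an empty `rightpeer` the unquoted expansion becomes `-s -d <leftpeer>`, which iptables rejects, and since no exit status is checked the tunnel would be brought up with no INPUT rule for IKE or ESP at all. If the flag validation elsewhere in the script (not visible here) does not already guarantee both values, guard this block with `[ -n "$rightpeer" ] && [ -n "$leftpeer" ] || { usage; exit 2; }`.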