made iptables for the VPN connection more secure: added source and destination definitions to the VPN INPUT rules. Flag -S can be used to disable this. It's the new default as it is more secure and does not impact the way things work (backward compatible).
(cherry picked from commit ef3b4bb4e3342f166489034fa7149540d2ef1383) Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a592b010 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a592b010 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a592b010 Branch: refs/heads/master Commit: a592b010350296d06fef987b5bd6b21f7cfca8a8 Parents: 85ba1f7 Author: Remi Bergsma <rberg...@schubergphilis.com> Authored: Mon Dec 8 19:06:55 2014 +0100 Committer: Daan Hoogland <d...@onecht.net> Committed: Tue Dec 9 11:19:43 2014 +0100 ---------------------------------------------------------------------- .../debian/config/opt/cloud/bin/ipsectunnel.sh | 26 ++++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a592b010/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh ----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
index a95c65e..e0af6a2 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -23,7 +23,7 @@ vpnoutmark="0x525"
 vpninmark="0x524"
 usage() {
- printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation ]\n" $(basename $0) >&2
+ printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime> -s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check if up on creation> -S <disable vpn ports iptables> ]\n" $(basename $0) >&2
 }
 #set -x
@@ -61,13 +61,16 @@ enable_iptables_subnets() {
 return 0
 }
+#
+# Add the right side here to close the gap, so we're sure no one else comes in
+# also double check the default behaviour of ipsec to drop if wrong....
 check_and_enable_iptables() {
 sudo iptables-save | grep "A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT"
 if [ $? -ne 0 ]
 then
- sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
- sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
- sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT
+ sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+ sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+ sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
 # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
 sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
 fi
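Review bot: The idempotency check at the top of check_and_enable_iptables still greps iptables-save for `A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT`, but the rule now appended carries `$iptables_secure`, and iptables-save prints the `-s`/`-d` matches before `-i`, so with the secure default the pattern never matches the rule that was just added. Every run of the script therefore re-appends the three ACCEPT rules and re-inserts the POSTROUTING mark rule, while the `-D` path in check_and_disable_iptables removes only one copy, so ACCEPT rules for the peer outlive the tunnel. A check that does not depend on the save format and is per peer, as the rules now are, is `sudo iptables -C INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT` (needs iptables 1.4.11 or later; confirm the systemvm version before relying on it). The new comment also commits `also double check the default behaviour of ipsec to drop if wrong....` as an open question; resolve it or make it an explicit `# TODO(name):` so it is not read as documentation of what the code does.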
@@ -90,9 +93,9 @@ check_and_disable_iptables() {
 if [ $? -ne 0 ]
 then
 #Nobody else use s2s vpn now, so delete the iptables rules
- sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
- sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
- sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT
+ sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+ sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+ sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
 sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
 fi
 return 0
@@ -213,8 +216,9 @@ sflag=
 passive=0
 op=""
 checkup=0
+secure=1
-while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
+while getopts 'ADSpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
 do
 case $OPTION in
 A) opflag=1
@@ -260,6 +264,8 @@ do
 ;;
 c) checkup=1
 ;;
+ S) secure=0
+ ;;
 ?) usage
 exit 2
 ;;
@@ -267,6 +273,10 @@ do
 done
 logger -t cloud "$(basename $0): parameters $*"
+if [ $secure -eq 1 ]
+then
+ iptables_secure=" -s $rightpeer -d $leftpeer "
+fi
 # get interface for public ip
 ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist
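Review bot: The `-D` calls in check_and_disable_iptables now only match rules that were added with the same `$iptables_secure` fragment, so rules installed by the previous version of this script (presumably the case on a router that already has tunnels when the script is upgraded), or added with `-S` and later deleted without it, are never removed, and because the exit status of each `iptables -D` is ignored the failure is silent and the wide-open ACCEPT stays. The function's own `if [ $? -ne 0 ]` tests a command that lies outside the hunk, and `check_and_disable_iptables() {` is visible only in the hunk header. At minimum log a failed delete, e.g. `sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT || logger -t cloud "$(basename $0): failed to remove VPN ACCEPT rule for $rightpeer"`, and consider also attempting the legacy form without `-s`/`-d` so a pre-upgrade rule does not outlive the tunnel.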
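Review bot: The new block at the end of the hunk splices `$rightpeer` and `$leftpeer` unquoted into every `sudo iptables` command without checking that they are set or look like addresses; if either is empty (for instance a `-D` call that omits `-l` or `-r`) the fragment becomes `-s  -d` and iptables rejects the rule, and since the function exit codes are not checked the script carries on with the ports either never opened or still open. Option parsing for `-l` and `-r` is outside the hunk, so whether every caller supplies both cannot be confirmed here. The assignment is the one place both values are known, so validate them there and fail loudly, as below; `logger -t cloud` matches the logging the file already uses, and the pattern should be widened if IPv6 peers are expected. It is also worth a one-line comment that with `-S` the variable is left unset rather than empty, which only works because the script does not run under `set -u`.
```shell
if [ $secure -eq 1 ]
then
  # Restrict the VPN INPUT rules to this peer pair. Both values are expanded
  # unquoted into iptables command lines, so accept plain IPv4 addresses only.
  for peer in "$rightpeer" "$leftpeer"
  do
    case "$peer" in
      *[!0-9.]*|"") logger -t cloud "$(basename $0): invalid VPN peer address '$peer'"; exit 2 ;;
    esac
  done
  iptables_secure=" -s $rightpeer -d $leftpeer "
fi
```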