Re: [PATCH] ipsec: Add block rules to avoid conntrack entries

[Timo Eissler <timo@teissler.de>]

[-- Attachment #1: Type: text/plain, Size: 7787 bytes --]


Just by reading the code, this looks good for me.

I'm also very interested in getting feedback from Tom, but i think this will
finally solve the SIP issues we had in combination with IPSec.

Thank you very much for this!

Am 03.10.2015 um 23:31 schrieb Michael Tremer:
> If an IPsec VPN connections is not established, there are
> rare cases when packets are supposed to be sent through
> that said tunnel and incorrectly handled.
>
> Those packets are sent to the default gateway an entry
> for this connection is created in the connection tracking
> table (usually only happens to UDP). All following packets
> are sent the same route even after the tunnel has been
> brought up. That leads to SIP phones not being able to
> register among other things.
>
> This patch adds firewall rules that these packets are
> rejected. That will sent a notification to the client
> that the tunnel is not up and avoid the connection to
> be added to the connection tracking table.
>
> Apart from a small performance penalty there should
> be no other side-effects.
>
> Fixes: #10908
>
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> Cc: tomvend(a)rymes.com
> Cc: daniel.weismueller(a)ipfire.org
> Cc: morlix(a)morlix.de
> ---
>  config/firewall/ipsec-block           | 59
+++++++++++++++++++++++++++++++++++
>  config/rootfiles/common/stage2        |  1 +
>  config/rootfiles/common/x86_64/stage2 |  1 +
>  lfs/stage2                            |  2 ++
>  src/initscripts/init.d/firewall       |  8 +++++
>  src/misc-progs/ipsecctrl.c            |  4 +++
>  6 files changed, 75 insertions(+)
>  create mode 100644 config/firewall/ipsec-block
>
> diff --git a/config/firewall/ipsec-block b/config/firewall/ipsec-block
> new file mode 100644
> index 0000000..9fa8e1a
> --- /dev/null
> +++ b/config/firewall/ipsec-block
> @@ -0,0 +1,59 @@
> +#!/bin/bash
>
+###############################################################################
>
+#
      #
> +# IPFire.org - A linux based
firewall                                         #
> +# Copyright (C) 2015 IPFire
Team                                              #
>
+#
      #
> +# This program is free software: you can redistribute it and/or
modify        #
> +# it under the terms of the GNU General Public License as published
by        #
> +# the Free Software Foundation, either version 3 of the License,
or           #
> +# (at your option) any later
version.                                         #
>
+#
      #
> +# This program is distributed in the hope that it will be
useful,             #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty
of              #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
the               #
> +# GNU General Public License for more
details.                                #
>
+#
      #
> +# You should have received a copy of the GNU General Public
License           #
> +# along with this program.  If not, see
<http://www.gnu.org/licenses/>.       #
>
+#
      #
>
+###############################################################################
> +
> +VPN_CONFIG="/var/ipfire/vpn/config"
> +
> +block_subnet() {
> +    local subnet="${1}"
> +
> +    # Don't block a wildcard subnet
> +    if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" =
"0.0.0.0/0.0.0.0" ]; then
> +        return 0
> +    fi
> +
> +    iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with
icmp-net-unreachable
> +}
> +
> +block_ipsec() {
> +    # Flush all exists rules
> +    iptables -F IPSECBLOCK
> +
> +    local id status name lefthost type ctype unknown1 unknown2 unknown3
> +    local leftsubnets unknown4 righthost rightsubnets rest
> +    while IFS="," read -r id status name lefthost type ctype unkown1
unknown2 unknown3 \
> +            leftsubnets unknown4 righthost rightsubnets rest; do
> +        # Check if the connection is enabled
> +        [ "${status}" = "on" ] || continue
> +
> +        # Check if this a net-to-net connection
> +        [ "${type}" = "net" ] || continue
> +
> +        # Split multiple subnets
> +        rightsubnets="${rightsubnets//\|/ }"
> +
> +        local rightsubnet
> +        for rightsubnet in ${rightsubnets}; do
> +            block_subnet "${rightsubnet}"
> +        done
> +    done < "${VPN_CONFIG}"
> +}
> +
> +block_ipsec || exit $?
> diff --git a/config/rootfiles/common/stage2
b/config/rootfiles/common/stage2
> index 90e28d9..4021caf 100644
> --- a/config/rootfiles/common/stage2
> +++ b/config/rootfiles/common/stage2
> @@ -73,6 +73,7 @@ run
>  #usr/lib
>  usr/lib/firewall
>  usr/lib/firewall/firewall-lib.pl
> +usr/lib/firewall/ipsec-block
>  usr/lib/firewall/rules.pl
>  #usr/lib/libgcc_s.so
>  usr/lib/libgcc_s.so.1
> diff --git a/config/rootfiles/common/x86_64/stage2
b/config/rootfiles/common/x86_64/stage2
> index 0ac9ab5..531daaa 100644
> --- a/config/rootfiles/common/x86_64/stage2
> +++ b/config/rootfiles/common/x86_64/stage2
> @@ -74,6 +74,7 @@ run
>  #usr/lib
>  usr/lib/firewall
>  usr/lib/firewall/firewall-lib.pl
> +usr/lib/firewall/ipsec-block
>  usr/lib/firewall/rules.pl
>  #usr/lib/libgcc_s.so
>  usr/lib/libgcc_s.so.1
> diff --git a/lfs/stage2 b/lfs/stage2
> index 3244fa3..ec5d117 100644
> --- a/lfs/stage2
> +++ b/lfs/stage2
> @@ -114,6 +114,8 @@ endif
>          /usr/lib/firewall/rules.pl
>      install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \
>          /usr/lib/firewall/firewall-lib.pl
> +    install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \
> +        /usr/lib/firewall/ipsec-block
> 
>      # Nobody user
>      -mkdir -p /home/nobody
> diff --git a/src/initscripts/init.d/firewall
b/src/initscripts/init.d/firewall
> index 8ca02bc..2d462d7 100644
> --- a/src/initscripts/init.d/firewall
> +++ b/src/initscripts/init.d/firewall
> @@ -115,6 +115,11 @@ iptables_init() {
>      iptables -A INPUT -j GUARDIAN
>      iptables -A FORWARD -j GUARDIAN
> 
> +    # Block non-established IPsec networks
> +    iptables -N IPSECBLOCK
> +    iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
> +    iptables -A OUTPUT  -m policy --dir out --pol none -j IPSECBLOCK
> +
>      # Block OpenVPN transfer networks
>      iptables -N OVPNBLOCK
>      iptables -A INPUT   -i tun+ -j OVPNBLOCK
> @@ -270,6 +275,9 @@ iptables_init() {
>      iptables -t nat -N REDNAT
>      iptables -t nat -A POSTROUTING -j REDNAT
> 
> +    # Populate IPsec block chain
> +    /usr/lib/firewall/ipsec-block
> +
>      # Apply OpenVPN firewall rules
>      /usr/local/bin/openvpnctrl --firewall-rules
> 
> diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
> index e99202d..7499e94 100644
> --- a/src/misc-progs/ipsecctrl.c
> +++ b/src/misc-progs/ipsecctrl.c
> @@ -144,6 +144,9 @@ void turn_connection_on(char *name, char *type) {
>                  "/usr/sbin/ipsec down %s >/dev/null", name);
>          safe_system(command);
> 
> +    // Reload the IPsec block chain
> +    safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
> +
>      // Reload the configuration into the daemon (#10339).
>      ipsec_reload();
> 
> @@ -302,6 +305,7 @@ int main(int argc, char *argv[]) {
> 
>          // start the system
>          if ((argc == 2) && strcmp(argv[1], "S") == 0) {
> +        safe_system("/usr/lib/firewall/ipsec-block >/dev/null");
>          safe_system("/usr/sbin/ipsec restart >/dev/null");
>                  exit(0);
>          }



-- 
Timo Eissler
Senior Project Engineer / Consultant

Am Zuckerberg 54
D-71640 Ludwigsburg

Tel.: +49 7141 4094003
Mobil.: +49 151 20650311
Email: timo(a)teissler.de


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]