From: Timo Eissler
To: development@lists.ipfire.org
Subject: Re: [PATCH] ipsec: Add block rules to avoid conntrack entries
Date: Sun, 04 Oct 2015 17:56:07 +0200
Message-ID: <56114C17.10903@teissler.de>
In-Reply-To: <1443907913-919-1-git-send-email-michael.tremer@ipfire.org>

Just by reading the code, this looks good to me. I'm also very interested in getting feedback from Tom, but I think this will finally solve the SIP issues we had in combination with IPSec. Thank you very much for this!

On 03.10.2015 at 23:31, Michael Tremer wrote:
> If an IPsec VPN connection is not established, there are
> rare cases when packets are supposed to be sent through
> that said tunnel and incorrectly handled.
>
> Those packets are sent to the default gateway and an entry
> for this connection is created in the connection tracking
> table (usually only happens to UDP). All following packets
> are sent the same route even after the tunnel has been
> brought up. That leads to SIP phones not being able to
> register among other things.
>
> This patch adds firewall rules so that these packets are
> rejected. That will send a notification to the client
> that the tunnel is not up and avoid the connection being
> added to the connection tracking table.
>
> Apart from a small performance penalty there should
> be no other side-effects.
>
> Fixes: #10908
> > Signed-off-by: Michael Tremer > Cc: tomvend(a)rymes.com > Cc: daniel.weismueller(a)ipfire.org > Cc: morlix(a)morlix.de > --- > config/firewall/ipsec-block | 59 +++++++++++++++++++++++++++++++++++ > config/rootfiles/common/stage2 | 1 + > config/rootfiles/common/x86_64/stage2 | 1 + > lfs/stage2 | 2 ++ > src/initscripts/init.d/firewall | 8 +++++ > src/misc-progs/ipsecctrl.c | 4 +++ > 6 files changed, 75 insertions(+) > create mode 100644 config/firewall/ipsec-block > > diff --git a/config/firewall/ipsec-block b/config/firewall/ipsec-block > new file mode 100644 > index 0000000..9fa8e1a > --- /dev/null > +++ b/config/firewall/ipsec-block 
> @@ -0,0 +1,59 @@ > +#!/bin/bash > +############################################################################= ### > +# # > +# IPFire.org - A linux based firewall # > +# Copyright (C) 2015 IPFire Team # > +# # > +# This program is free software: you can redistribute it and/or modify # > +# it under the terms of the GNU General Public License as published by # > +# the Free Software Foundation, either version 3 of the License, or # > +# (at your option) any later version. # > +# # > +# This program is distributed in the hope that it will be useful, # > +# but WITHOUT ANY WARRANTY; without even the implied warranty of # > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # > +# GNU General Public License for more details. # > +# # > +# You should have received a copy of the GNU General Public License # > +# along with this program. If not, see . # > +# # > +############################################################################= ### > + > +VPN_CONFIG=3D"/var/ipfire/vpn/config" > + > +block_subnet() { > + local subnet=3D"${1}" > + > + # Don't block a wildcard subnet > + if [ "${subnet}" =3D "0.0.0.0/0" ] || [ "${subnet}" =3D "0.0.0.0/0.0.0.0" ]; then > + return 0 > + fi > + > + iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable > +} > + > +block_ipsec() { > + # Flush all exists rules > + iptables -F IPSECBLOCK > + > + local id status name lefthost type ctype unknown1 unknown2 unknown3 > + local leftsubnets unknown4 righthost rightsubnets rest > + while IFS=3D"," read -r id status name lefthost type ctype unkown1 unknown2 unknown3 \ > + leftsubnets unknown4 righthost rightsubnets rest; do > + # Check if the connection is enabled > + [ "${status}" =3D "on" ] || continue > + > + # Check if this a net-to-net connection > + [ "${type}" =3D "net" ] || continue > + > + # Split multiple subnets > + rightsubnets=3D"${rightsubnets//\|/ }" > + > + local rightsubnet > + for rightsubnet in ${rightsubnets}; do > + block_subnet 
"${rightsubnet}" > + done > + done < "${VPN_CONFIG}" > +} > + > +block_ipsec || exit $? > diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 > index 90e28d9..4021caf 100644 > --- a/config/rootfiles/common/stage2 > +++ b/config/rootfiles/common/stage2 > @@ -73,6 +73,7 @@ run > #usr/lib > usr/lib/firewall > usr/lib/firewall/firewall-lib.pl > +usr/lib/firewall/ipsec-block > usr/lib/firewall/rules.pl > #usr/lib/libgcc_s.so > usr/lib/libgcc_s.so.1 > diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 > index 0ac9ab5..531daaa 100644 > --- a/config/rootfiles/common/x86_64/stage2 > +++ b/config/rootfiles/common/x86_64/stage2 > @@ -74,6 +74,7 @@ run > #usr/lib > usr/lib/firewall > usr/lib/firewall/firewall-lib.pl > +usr/lib/firewall/ipsec-block > usr/lib/firewall/rules.pl > #usr/lib/libgcc_s.so > usr/lib/libgcc_s.so.1 > diff --git a/lfs/stage2 b/lfs/stage2 > index 3244fa3..ec5d117 100644 > --- a/lfs/stage2 > +++ b/lfs/stage2 > @@ -114,6 +114,8 @@ endif > /usr/lib/firewall/rules.pl > install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \ > /usr/lib/firewall/firewall-lib.pl > + install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \ > + /usr/lib/firewall/ipsec-block >=20 > # Nobody user > -mkdir -p /home/nobody > diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall > index 8ca02bc..2d462d7 100644 > --- a/src/initscripts/init.d/firewall > +++ b/src/initscripts/init.d/firewall > @@ -115,6 +115,11 @@ iptables_init() { > iptables -A INPUT -j GUARDIAN > iptables -A FORWARD -j GUARDIAN >=20 > + # Block non-established IPsec networks > + iptables -N IPSECBLOCK > + iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK > + iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK > + > # Block OpenVPN transfer networks > iptables -N OVPNBLOCK > iptables -A INPUT -i tun+ -j OVPNBLOCK 
> @@ -270,6 +275,9 @@ iptables_init() { > iptables -t nat -N REDNAT > iptables -t nat -A POSTROUTING -j REDNAT >=20 > + # Populate IPsec block chain > + /usr/lib/firewall/ipsec-block > + > # Apply OpenVPN firewall rules > /usr/local/bin/openvpnctrl --firewall-rules >=20 > diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c > index e99202d..7499e94 100644 > --- a/src/misc-progs/ipsecctrl.c > +++ b/src/misc-progs/ipsecctrl.c > @@ -144,6 +144,9 @@ void turn_connection_on(char *name, char *type) { > "/usr/sbin/ipsec down %s >/dev/null", name); > safe_system(command); >=20 > + // Reload the IPsec block chain > + safe_system("/usr/lib/firewall/ipsec-block >/dev/null"); > + > // Reload the configuration into the daemon (#10339). > ipsec_reload(); >=20 
> @@ -302,6 +305,7 @@ int main(int argc, char *argv[]) { >=20 > // start the system > if ((argc =3D=3D 2) && strcmp(argv[1], "S") =3D=3D 0) { > + safe_system("/usr/lib/firewall/ipsec-block >/dev/null"); > safe_system("/usr/sbin/ipsec restart >/dev/null"); > exit(0); > }

-- 
Timo Eissler
Senior Project Engineer / Consultant
Am Zuckerberg 54
D-71640 Ludwigsburg
Tel.: +49 7141 4094003
Mobil.: +49 151 20650311
Email: timo(a)teissler.de
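Review bot: in the config/firewall/ipsec-block hunk, the `local` line declares `unknown1` but the `read -r` target list spells it `unkown1`, so that field is assigned to a global shell variable instead of a function local; make the two names match. Also, nothing checks the exit status of `iptables -F IPSECBLOCK` or of the `iptables -A IPSECBLOCK ... -j REJECT` call in block_subnet, and the status of `block_ipsec` that `block_ipsec || exit $?` sees is only that of the last command run inside the `while` loop, so a failure of the flush or of any but the final `-A` (for instance when the IPSECBLOCK chain has not been created yet) leaves the chain half populated while the script still exits 0; a `set -e` at the top or an explicit check on each iptables call would surface that. Comment nit: "Flush all exists rules" should read "Flush all existing rules".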
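Review bot: in the src/initscripts/init.d/firewall hunk at line 115, the comment "Block non-established IPsec networks" leaves out the mechanism that makes the patch work: `-m policy --dir out --pol none` sends only packets that have no outbound IPsec policy into IPSECBLOCK, so once a tunnel is up and the kernel holds an SPD entry for the subnet pair, the REJECT rules are bypassed automatically and nothing has to be removed from the chain on tunnel up. Saying that in the comment would spare the next reader from wondering why the chain is never flushed when a connection comes up. The match also depends on the xt_policy netfilter module being present in the kernel; if that is not already guaranteed, the two `-A ... -j IPSECBLOCK` rules will fail at init time.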
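Review bot: in the src/misc-progs/ipsecctrl.c hunk at turn_connection_on, the chain is refreshed when a connection is turned on and, in the second ipsecctrl.c hunk, when the program is started with "S", but no refresh is visible in this patch for turning a connection off or deleting it. Since ipsec-block decides what to block from the `status` field in /var/ipfire/vpn/config, a net-to-net connection that has just been disabled keeps its REJECT rules in IPSECBLOCK until one of those two paths runs again, so traffic to its remote subnets stays rejected instead of falling back to the normal route. If ipsecctrl has a turn-off or delete routine, the same `safe_system("/usr/lib/firewall/ipsec-block >/dev/null");` call belongs there too.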