Unverified Commit aa79386b authored by micah's avatar micah :speech_balloon:

Fix outgoing vpn firewall rule for abuse.

The firewall rule that was put in place to stop vpn users from doing bad things
was not working. If you were to connect to the vpn, and then attempt to connect
to a server over port 25, you would connect. That isn't supposed to happen, as
it allows the VPN to be used as a mail abuse vector.

The problem was three-fold:
 - the rules should be input rules, not output, because of the way containers
 work with the host
 - the chain should be the FORWARD chain, not the OUTPUT chain
 - the rules needed to be before we allow all traffic

This fix has been tested in production.
parent 70539aad
...@@ -8,6 +8,27 @@ add_rule6 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv6 | first ...@@ -8,6 +8,27 @@ add_rule6 -A user-input -p tcp -m tcp -d {{ ips | ansible.netcommon.ipv6 | first
add_rule6 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT add_rule6 -A user-input -p udp -m udp -d {{ ips | ansible.netcommon.ipv6 | first }} --dport 80 -j ACCEPT
{% endif %} {% endif %}
# deny outgoing ports that shouldn't be used
# Strict egress filtering:
# SMTP (TCP 25)
# Trivial File Transfer Protocol - TFTP (UDP 69)
# MS RPC (TCP & UDP 135)
# NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138)
# Simple Network Management Protocol – SNMP (UDP/TCP 161-162)
# SMB/IP (TCP/UDP 445)
# Syslog (UDP 514)
# Gamqowi trojan: TCP 4661
# Mneah trojan: TCP 4666
add_rule4 -A FORWARD -i tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule4 -A FORWARD -i tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule4 -A FORWARD -i tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
add_rule4 -A FORWARD -i tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
add_rule6 -A FORWARD -i tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule6 -A FORWARD -i tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule6 -A FORWARD -i tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
add_rule6 -A FORWARD -i tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
# let ipv4 tcp vpn hosts reach the internet # let ipv4 tcp vpn hosts reach the internet
add_rule4 -A FORWARD -s {{ openvpn_tcp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j ACCEPT add_rule4 -A FORWARD -s {{ openvpn_tcp_network | ipaddr('network/prefix') }} -o {{ ansible_default_ipv4.interface }} -j ACCEPT
# allow re/established tcp *inbound* to vpn hosts # allow re/established tcp *inbound* to vpn hosts
...@@ -41,26 +62,6 @@ add_rule6 -A FORWARD -i tun0 -p tcp -o tun0 -j DROP ...@@ -41,26 +62,6 @@ add_rule6 -A FORWARD -i tun0 -p tcp -o tun0 -j DROP
add_rule6 -A FORWARD -i tun1 -p udp -o tun0 -j DROP add_rule6 -A FORWARD -i tun1 -p udp -o tun0 -j DROP
{% endif %} {% endif %}
# deny outgoing ports that shouldn't be used
# Strict egress filtering:
# SMTP (TCP 25)
# Trivial File Transfer Protocol - TFTP (UDP 69)
# MS RPC (TCP & UDP 135)
# NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138)
# Simple Network Management Protocol – SNMP (UDP/TCP 161-162)
# SMB/IP (TCP/UDP 445)
# Syslog (UDP 514)
# Gamqowi trojan: TCP 4661
# Mneah trojan: TCP 4666
add_rule4 -A OUTPUT -o tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule4 -A OUTPUT -o tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule4 -A OUTPUT -o tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
add_rule4 -A OUTPUT -o tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
add_rule6 -A OUTPUT -o tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule6 -A OUTPUT -o tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule6 -A OUTPUT -o tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
add_rule6 -A OUTPUT -o tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
# allow tcp vpn clients to resolve DNS (i.e. query knot-resolver) # allow tcp vpn clients to resolve DNS (i.e. query knot-resolver)
add_rule -A user-input -i tun0 -p udp --dport 53 -j ACCEPT add_rule -A user-input -i tun0 -p udp --dport 53 -j ACCEPT
add_rule -A user-input -i tun0 -p tcp --dport 53 -j ACCEPT add_rule -A user-input -i tun0 -p tcp --dport 53 -j ACCEPT
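Review bot: The new FORWARD DROP rules at the top of the first hunk are keyed to `-i tun0` and `-i tun1` literally, so a third OpenVPN instance on tun2 would forward SMTP and the other listed ports unfiltered while the rest of the file still reads as correct; iptables accepts an interface-prefix wildcard, so `-i tun+` covers every tunnel and collapses the block to one tcp and one udp rule per address family, e.g. `add_rule4 -A FORWARD -i tun+ -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP` (likewise for `-p udp` and the `add_rule6` copies). If the per-interface enumeration is deliberate — the lower hunk pairs tun0/tun1 explicitly too — a one-line comment above the block saying so would stop the next editor from merging them. Dropping silently also leaves no record of the abuse attempts this commit exists to stop; a rate-limited `-m limit --limit 5/min -j LOG --log-prefix "vpn-egress-drop: "` rule placed immediately before each DROP would give the operator visibility without flooding the log. The hunk does not show whether the tunnels carry IPv6 at all, so the add_rule6 rules may currently be unreachable but are harmless to keep.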