From patchwork Sun Jun 16 15:36:00 2024
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 7862
Date: Sun, 16 Jun 2024 15:36:00 +0000
To: "IPFire: Development"
From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH] strongswan: Create firewall rules for outgoing IPsec traffic as well Message-ID-Hash: PEQK2ASTCEAP4GI6VQCJMY4R3UMYRKGB X-Message-ID-Hash: PEQK2ASTCEAP4GI6VQCJMY4R3UMYRKGB X-MailFrom: peter.mueller@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This will avoid outgoing IPsec traffic being dropped by IPFire itself, if the default firewall behavior for outgoing traffic is set to "blocked", and no appropriate rules have been manually configured in the web interface. To ensure configured IPsec tunnels will always work flawlessly, regardless of the firewall default policy and any manually created firewall rules, create and delete outgoing iptables rules accordingly when bringing an IPsec connection up or down. Tested-by: Peter Müller Signed-off-by: Peter Müller --- src/patches/strongswan-ipfire.patch | 49 +++++++++++++++++------------ 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch index d8e35cd52..a1f80d361 100644 --- a/src/patches/strongswan-ipfire.patch +++ b/src/patches/strongswan-ipfire.patch @@ -1,13 +1,5 @@ -commit b439f74361d393bcb85109b6c41a905cf613a296 -Author: Peter Müller -Date: Wed May 18 17:46:57 2022 +0000 - - IPFire modifications to _updown script - - Signed-off-by: Peter Müller - diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in -index 34eaf68c7..9ed387a0a 100644 +index 34eaf68c7..38aa63354 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -242,10 +242,10 @@ up-host:iptables) 
@@ -98,7 +90,7 @@ index 34eaf68c7..9ed387a0a 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -342,47 +324,37 @@ up-client:iptables) +@@ -342,47 +324,46 @@ up-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -111,7 +103,7 @@ index 34eaf68c7..9ed387a0a 100644 fi fi + -+ # Open Firewall for IPinIP + AH + ESP Traffic ++ # Open firewall for incoming and outgoing IPinIP + AH + ESP traffic to the peers' IP + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \ + -s $PLUTO_PEER $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT -j ACCEPT @@ -121,6 +113,15 @@ index 34eaf68c7..9ed387a0a 100644 + iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ + -s $PLUTO_PEER $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p IPIP \ ++ -s $PLUTO_ME $D_MY_PORT \ ++ -d $PLUTO_PEER $S_PEER_PORT -j ACCEPT ++ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_ME $D_MY_PORT \ ++ -d $PLUTO_PEER $S_PEER_PORT -j ACCEPT ++ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_ME $D_MY_PORT \ ++ -d $PLUTO_PEER $S_PEER_PORT -j ACCEPT + ;; down-client:iptables) @@ -161,7 +162,7 @@ index 34eaf68c7..9ed387a0a 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -392,12 +364,24 @@ down-client:iptables) +@@ -392,12 +373,32 @@ down-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -174,7 +175,7 @@ index 34eaf68c7..9ed387a0a 100644 fi fi + -+ # Close Firewall for IPinIP + AH + ESP Traffic ++ # Close firewall for incoming and outgoing IPinIP + AH + ESP traffic to the peers' IP + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \ + -s $PLUTO_PEER $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT -j ACCEPT 
@@ -184,11 +185,19 @@ index 34eaf68c7..9ed387a0a 100644 + iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ + -s $PLUTO_PEER $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT -j ACCEPT -+ ++ iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE -p IPIP \ ++ -s $PLUTO_ME $D_MY_PORT \ ++ -d $PLUTO_PEER $S_PEER_PORT -j ACCEPT ++ iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_ME $D_MY_PORT \ ++ -d $PLUTO_PEER $S_PEER_PORT -j ACCEPT ++ iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_ME $D_MY_PORT \ ++ -d $PLUTO_PEER $S_PEER_PORT -j ACCEPT ;; # # IPv6 -@@ -422,10 +406,10 @@ up-host-v6:iptables) +@@ -422,10 +423,10 @@ up-host-v6:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -201,7 +210,7 @@ index 34eaf68c7..9ed387a0a 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -454,10 +438,10 @@ down-host-v6:iptables) +@@ -454,10 +455,10 @@ down-host-v6:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -214,7 +223,7 @@ index 34eaf68c7..9ed387a0a 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -487,10 +471,10 @@ up-client-v6:iptables) +@@ -487,10 +488,10 @@ up-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then 
@@ -227,7 +236,7 @@ index 34eaf68c7..9ed387a0a 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -499,10 +483,10 @@ up-client-v6:iptables) +@@ -499,10 +500,10 @@ up-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -240,7 +249,7 @@ index 34eaf68c7..9ed387a0a 100644 -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -535,11 +519,11 @@ down-client-v6:iptables) +@@ -535,11 +536,11 @@ down-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -254,7 +263,7 @@ index 34eaf68c7..9ed387a0a 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -549,11 +533,11 @@ down-client-v6:iptables) +@@ -549,11 +550,11 @@ down-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then
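Review bot: the first hunk removes the `commit b439f74361d393bcb85109b6c41a905cf613a296` / Author / Date block and the one-line description "IPFire modifications to _updown script" from src/patches/strongswan-ipfire.patch, so the patch file no longer says what it changes or why. Keep a short header (the subject of this commit would do) above the `diff --git a/src/_updown/_updown.in` line so the next strongswan update can tell these rules apart from upstream changes.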
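Review bot: in the up-client hunk the three new IPSECOUTPUT rules carry the port variables over from the incoming rules unchanged, so the source address is paired with a destination-port match and vice versa: `-s $PLUTO_ME $D_MY_PORT` and `-d $PLUTO_PEER $S_PEER_PORT`, whereas the incoming rules use `-s $PLUTO_PEER $S_PEER_PORT` and `-d $PLUTO_ME $D_MY_PORT`. The mirrored form is `-s $PLUTO_ME $S_MY_PORT` with `-d $PLUTO_PEER $D_PEER_PORT`, which is how the existing v6 outgoing rules in this file are written (`-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT`). Better still, drop the port variables from all six IPIP/AH/ESP rules: these protocols have no ports, and `--sport`/`--dport` are only accepted by iptables together with a port-carrying `-p` such as tcp or udp, so the rules only work today because the variables happen to expand to nothing.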
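Review bot: the three deletion rules added in the down-client hunk reference the wrong chain. They run `iptables --wait -D IPSECINPUT -o $PLUTO_INTERFACE -p IPIP ...` (and likewise for AH and ESP), but the corresponding rules were inserted in the up-client hunk with `-I IPSECOUTPUT 1 -o $PLUTO_INTERFACE ...`. No matching rule exists in IPSECINPUT, so each `-D` fails, and the ACCEPT rules for `$PLUTO_PEER` stay in IPSECOUTPUT after the connection goes down, accumulating one set per up/down cycle and leaving the outgoing firewall open to that peer. Change all three to `iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE ...` so the down path mirrors the up path exactly, and verify with `iptables -L IPSECOUTPUT -n` after an `ipsec down` that the chain is empty again.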