From 8d985911280f63e5f84073236e3ac0008e200152 Mon Sep 17 00:00:00 2001
From: wanxewoj
Date: Thu, 18 Oct 2018 10:17:15 +0200
Subject: [PATCH 1/5] escape ip6 gateway address in square brackets

---
 src/fw_iptables.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
index 0877c9d..6808709 100644
--- a/src/fw_iptables.c
+++ b/src/fw_iptables.c
@@ -381,6 +381,15 @@ iptables_fw_init(void)
 LOCK_CONFIG();
 config = config_get_config();
 gw_interface = safe_strdup(config->gw_interface); /* must free */
+
+ /* ip6 addresses must be specified in square brackets like [ffcc:e08::1] */
+ if (config->ip6) {
+ /* TODO: check config-> gw_address doesn't already contain brackets */
+ safe_asprintf(&gw_address, "[%s]", config->gw_address);
+ } else {
+ gw_address = safe_strdup(config->gw_address); /* must free */
+ }
+
 gw_address = safe_strdup(config->gw_address); /* must free */
 gw_iprange = safe_strdup(config->gw_iprange); /* must free */
 gw_port = config->gw_port;

From 862e9136df9b7d7c634a4a579f1f4abe4801418b Mon Sep 17 00:00:00 2001
From: wanxewoj
Date: Thu, 18 Oct 2018 10:33:22 +0200
Subject: [PATCH 2/5] touch NAT table only when not ip6

---
 src/fw_iptables.c | 62 ++++++++++++++++++++++++-----------------------
 1 file changed, 32 insertions(+), 30 deletions(-)

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
index 6808709..5a3ba1f 100644
--- a/src/fw_iptables.c
+++ b/src/fw_iptables.c
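Review bot: The unconditional `gw_address = safe_strdup(config->gw_address); /* must free */` that follows the new if/else is still present as a context line at the bottom of the hunk, so the bracketed string built by `safe_asprintf` (and the `safe_strdup` result of the else branch) is immediately overwritten and leaked, and in ip6 mode `gw_address` never carries the brackets the comment promises. That context line should be deleted; it is still visible as trailing context in patch 4's `@@ -382,12 +382,16 @@` hunk, so the leak survives the whole series. The TODO about pre-existing brackets could be closed by testing `config->gw_address[0] == '['` before choosing the format, or by documenting at the config parser that `gw_address` is stored without brackets. iptables_fw_init continues outside the hunk.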
@@ -489,38 +489,39 @@ iptables_fw_init(void)
 
 /*
 * **************************************
- * Set up nat table chains and rules
+ * Set up nat table chains and rules (ip4 only)
 *
 */
+
+ if (!config->ip6) {
+ /* Create new chains in nat table */
+ rc |= iptables_do_command("-t nat -N " CHAIN_OUTGOING);
 
- /* Create new chains in nat table */
- rc |= iptables_do_command("-t nat -N " CHAIN_OUTGOING);
+ /*
+ * nat PREROUTING chain
+ */
 
- /*
- * nat PREROUTING chain
- */
+ // packets coming in on gw_interface jump to CHAIN_OUTGOING
+ rc |= iptables_do_command("-t nat -I PREROUTING -i %s -s %s -j " CHAIN_OUTGOING, gw_interface, gw_iprange);
+ // CHAIN_OUTGOING, packets marked TRUSTED ACCEPT
+ rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -m mark --mark 0x%x%s -j RETURN", FW_MARK_TRUSTED, markmask);
+ // CHAIN_OUTGOING, packets marked AUTHENTICATED ACCEPT
+ rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -m mark --mark 0x%x%s -j RETURN", FW_MARK_AUTHENTICATED, markmask);
+ // CHAIN_OUTGOING, append the "preauthenticated-users" ruleset
+ rc |= _iptables_append_ruleset("nat", "preauthenticated-users", CHAIN_OUTGOING);
 
- // packets coming in on gw_interface jump to CHAIN_OUTGOING
- rc |= iptables_do_command("-t nat -I PREROUTING -i %s -s %s -j " CHAIN_OUTGOING, gw_interface, gw_iprange);
- // CHAIN_OUTGOING, packets marked TRUSTED ACCEPT
- rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -m mark --mark 0x%x%s -j RETURN", FW_MARK_TRUSTED, markmask);
- // CHAIN_OUTGOING, packets marked AUTHENTICATED ACCEPT
- rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -m mark --mark 0x%x%s -j RETURN", FW_MARK_AUTHENTICATED, markmask);
- // CHAIN_OUTGOING, append the "preauthenticated-users" ruleset
- rc |= _iptables_append_ruleset("nat", "preauthenticated-users", CHAIN_OUTGOING);
+ // Allow access to remote FAS - CHAIN_OUTGOING and CHAIN_TO_INTERNET packets for remote FAS, ACCEPT
+ if (fas_port && strcmp(fas_remoteip, gw_address)) {
+ rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -p tcp --destination %s --dport %d -j ACCEPT", fas_remoteip, fas_port);
+ }
 
- // Allow access to remote FAS - CHAIN_OUTGOING and CHAIN_TO_INTERNET packets for remote FAS, ACCEPT
- if (fas_port && strcmp(fas_remoteip, gw_address)) {
- rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -p tcp --destination %s --dport %d -j ACCEPT", fas_remoteip, fas_port);
+ // CHAIN_OUTGOING, packets for tcp port 80, redirect to gw_port on primary address for the iface
+ rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -p tcp --dport 80 -j DNAT --to-destination %s:%d", gw_address, gw_port);
+ // CHAIN_OUTGOING, other packets ACCEPT
+ rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -j ACCEPT");
 }
-
- // CHAIN_OUTGOING, packets for tcp port 80, redirect to gw_port on primary address for the iface
- rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -p tcp --dport 80 -j DNAT --to-destination %s:%d", gw_address, gw_port);
- // CHAIN_OUTGOING, other packets ACCEPT
- rc |= iptables_do_command("-t nat -A " CHAIN_OUTGOING " -j ACCEPT");
-
 /*
- * End of nat table chains and rules
+ * End of nat table chains and rules (ip4 only)
 **************************************
 */
 
@@ -733,12 +734,13 @@ iptables_fw_destroy(void)
 iptables_do_command("-t mangle -X " CHAIN_OUTGOING);
 iptables_do_command("-t mangle -X " CHAIN_INCOMING);
 
- /* Everything in the nat table */
-
- debug(LOG_DEBUG, "Destroying chains in the NAT table");
- iptables_fw_destroy_mention("nat", "PREROUTING", CHAIN_OUTGOING);
- iptables_do_command("-t nat -F " CHAIN_OUTGOING);
- iptables_do_command("-t nat -X " CHAIN_OUTGOING);
+ /* Everything in the nat table (ip4 only) */
+ if (!config->ip6) {
+ debug(LOG_DEBUG, "Destroying chains in the NAT table");
+ iptables_fw_destroy_mention("nat", "PREROUTING", CHAIN_OUTGOING);
+ iptables_do_command("-t nat -F " CHAIN_OUTGOING);
+ iptables_do_command("-t nat -X " CHAIN_OUTGOING);
+ }
 
 /* Everything in the filter table */
 
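Review bot: With the whole nat block skipped under `if (!config->ip6) {`, the port-80 DNAT redirect to `gw_address:gw_port` and the remote-FAS ACCEPT rule are silently not installed in ip6 mode, and nothing in the hunk or the commit message records that or says why the nat table is avoided. A reader of the ip6 path will otherwise not know why unauthenticated HTTP ends up rejected in the filter table instead of redirected; I would add an `else` with `debug(LOG_INFO, "ip6 mode: nat table not touched, no port 80 redirect installed");` or at least a comment on the `if` line giving the reason. The rest of iptables_fw_init, including where `config` is assigned, is outside this hunk.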
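Review bot: The nat cleanup in iptables_fw_destroy is now keyed on the current `config->ip6`, so after a configuration switch from ip4 to ip6 a leftover nat `CHAIN_OUTGOING` and its PREROUTING reference from the previous run would no longer be flushed and deleted; this follows from the guard rather than from anything shown, so treat it as inferred. If that is an accepted limitation, the comment could say so: `/* Everything in the nat table (ip4 only; chains left by an earlier ip4 run are not cleaned in ip6 mode) */`. Where `config` is declared and assigned in this function is outside the hunk, so the guard assumes it is set before this point.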
From 89dd8f83ca7117255c1da0c46fd14bd81add9909 Mon Sep 17 00:00:00 2001
From: wanxewoj
Date: Thu, 18 Oct 2018 10:39:43 +0200
Subject: [PATCH 3/5] fix missing CHAIN_ALLOWED during iptables_fw_destroy()

---
 src/fw_iptables.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
index 5a3ba1f..356908c 100644
--- a/src/fw_iptables.c
+++ b/src/fw_iptables.c
@@ -439,6 +439,7 @@ iptables_fw_init(void)
 /* Create new chains in the mangle table */
 rc |= iptables_do_command("-t mangle -N " CHAIN_TRUSTED); /* for marking trusted packets */
 rc |= iptables_do_command("-t mangle -N " CHAIN_BLOCKED); /* for marking blocked packets */
+ rc |= iptables_do_command("-t mangle -N " CHAIN_ALLOWED); /* for marking allowed packets */
 rc |= iptables_do_command("-t mangle -N " CHAIN_INCOMING); /* for counting incoming packets */
 rc |= iptables_do_command("-t mangle -N " CHAIN_OUTGOING); /* for marking authenticated packets, and for counting outgoing packets */
 

From 038e3bb054b344f1eafcb621158b898cb84b1ba8 Mon Sep 17 00:00:00 2001
From: wanxewoj
Date: Thu, 18 Oct 2018 10:55:36 +0200
Subject: [PATCH 4/5] handle differences in ICMP types between ip4 and ip6

---
 src/fw_iptables.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
index 356908c..eb37b9c 100644
--- a/src/fw_iptables.c
+++ b/src/fw_iptables.c
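Review bot: The commit title says the fix is in `iptables_fw_destroy()`, but the hunk header shows the added `-N CHAIN_ALLOWED` lands in `iptables_fw_init`; the title should say what actually changed (the chain is now created in the mangle table) and, if destroy already flushes and deletes `CHAIN_ALLOWED`, that the missing creation is what made that fail. Nothing in this hunk adds rules to or jumps into the new chain, so a comment on the added line naming where it is populated (outside this hunk, if anywhere) would help the next reader. The rest of iptables_fw_init is outside the hunk.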
@@ -382,12 +382,16 @@ iptables_fw_init(void)
 config = config_get_config();
 gw_interface = safe_strdup(config->gw_interface); /* must free */
 
- /* ip6 addresses must be specified in square brackets like [ffcc:e08::1] */
+ /* ip4 vs ip6 differences */
+ const char *ICMP_TYPE;
 if (config->ip6) {
+ /* ip6 addresses must be in square brackets like [ffcc:e08::1] */
 /* TODO: check config-> gw_address doesn't already contain brackets */
 safe_asprintf(&gw_address, "[%s]", config->gw_address);
+ ICMP_TYPE = "icmp6";
 } else {
 gw_address = safe_strdup(config->gw_address); /* must free */
+ ICMP_TYPE = "icmp";
 }
 
 gw_address = safe_strdup(config->gw_address); /* must free */
@@ -579,7 +583,7 @@ iptables_fw_init(void)
 // CHAIN_TRUSTED_TO_ROUTER, append the "trusted-users-to-router" ruleset
 rc |= _iptables_append_ruleset("filter", "trusted-users-to-router", CHAIN_TRUSTED_TO_ROUTER);
 // CHAIN_TRUSTED_TO_ROUTER, any packets not matching that ruleset REJECT
- rc |= iptables_do_command("-t filter -A " CHAIN_TRUSTED_TO_ROUTER " -j REJECT --reject-with icmp-port-unreachable");
+ rc |= iptables_do_command("-t filter -A " CHAIN_TRUSTED_TO_ROUTER " -j REJECT --reject-with %s-port-unreachable", ICMP_TYPE);
 }
 
 // CHAIN_TO_ROUTER, other packets:
@@ -595,7 +599,7 @@ iptables_fw_init(void)
 /* CHAIN_TO_ROUTER, append the "users-to-router" ruleset */
 rc |= _iptables_append_ruleset("filter", "users-to-router", CHAIN_TO_ROUTER);
 /* everything else, REJECT */
- rc |= iptables_do_command("-t filter -A " CHAIN_TO_ROUTER " -j REJECT --reject-with icmp-port-unreachable");
+ rc |= iptables_do_command("-t filter -A " CHAIN_TO_ROUTER " -j REJECT --reject-with %s-port-unreachable", ICMP_TYPE);
 }
 
 
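Review bot: `const char *ICMP_TYPE;` is a mutable local written in both branches, so the all-caps name reads as a macro or enum constant; `const char *const icmp_type = config->ip6 ? "icmp6" : "icmp";` declared with the other locals matches the snake_case of `gw_address` and `gw_interface` and leaves the five later `%s-port-unreachable` hunks unchanged apart from the name. The declaration also sits after statements, which is fine under C99 but worth a glance if the project is still built as C89. The duplicate `gw_address = safe_strdup(config->gw_address);` visible as trailing context is the same leftover raised on patch 1's hunk and is not repeated here. iptables_fw_init continues outside the hunk.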
@@ -643,7 +647,7 @@ iptables_fw_init(void)
 // CHAIN_TRUSTED, append the "trusted-users" ruleset
 rc |= _iptables_append_ruleset("filter", "trusted-users", CHAIN_TRUSTED);
 // CHAIN_TRUSTED, any packets not matching that ruleset REJECT
- rc |= iptables_do_command("-t filter -A " CHAIN_TRUSTED " -j REJECT --reject-with icmp-port-unreachable");
+ rc |= iptables_do_command("-t filter -A " CHAIN_TRUSTED " -j REJECT --reject-with %s-port-unreachable", ICMP_TYPE);
 }
 
 
@@ -663,7 +667,7 @@ iptables_fw_init(void)
 // CHAIN_AUTHENTICATED, append the "authenticated-users" ruleset
 rc |= _iptables_append_ruleset("filter", "authenticated-users", CHAIN_AUTHENTICATED);
 // CHAIN_AUTHENTICATED, any packets not matching that ruleset REJECT
- rc |= iptables_do_command("-t filter -A " CHAIN_AUTHENTICATED " -j REJECT --reject-with icmp-port-unreachable");
+ rc |= iptables_do_command("-t filter -A " CHAIN_AUTHENTICATED " -j REJECT --reject-with %s-port-unreachable", ICMP_TYPE);
 }
 
 /* CHAIN_TO_INTERNET, other packets: */
@@ -679,7 +683,7 @@ iptables_fw_init(void)
 rc |= _iptables_append_ruleset("filter", "preauthenticated-users", CHAIN_TO_INTERNET);
 }
 // CHAIN_TO_INTERNET, all other packets REJECT
- rc |= iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -j REJECT --reject-with icmp-port-unreachable");
+ rc |= iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -j REJECT --reject-with %s-port-unreachable", ICMP_TYPE);
 
 /*
 * End of filter table chains and rules

From f7fe3eb2b515f9a716c58ddae66151a57fe933d4 Mon Sep 17 00:00:00 2001
From: wanxewoj
Date: Thu, 18 Oct 2018 11:00:30 +0200
Subject: [PATCH 5/5] added missing ip4/ip6 handling in iptables_fw_destroy_mention()

---
 src/fw_iptables.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/fw_iptables.c b/src/fw_iptables.c
index eb37b9c..b0d0152 100644
--- a/src/fw_iptables.c
+++ b/src/fw_iptables.c
@@ -781,6 +781,8 @@ iptables_fw_destroy_mention(
 const char *mention
 )
 {
+ s_config *config;
+ char *iptables;
 FILE *p = NULL;
 char *command = NULL;
 char *command2 = NULL;
@@ -790,7 +792,9 @@ iptables_fw_destroy_mention(
 debug(LOG_DEBUG, "Checking all mention of %s from %s.%s", mention, table, chain);
- safe_asprintf(&command, "iptables -t %s -L %s -n --line-numbers -v", table, chain);
+ config = config_get_config();
+ iptables = config->ip6 ? "ip6tables" : "iptables";
+ safe_asprintf(&command, "%s -t %s -L %s -n --line-numbers -v", iptables, table, chain);
 if ((p = popen(command, "r"))) {
 /* Skip first 2 lines */
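Review bot: `iptables` is declared `char *` in the first hunk but only ever points at the string literals `"ip6tables"` and `"iptables"`, so it should be `const char *iptables;` — writing through it would be undefined behaviour and the non-const declaration hides that from `-Wwrite-strings`. The `config = config_get_config();` read is done without the `LOCK_CONFIG()` that iptables_fw_init takes before its own `config_get_config()` call in patch 1; if that lock is meant to guard reads, this call is inconsistent with it. Only the listing `command` is switched to the chosen tool; the rest of iptables_fw_destroy_mention, including `command2`, is outside the hunk, so confirm the delete command it builds selects the same tool, otherwise rules found with ip6tables would be deleted with iptables.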