From 4c98319ddfe1884b55d3dbe286ae68a1e46f7d66 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 27 Sep 2023 17:41:09 +0200 Subject: [PATCH] Add support for restricted VPN networks. --- conf/main_ipv4.conf.sample | 41 ++++++++++ conf/main_ipv6.conf.sample | 41 ++++++++++ conf/post_decalrations.conf | 16 ++++ ip6t-firewall-gateway | 150 ++++++++++++++++++++++++++++++++++++ ipt-firewall-gateway | 149 +++++++++++++++++++++++++++++++++++ 5 files changed, 397 insertions(+) diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 132ef25..b8c1759 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -563,6 +563,47 @@ vpn_local_net_ports="1194" vpn_out_ports="$standard_vpn_port" +# ----- +# - Restrict VPN Network to local Service +# -----# + +# - restrict_vpn_net_to_local_service +# - +# - allow_ext_net_to_local_service="vpn-net:local-address:port:protocol [vpn-net:local-address:port:protocol] [..]" +# - +# - Note: +# - ===== +# - - Only 'tcp' and 'udp' are allowed valuse for protocol. +# - +# - Example: +# - restrict_vpn_net_to_local_service=" +# - 10.100.112.0/24:192.168.112.192/27:80:tcp +# - 10.100.112.0/24:192.168.112.192/27:443:tcp +# - " +# - +# - Blank separated list +# - +restrict_vpn_net_to_local_service="" + + +# ----- +# - Restrict VPN Network to local (Sub) network +# ----- + +# - restrict_vpn_net_to_local_subnet +# - +# - restrict_vpn_net_to_local_subnet=": [:} [..] +# - +# - Example: +# - restrict_vpn_net_to_local_subnet=" +# - 10.100.112.0/24:192.168.112.192/27 +# - " +# - +# - Blank separated list +# - +restrict_vpn_net_to_local_subnet="" + + # ====== # - WireGuard Service # ====== diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 0358892..e76c720 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -548,6 +548,47 @@ vpn_local_net_ports="1194" vpn_out_ports="$standard_vpn_port" +# ----- +# - Restrict VPN Network to local Service +# -----# + +# - restrict_vpn_net_to_local_service +# - +# - allow_ext_net_to_local_service="vpn-net,local-address,port,protocol [vpn-net,local-address,port,protocol] [..]" +# - +# - Note: +# - ===== +# - - Only 'tcp' and 'udp' are allowed valuse for protocol. +# - +# - Example: +# - restrict_vpn_net_to_local_service=" +# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,80,tcp +# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64,443,tcp +# - " +# - +# - Blank separated list +# - +restrict_vpn_net_to_local_service="" + + +# ----- +# - Restrict VPN Network to local (Sub) network +# ----- + +# - restrict_vpn_net_to_local_subnet +# - +# - restrict_vpn_net_to_local_subnet=", [,} [..] +# - +# - Example: +# - restrict_vpn_net_to_local_subnet=" +# - 2001:sc03:dd:bd2f:a63e:eb5f:86a5:d338/64,2003:ec:df3d:ffd:a63e:eb5f:86a5:d338/64 +# - " +# - +# - Blank separated list +# - +restrict_vpn_net_to_local_subnet="" + + # ====== # - WireGuard Service # ====== diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 3968809..703fe14 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf @@ -130,6 +130,22 @@ for _dev in $unprotected_ifs ; do unprotected_if_arr+=("$_dev") done +# --- +# - Restrict VPN Network to local Service +# --- +declare -a restrict_vpn_net_to_local_service_arr=() +for _val in $restrict_vpn_net_to_local_service ; do + restrict_vpn_net_to_local_service_arr+=("$_val") +done + +# --- +# - Restrict VPN Network to local (Sub) network +# --- +declare -a restrict_vpn_net_to_local_subnet_arr=() +for _val in $restrict_vpn_net_to_local_subnet ; do + restrict_vpn_net_to_local_subnet_arr+=("$_val") +done + # --- # - Allow these local networks any access to the internet # --- diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index babf81c..97d0396 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -851,6 +851,156 @@ fi echo_done +echo "" + +unset restricted_vpn_network_arr +unset restricted_vpn_target_network_arr +declare -a restricted_vpn_network_arr +declare -a restricted_vpn_target_network_arr + + +# --- +# - Restrict VPN Network to local Service +# --- + +echononl "\tRestrict VPN Network to local Service" +if [[ ${#restrict_vpn_net_to_local_service_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces ; then + + for _val in "${restrict_vpn_net_to_local_service_arr[@]}" ; do + + IFS=',' read -a _val_arr <<< "${_val}" + + if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then + restricted_vpn_network_arr+=("${_val_arr[0]}") + fi + + if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then + restricted_vpn_target_network_arr+=("${_val_arr[1]}") + fi + + if containsElement "${_val_arr[1]}" "${gateway_ipv6_address_arr[@]}" ; then + + $ip6t -A INPUT -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # Allow also ICMP (ping) + $ip6t -A INPUT -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT +$ipt -A INPUT -s $_net + + else + + $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # Allow also ICMP (ping) to these target networks/hosts + $ip6t -A FORWARD -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT + + fi + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if [[ "${_val_arr[3]}" = "tcp" ]]; then + $ip6t -A FORWARD -p ${_val_arr[3]} -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done + +else + echo_skipped +fi + + +# --- +# - Restrict VPN Network to local (Sub) network +# --- + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! +# - +echononl "\tRestrict VPN Network to local (Sub) network" + +if [[ ${#restrict_vpn_net_to_local_subnet_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces ; then + + for _val in ${restrict_vpn_net_to_local_subnet_arr[@]} ; do + + IFS=',' read -a _val_arr <<< "${_val}" + + if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then + restricted_vpn_network_arr+=("${_val_arr[0]}") + fi + + if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then + restricted_vpn_target_network_arr+=("${_val_arr[1]}") + fi + + $ip6t -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + + done + + echo_done + +else + echo_skipped +fi + + +# --- +# - Allow local DNS Service for restricted VPN Networks +# --- + +echononl "\tAllow local DNS Service for restricted VPN Networks" +if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] ; then + + for _net in "${restricted_vpn_network_arr[@]}" ; do + + + for _ip in "${gateway_ipv6_address_arr[@]}" ; do + + $ip6t -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + + $ip6t -A INPUT -p icmp -s $_net -d $_ip -j ACCEPT + + done + + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Block further traffic from Restrict VPN Networks +# --- + +echononl "\tBlock further traffic from Restrict VPN Networks" +if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] \ + && $kernel_forward_between_interfaces ; then + + for _net in ${restricted_vpn_network_arr[@]} ; do + + #$ip6t -A INPUT -p ALL -s $_net -m conntrack --ctstate NEW -j DROP + #$ip6t -A FORWARD -p ALL -s $_net -m conntrack --ctstate NEW -j DROP + $ip6t -A INPUT -p ALL -s $_net -j DROP + $ip6t -A FORWARD -p ALL -s $_net -j DROP + + done + + echo_done + +else + echo_skipped +fi + +echo "" + + # --- # - Permit all traffic through VPN lines # --- diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 20689b5..15433ca 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -1486,6 +1486,155 @@ fi echo_done +echo "" + +unset restricted_vpn_network_arr +unset restricted_vpn_target_network_arr +declare -a restricted_vpn_network_arr +declare -a restricted_vpn_target_network_arr + + +# --- +# - Restrict VPN Network to local Service +# --- + +echononl "\tRestrict VPN Network to local Service" +if [[ ${#restrict_vpn_net_to_local_service_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _val in "${restrict_vpn_net_to_local_service_arr[@]}" ; do + + IFS=':' read -a _val_arr <<< "${_val}" + + if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then + restricted_vpn_network_arr+=("${_val_arr[0]}") + fi + + if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then + restricted_vpn_target_network_arr+=("${_val_arr[1]}") + fi + + if containsElement "${_val_arr[1]}" "${gateway_ipv4_address_arr[@]}" ; then + + $ipt -A INPUT -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # Allow also ICMP (ping) + $ipt -A INPUT -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT +$ipt -A INPUT -s $_net + else + + $ipt -A FORWARD -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT + + # Allow also ICMP (ping) to these target networks/hosts + $ipt -A FORWARD -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT + + fi + + # - Note: + # - If (local) alias interfaces like eth1:0 in use, youe need a further + # - special rule. + # - + if $local_alias_interfaces ; then + if [[ "${_val_arr[3]}" = "tcp" ]]; then + $ipt -A FORWARD -p tcp -d ${_val_arr[1]} --dport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s ${_val_arr[1]} --sport ${_val_arr[2]} --tcp-flag ACK ACK -j ACCEPT + fi + fi + + done + + echo_done + +else + echo_skipped +fi + + +# --- +# - Restrict VPN Network to local (Sub) network +# --- + +# - !! Note: +# - does NOT depend on settings 'permit_between_local_networks' !! +# - +echononl "\tRestrict VPN Network to local (Sub) network" + +if [[ ${#restrict_vpn_net_to_local_subnet_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _val in ${restrict_vpn_net_to_local_subnet_arr[@]} ; do + + IFS=':' read -a _val_arr <<< "${_val}" + + if ! containsElement "${_val_arr[0]}" "${restricted_vpn_network_arr[@]}" ; then + restricted_vpn_network_arr+=("${_val_arr[0]}") + fi + + if ! containsElement "${_val_arr[1]}" "${restricted_vpn_target_network_arr[@]}" ; then + restricted_vpn_target_network_arr+=("${_val_arr[1]}") + fi + + $ipt -A FORWARD -p ALL -s ${_val_arr[0]} -d ${_val_arr[1]} -m conntrack --ctstate NEW -j ACCEPT + #$ipt -A FORWARD -p icmp -s ${_val_arr[0]} -d ${_val_arr[1]} -j ACCEPT + + done + + echo_done + +else + echo_skipped +fi + + +# --- +# - Allow local DNS Service for restricted VPN Networks +# --- + +echononl "\tAllow local DNS Service for restricted VPN Networks" +if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] ; then + + for _net in "${restricted_vpn_network_arr[@]}" ; do + + + for _ip in "${gateway_ipv4_address_arr[@]}" ; do + + $ipt -A INPUT -p udp -s $_net -d $_ip --dport 53 -m conntrack --ctstate NEW -j ACCEPT + + $ipt -A INPUT -p icmp -s $_net -d $_ip -j ACCEPT + + done + + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Block further traffic from Restrict VPN Networks +# --- + +echononl "\tBlock further traffic from Restrict VPN Networks" +if [[ ${#restricted_vpn_network_arr[@]} -gt 0 ]] \ + && $kernel_activate_forwarding ; then + + for _net in ${restricted_vpn_network_arr[@]} ; do + + #$ipt -A INPUT -p ALL -s $_net -m conntrack --ctstate NEW -j DROP + #$ipt -A FORWARD -p ALL -s $_net -m conntrack --ctstate NEW -j DROP + $ipt -A INPUT -p ALL -s $_net -j DROP + $ipt -A FORWARD -p ALL -s $_net -j DROP + + done + + echo_done + +else + echo_skipped +fi + echo ""