1 | office | 1 | include_guard "network" |
2 | |||
3 | include "pppoe.ncdi" |
||
4 | include "dhcp_server.ncdi" |
||
5 | include "unbound.ncdi" |
||
6 | include "network_control_server.ncdi" |
||
7 | include "port_forwarding.ncdi" |
||
8 | |||
template network_main {
    # Entry point of the router configuration. Lays down the base iptables
    # state and the dependency scope, then starts every other network_*
    # template as a managed process. NCD statements are brought up in order
    # and torn down in reverse; the log_r lines are the teardown-side logs.
    log("notice", "NCD starting");
    log_r("notice", "NCD stopped");

    # Load ipv6 module so we can disable ipv6.
    # (The net.ipv6.* sysctl key only exists once the module is loaded.)
    runonce({"/sbin/modprobe", "ipv6"});

    # Set some sysctl's.
    # ip_forward=1 turns this host into a router; from here on the FORWARD
    # chain below is the only thing between the interfaces.
    runonce({"/sbin/sysctl", "net.ipv4.ip_forward=1"});
    # Everything in this file is iptables (IPv4); there is no ip6tables
    # counterpart, so IPv6 is switched off rather than left unfiltered.
    runonce({"/sbin/sysctl", "net.ipv6.conf.all.disable_ipv6=1"});

    # Setup iptables INPUT chain.
    # Policy stays ACCEPT (the second value is presumably the policy restored on
    # teardown). Nothing here drops: per-interface filtering is appended later
    # by network_weak_hostmodel_rules (INPUT_hostmodel_drop_<dev>) and by
    # network_internet_pppoe_preup (INPUT_internet_drop). Hosts on the LAN and
    # serverif segments therefore reach every local service.
    net.iptables.policy("filter", "INPUT", "ACCEPT", "ACCEPT");
    net.iptables.append("filter", "INPUT", "-i", "lo", "-j", "ACCEPT");
    # ESTABLISHED only; RELATED is not matched, so conntrack-helper
    # expectations get no automatic pass through INPUT.
    net.iptables.append("filter", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED", "-j", "ACCEPT");

    # Setup iptables OUTPUT chain.
    net.iptables.policy("filter", "OUTPUT", "ACCEPT", "ACCEPT");

    # Setup iptables FORWARD chain.
    # Default DROP between interfaces; per-direction NEW rules live in the
    # network_*_rules templates.
    net.iptables.policy("filter", "FORWARD", "DROP", "ACCEPT");
    net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "ESTABLISHED", "-j", "ACCEPT");
    # Connmark bit 0x1 is set in nat PREROUTING by network_port_forwarding_rules
    # for connections that hit a forwarded port (marks 0x1, 0x3 and 0x5 all
    # carry it), so forwarded connections are admitted regardless of the
    # ingress interface.
    net.iptables.append("filter", "FORWARD", "-m", "connmark", "--mark", "0x1/0x1", "-j", "ACCEPT");

    # Create dependency scope.
    # Child templates reach this as main.depsc through alias("_caller") and use
    # provide()/depend() on it to sequence themselves.
    depend_scope() depsc;

    # Start processes.
    process_manager() mgr;
    mgr->start("network_lan", {});
    mgr->start("network_serverif", {});
    mgr->start("network_internet", {});
    mgr->start("network_lan_internet_rules", {});
    mgr->start("network_serverif_internet_rules", {});
    mgr->start("network_lan_serverif_rules", {});
    mgr->start("network_lan_dhcp_server", {});
    mgr->start("network_unbound", {});
    mgr->start("network_port_forwarding", {});
    mgr->start("network_start_control_server", {});
}
||
49 | |||
template network_weak_hostmodel_rules {
    # Counteracts the Linux weak host model for one interface.
    #   _arg0: interface name
    #   _arg1: the address assigned to that interface
    # Packets addressed to addr that arrive on any interface other than dev are
    # sent to INPUT_hostmodel_drop_<dev>, which DROPs them unless a RETURN rule
    # inserted earlier by network_weak_hostmodel_exception matches first.
    alias("_arg0") dev;
    alias("_arg1") addr;

    # One drop chain per interface; the same name is rebuilt by
    # network_weak_hostmodel_exception, so the two must stay in sync.
    concat("INPUT_hostmodel_drop_", dev) drop_chain;

    net.iptables.newchain("filter", drop_chain);
    net.iptables.append("filter", drop_chain, "-j", "DROP");
    net.iptables.append("filter", "INPUT", "-d", addr, "!", "-i", dev, "-j", drop_chain);
}
||
60 | |||
template network_weak_hostmodel_exception {
    # Punches a hole in the drop chain created by network_weak_hostmodel_rules.
    #   _arg0: interface whose drop chain is modified
    #   _arg1: list of raw iptables match arguments (e.g. {"-i", other_dev})
    # The RETURN rule is inserted (presumably at position 1), so it precedes
    # the DROP that was appended when the chain was created. match is spliced
    # into the iptables argument list verbatim.
    alias("_arg0") dev;
    alias("_arg1") match;

    concat("INPUT_hostmodel_drop_", dev) drop_chain;

    listfrom({"filter", drop_chain}, match, {"-j", "RETURN"}) args;
    net.iptables.insert(args);
}
||
70 | |||
template network_lan {
    # Brings up the LAN interface. Exposes dev, addr, prefix, dhcp_start and
    # dhcp_end to dependents through main.depsc.
    alias("_caller") main;

    # Some configuration.
    var("enp1s0") dev;
    var("192.168.111.1") addr;
    var("24") prefix;
    var("192.168.111.100") dhcp_start;
    var("192.168.111.149") dhcp_end;

    # "lan_config" is provided before the device/link wait so that templates
    # that only need the addresses (network_unbound,
    # network_port_forwarding_rules) do not block on link state.
    main.depsc->provide("lan_config");

    # Wait for device, set up, wait for link.
    net.backend.waitdevice(dev);
    net.up(dev);
    net.backend.waitlink(dev);

    # Weak host model.
    # Installed before the address is assigned, so there is no window where
    # addr is reachable from other interfaces without the drop chain.
    call("network_weak_hostmodel_rules", {dev, addr});

    # Assign IP address.
    net.ipv4.addr(dev, addr, prefix);

    # Do SNAT for port forwardings when connections originate from the inside.
    # Connmark bit 0x2 is set by network_port_forwarding_rules (mark 0x3) when a
    # forwarded connection enters from this interface; rewriting the source to
    # addr makes the forwarded host's replies come back through this router
    # instead of going directly to the LAN client.
    net.iptables.append("nat", "POSTROUTING", "-m", "connmark", "--mark", "0x2/0x2", "-j", "SNAT", "--to-source", addr, "--random");

    main.depsc->provide("lan");
}
||
99 | |||
template network_serverif {
    # Brings up the server-segment interface; mirrors network_lan without the
    # DHCP range. Exposes dev, addr and prefix through main.depsc.
    alias("_caller") main;

    # Some configuration.
    var("enp3s0") dev;
    var("192.168.113.1") addr;
    var("24") prefix;

    # Provided before the device/link wait; see network_lan.
    main.depsc->provide("serverif_config");

    # Wait for device, set up, wait for link.
    net.backend.waitdevice(dev);
    net.up(dev);
    net.backend.waitlink(dev);

    # Weak host model.
    call("network_weak_hostmodel_rules", {dev, addr});

    # Assign IP address.
    net.ipv4.addr(dev, addr, prefix);

    # Do SNAT for port forwardings when connections originate from the inside.
    # Connmark bit 0x4 is the serverif counterpart of LAN's 0x2 (set as mark
    # 0x5 by network_port_forwarding_rules).
    net.iptables.append("nat", "POSTROUTING", "-m", "connmark", "--mark", "0x4/0x4", "-j", "SNAT", "--to-source", addr, "--random");

    main.depsc->provide("serverif");
}
||
126 | |||
template network_internet {
    # Brings up the Internet uplink over PPPoE. Exposes dev, addr, remote_addr
    # and dns_servers through main.depsc as "internet".
    alias("_caller") main;

    # Some configuration.
    var("enp2s0") pppoe_dev;
    # Placeholders. Once filled in, this file holds the PPPoE credentials in
    # clear text; its file permissions should reflect that.
    var("MISSING") pppoe_username;
    var("MISSING") pppoe_password;

    # Wait for device, set up, wait for link.
    net.backend.waitdevice(pppoe_dev);
    net.up(pppoe_dev);
    net.backend.waitlink(pppoe_dev);

    log("notice", "PPPoE started");
    log_r("notice", "PPPoE stopped");

    # Start PPPoE.
    # The last argument names the template run before the ppp interface is
    # brought up (network_internet_pppoe_preup), which installs the firewall
    # rules for it.
    call("pppoe", {pppoe_dev, pppoe_username, pppoe_password, "network_internet_pppoe_preup"}) pppoe;

    # Grab configuration.
    var(pppoe.ifname) dev;
    var(pppoe.local_ip) addr;
    var(pppoe.remote_ip) remote_addr;
    # dns_servers is only logged here; the resolver is configured by
    # network_unbound (net.dns to 127.0.0.1).
    var(pppoe.dns_servers) dns_servers;

    to_string(dns_servers) dns_str;
    log("notice", "PPPoE up dev=", dev, " local=", addr, " remote=", remote_addr, " dns=", dns_str);
    log_r("notice", "PPPoE down");

    # Add default route.
    net.ipv4.route("0.0.0.0/0", remote_addr, "20", dev);

    main.depsc->provide("internet");
}
||
161 | |||
template network_internet_pppoe_preup {
    # Firewall/NAT rules for the ppp interface, run by the pppoe template before
    # the interface comes up (see the call in network_internet).
    #   _arg0: ppp interface name
    #   _arg1: local address
    #   _arg2: remote (peer) address
    #   _arg3: DNS servers from the peer (unused here)
    alias("_arg0") dev;
    alias("_arg1") addr;
    alias("_arg2") remote_ip;
    alias("_arg3") dns_servers;

    # Weak host model.
    call("network_weak_hostmodel_rules", {dev, addr});

    # Drop packets to this system, except some things.
    # Everything arriving on the uplink and addressed to this host is dropped;
    # exceptions would go before the DROP as RETURN rules. The SSH line below
    # is kept commented out: enabling it exposes TCP/22 on the Internet side.
    net.iptables.newchain("filter", "INPUT_internet_drop");
    #net.iptables.append("filter", "INPUT_internet_drop", "-p", "tcp", "--dport", "22", "-j", "RETURN");
    net.iptables.append("filter", "INPUT_internet_drop", "-j", "DROP");
    net.iptables.append("filter", "INPUT", "-i", dev, "-j", "INPUT_internet_drop");

    # Do SNAT for packets going out.
    net.iptables.append("nat", "POSTROUTING", "-o", dev, "-j", "SNAT", "--to-source", addr, "--random");

    # Do MSS clamping.
    # Clamp TCP MSS to path MTU on SYN packets leaving via the ppp link, for
    # both locally generated and forwarded traffic.
    net.iptables.append("mangle", "OUTPUT", "-o", dev, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu");
    net.iptables.append("mangle", "FORWARD", "-o", dev, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu");
}
||
184 | |||
template network_lan_internet_rules {
    # LAN -> Internet forwarding rules; waits for both interfaces.
    alias("_caller") main;
    main.depsc->depend({"lan"}) lan;
    main.depsc->depend({"internet"}) internet;

    # Add exception to weak host model of internet interface.
    # Lets LAN hosts reach the uplink's own address (needed for port forwardings
    # addressed to internet.addr from inside).
    call("network_weak_hostmodel_exception", {internet.dev, {"-i", lan.dev}});
    # New connections LAN -> Internet only; the reverse direction relies on
    # ESTABLISHED and the 0x1 connmark rules in network_main.
    net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", lan.dev, "-o", internet.dev, "-j", "ACCEPT");
}
||
194 | |||
template network_serverif_internet_rules {
    # serverif -> Internet forwarding rules; mirrors network_lan_internet_rules.
    alias("_caller") main;
    main.depsc->depend({"serverif"}) serverif;
    main.depsc->depend({"internet"}) internet;

    # Allow traffic from serverif to Internet.
    call("network_weak_hostmodel_exception", {internet.dev, {"-i", serverif.dev}});
    net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", serverif.dev, "-o", internet.dev, "-j", "ACCEPT");
}
||
204 | |||
template network_lan_serverif_rules {
    # Forwarding between LAN and serverif. New connections are accepted in both
    # directions, so the two segments are fully open to each other.
    alias("_caller") main;
    main.depsc->depend({"lan"}) lan;
    main.depsc->depend({"serverif"}) serverif;

    # Allow traffic from serverif to LAN.
    call("network_weak_hostmodel_exception", {serverif.dev, {"-i", lan.dev}});
    net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", lan.dev, "-o", serverif.dev, "-j", "ACCEPT");

    # Allow traffic from LAN to serverif.
    call("network_weak_hostmodel_exception", {lan.dev, {"-i", serverif.dev}});
    net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", serverif.dev, "-o", lan.dev, "-j", "ACCEPT");
}
||
218 | |||
template network_lan_dhcp_server {
    # Runs the DHCP server on the LAN once the interface is up.
    alias("_caller") main;
    main.depsc->depend({"lan"}) lan;

    # Start DHCP server.
    # Arguments: server address, prefix, pool start/end, then two lists holding
    # the LAN address — presumably the router and DNS server lists handed to
    # clients; confirm against dhcp_server.ncdi.
    call("dhcp_server", {lan.addr, lan.prefix, lan.dhcp_start, lan.dhcp_end, {lan.addr}, {lan.addr}});
}
||
226 | |||
template network_unbound {
    # Runs the local Unbound resolver and points this host's DNS at it.
    # Depends on the *_config providers only, so it starts before link-up.
    alias("_caller") main;
    main.depsc->depend({"lan_config"}) lan_config;
    main.depsc->depend({"serverif_config"}) serverif_config;

    # Add DNS servers.
    net.dns({"127.0.0.1"}, "20");

    # Build configuration.
    # Access control is limited to the LAN and serverif networks; no other
    # source is allowed to query the resolver.
    ipv4_net_from_addr_and_prefix(lan_config.addr, lan_config.prefix) lan_network;
    ipv4_net_from_addr_and_prefix(serverif_config.addr, serverif_config.prefix) serverif_network;
    var({
        {lan_network, lan_config.prefix, "allow"},
        {serverif_network, serverif_config.prefix, "allow"}
    }) access_control_rules;

    # Start Unbound.
    call("unbound", {"lan", access_control_rules});
}
||
246 | |||
template network_port_forwarding {
    # Loads the persisted port forwardings and installs their rules.
    alias("_caller") main;

    # Start forwarding.
    # First argument is the persistence file, second the template applied per
    # forwarding (network_port_forwarding_rules). The result is exposed as pf
    # (pf.map is read by network_control_list_port_forwardings).
    call("port_forwarding", {"/var/lib/ncd-port-forwardings.ncdvalue", "network_port_forwarding_rules"}) pf;

    main.depsc->provide("port_forwarding");
}
||
255 | |||
template network_port_forwarding_rules {
    # Installs the nat rules for one port forwarding. Presumably invoked by
    # port_forwarding.ncdi for every stored entry.
    #   _arg0: protocol
    #   _arg1, _arg2: port range bounds
    #   _arg3: destination address inside LAN or serverif
    # Only dest_addr is validated anywhere in this file, and only on the add
    # path (network_verify_port_forwarding_try); protocol and the port bounds
    # are passed to iptables unchecked, and entries read back from the
    # persistence file are not re-validated here.
    alias("_caller.main") main;
    alias("_arg0") protocol;
    alias("_arg1") port_start;
    alias("_arg2") port_end;
    alias("_arg3") dest_addr;

    # Get access to lan and serverif configuration.
    main.depsc->depend({"lan_config"}) lan;
    main.depsc->depend({"serverif_config"}) serverif;

    # Wait for Internet interface.
    main.depsc->depend({"internet"}) internet;

    # Build port range string.
    concat(port_start, ":", port_end) port_range;

    # Add rules.
    # Connmark bits: 0x1 = forwarded connection (accepted in FORWARD by
    # network_main), 0x2 = entered from LAN, 0x4 = entered from serverif (the
    # latter two drive the hairpin SNAT in network_lan / network_serverif).
    net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-i", lan.dev, "-j", "CONNMARK", "--set-xmark", "0x3/0x3");
    net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-i", serverif.dev, "-j", "CONNMARK", "--set-xmark", "0x5/0x5");
    net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-i", internet.dev, "-j", "CONNMARK", "--set-xmark", "0x1/0x1");
    # The DNAT has no -i restriction, so it applies from any interface.
    net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-j", "DNAT", "--to-destination", dest_addr);
}
||
279 | |||
template network_start_control_server {
    # Starts the control socket through which forwardings are listed, added and
    # removed. Who may connect is decided in network_control_server.ncdi, not
    # here; anyone with access to the socket can change the NAT rules.
    alias("_caller") main;
    # lan_config is depended on but not referenced below — presumably only to
    # delay the server until the LAN configuration exists; confirm.
    main.depsc->depend({"lan_config"}) lan_config;

    # Start control server.
    # Arguments: socket path, then the three handler templates.
    call("network_control_server", {"/run/ncd-control.socket",
        "network_control_list_port_forwardings",
        "network_control_add_port_forwarding",
        "network_control_remove_port_forwarding"});
}
||
290 | |||
template network_control_list_port_forwardings {
    # Control handler: exposes the keys of the forwarding map as
    # port_forwardings.
    alias("_caller.main") main;

    main.depsc->depend({"port_forwarding"}) port_forwarding;
    var(port_forwarding.pf.map.keys) port_forwardings;
}
||
297 | |||
template network_control_add_port_forwarding {
    # Control handler: validates and adds a forwarding.
    #   _arg0..3: protocol, port_start, port_end, dest_addr
    # Exposes succeeded and error_text from whichever branch ran.
    alias("_caller.main") main;
    alias("_arg0") protocol;
    alias("_arg1") port_start;
    alias("_arg2") port_end;
    alias("_arg3") dest_addr;

    # try_error_text is written by network_verify_port_forwarding_try (via
    # c.try_error_text->set) when validation fails.
    var("") try_error_text;
    try("network_verify_port_forwarding_try", {}) verify_try;

    If (verify_try.succeeded) {
        main.depsc->depend({"port_forwarding"}) port_forwarding;

        # The first argument is a reference path to the pf object, resolved
        # by port_forwarding_add from its caller.
        call("port_forwarding_add", {"_caller.port_forwarding.pf", protocol, port_start, port_end, dest_addr}) call;
        alias("call.succeeded") succeeded;
        alias("call.error_text") error_text;
    } Else {
        var("false") succeeded;
        alias("try_error_text") error_text;
    } branch;

    alias("branch.succeeded") succeeded;
    alias("branch.error_text") error_text;
}
||
322 | |||
template network_control_remove_port_forwarding {
    # Control handler: removes a forwarding identified by the same four values
    # it was added with. No validation step is needed for removal.
    alias("_caller.main") main;
    alias("_arg0") protocol;
    alias("_arg1") port_start;
    alias("_arg2") port_end;
    alias("_arg3") dest_addr;

    main.depsc->depend({"port_forwarding"}) port_forwarding;

    call("port_forwarding_remove", {"_caller.port_forwarding.pf", protocol, port_start, port_end, dest_addr}) call;
    alias("call.succeeded") succeeded;
    alias("call.error_text") error_text;
}
||
336 | |||
template network_verify_port_forwarding_try {
    # Validation body run under try() by network_control_add_port_forwarding.
    # Succeeds when c.dest_addr lies inside the LAN or serverif network; otherwise
    # records an error in the caller's try_error_text and fails the try.
    # Note that protocol, port_start and port_end are not checked here.
    alias("_caller") c;

    c.main.depsc->depend({"lan_config"}) lan;
    c.main.depsc->depend({"serverif_config"}) serverif;

    net.ipv4.addr_in_network(c.dest_addr, lan.addr, lan.prefix) in_lan;
    net.ipv4.addr_in_network(c.dest_addr, serverif.addr, serverif.prefix) in_serverif;

    # The accepting branches presumably need a statement to be non-empty;
    # print() with no arguments looks like a no-op placeholder — confirm.
    If (in_lan) {
        print();
    }
    Elif (in_serverif) {
        print();
    }
    Else {
        c.try_error_text->set("Destination address does not belong to any permitted network.");
        _try->assert("false");
    };
}