BadVPN – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | include_guard "network" |
| 2 | |||
| 3 | include "pppoe.ncdi" |
||
| 4 | include "dhcp_server.ncdi" |
||
| 5 | include "unbound.ncdi" |
||
| 6 | include "network_control_server.ncdi" |
||
| 7 | include "port_forwarding.ncdi" |
||
| 8 | |||
| 9 | template network_main { |
||
| 10 | log("notice", "NCD starting"); |
||
| 11 | log_r("notice", "NCD stopped"); |
||
| 12 | |||
| 13 | # Load ipv6 module so we can disable ipv6. |
||
| 14 | runonce({"/sbin/modprobe", "ipv6"}); |
||
| 15 | |||
| 16 | # Set some sysctl's. |
||
| 17 | runonce({"/sbin/sysctl", "net.ipv4.ip_forward=1"}); |
||
| 18 | runonce({"/sbin/sysctl", "net.ipv6.conf.all.disable_ipv6=1"}); |
||
| 19 | |||
| 20 | # Setup iptables INPUT chain. |
||
| 21 | net.iptables.policy("filter", "INPUT", "ACCEPT", "ACCEPT"); |
||
| 22 | net.iptables.append("filter", "INPUT", "-i", "lo", "-j", "ACCEPT"); |
||
| 23 | net.iptables.append("filter", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED", "-j", "ACCEPT"); |
||
| 24 | |||
| 25 | # Setup iptables OUTPUT chain. |
||
| 26 | net.iptables.policy("filter", "OUTPUT", "ACCEPT", "ACCEPT"); |
||
| 27 | |||
| 28 | # Setup iptables FORWARD chain. |
||
| 29 | net.iptables.policy("filter", "FORWARD", "DROP", "ACCEPT"); |
||
| 30 | net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "ESTABLISHED", "-j", "ACCEPT"); |
||
| 31 | net.iptables.append("filter", "FORWARD", "-m", "connmark", "--mark", "0x1/0x1", "-j", "ACCEPT"); |
||
| 32 | |||
| 33 | # Create dependency scope. |
||
| 34 | depend_scope() depsc; |
||
| 35 | |||
| 36 | # Start processes. |
||
| 37 | process_manager() mgr; |
||
| 38 | mgr->start("network_lan", {}); |
||
| 39 | mgr->start("network_serverif", {}); |
||
| 40 | mgr->start("network_internet", {}); |
||
| 41 | mgr->start("network_lan_internet_rules", {}); |
||
| 42 | mgr->start("network_serverif_internet_rules", {}); |
||
| 43 | mgr->start("network_lan_serverif_rules", {}); |
||
| 44 | mgr->start("network_lan_dhcp_server", {}); |
||
| 45 | mgr->start("network_unbound", {}); |
||
| 46 | mgr->start("network_port_forwarding", {}); |
||
| 47 | mgr->start("network_start_control_server", {}); |
||
| 48 | } |
||
| 49 | |||
| 50 | template network_weak_hostmodel_rules { |
||
| 51 | alias("_arg0") dev; |
||
| 52 | alias("_arg1") addr; |
||
| 53 | |||
| 54 | concat("INPUT_hostmodel_drop_", dev) drop_chain; |
||
| 55 | |||
| 56 | net.iptables.newchain("filter", drop_chain); |
||
| 57 | net.iptables.append("filter", drop_chain, "-j", "DROP"); |
||
| 58 | net.iptables.append("filter", "INPUT", "-d", addr, "!", "-i", dev, "-j", drop_chain); |
||
| 59 | } |
||
| 60 | |||
| 61 | template network_weak_hostmodel_exception { |
||
| 62 | alias("_arg0") dev; |
||
| 63 | alias("_arg1") match; |
||
| 64 | |||
| 65 | concat("INPUT_hostmodel_drop_", dev) drop_chain; |
||
| 66 | |||
| 67 | listfrom({"filter", drop_chain}, match, {"-j", "RETURN"}) args; |
||
| 68 | net.iptables.insert(args); |
||
| 69 | } |
||
| 70 | |||
| 71 | template network_lan { |
||
| 72 | alias("_caller") main; |
||
| 73 | |||
| 74 | # Some configuration. |
||
| 75 | var("enp1s0") dev; |
||
| 76 | var("192.168.111.1") addr; |
||
| 77 | var("24") prefix; |
||
| 78 | var("192.168.111.100") dhcp_start; |
||
| 79 | var("192.168.111.149") dhcp_end; |
||
| 80 | |||
| 81 | main.depsc->provide("lan_config"); |
||
| 82 | |||
| 83 | # Wait for device, set up, wait for link. |
||
| 84 | net.backend.waitdevice(dev); |
||
| 85 | net.up(dev); |
||
| 86 | net.backend.waitlink(dev); |
||
| 87 | |||
| 88 | # Weak host model. |
||
| 89 | call("network_weak_hostmodel_rules", {dev, addr}); |
||
| 90 | |||
| 91 | # Assign IP address. |
||
| 92 | net.ipv4.addr(dev, addr, prefix); |
||
| 93 | |||
| 94 | # Do SNAT for port forwardings when connections originate from the inside. |
||
| 95 | net.iptables.append("nat", "POSTROUTING", "-m", "connmark", "--mark", "0x2/0x2", "-j", "SNAT", "--to-source", addr, "--random"); |
||
| 96 | |||
| 97 | main.depsc->provide("lan"); |
||
| 98 | } |
||
| 99 | |||
| 100 | template network_serverif { |
||
| 101 | alias("_caller") main; |
||
| 102 | |||
| 103 | # Some configuration. |
||
| 104 | var("enp3s0") dev; |
||
| 105 | var("192.168.113.1") addr; |
||
| 106 | var("24") prefix; |
||
| 107 | |||
| 108 | main.depsc->provide("serverif_config"); |
||
| 109 | |||
| 110 | # Wait for device, set up, wait for link. |
||
| 111 | net.backend.waitdevice(dev); |
||
| 112 | net.up(dev); |
||
| 113 | net.backend.waitlink(dev); |
||
| 114 | |||
| 115 | # Weak host model. |
||
| 116 | call("network_weak_hostmodel_rules", {dev, addr}); |
||
| 117 | |||
| 118 | # Assign IP address. |
||
| 119 | net.ipv4.addr(dev, addr, prefix); |
||
| 120 | |||
| 121 | # Do SNAT for port forwardings when connections originate from the inside. |
||
| 122 | net.iptables.append("nat", "POSTROUTING", "-m", "connmark", "--mark", "0x4/0x4", "-j", "SNAT", "--to-source", addr, "--random"); |
||
| 123 | |||
| 124 | main.depsc->provide("serverif"); |
||
| 125 | } |
||
| 126 | |||
| 127 | template network_internet { |
||
| 128 | alias("_caller") main; |
||
| 129 | |||
| 130 | # Some configuration. |
||
| 131 | var("enp2s0") pppoe_dev; |
||
| 132 | var("MISSING") pppoe_username; |
||
| 133 | var("MISSING") pppoe_password; |
||
| 134 | |||
| 135 | # Wait for device, set up, wait for link. |
||
| 136 | net.backend.waitdevice(pppoe_dev); |
||
| 137 | net.up(pppoe_dev); |
||
| 138 | net.backend.waitlink(pppoe_dev); |
||
| 139 | |||
| 140 | log("notice", "PPPoE started"); |
||
| 141 | log_r("notice", "PPPoE stopped"); |
||
| 142 | |||
| 143 | # Start PPPoE. |
||
| 144 | call("pppoe", {pppoe_dev, pppoe_username, pppoe_password, "network_internet_pppoe_preup"}) pppoe; |
||
| 145 | |||
| 146 | # Grab configuration. |
||
| 147 | var(pppoe.ifname) dev; |
||
| 148 | var(pppoe.local_ip) addr; |
||
| 149 | var(pppoe.remote_ip) remote_addr; |
||
| 150 | var(pppoe.dns_servers) dns_servers; |
||
| 151 | |||
| 152 | to_string(dns_servers) dns_str; |
||
| 153 | log("notice", "PPPoE up dev=", dev, " local=", addr, " remote=", remote_addr, " dns=", dns_str); |
||
| 154 | log_r("notice", "PPPoE down"); |
||
| 155 | |||
| 156 | # Add default route. |
||
| 157 | net.ipv4.route("0.0.0.0/0", remote_addr, "20", dev); |
||
| 158 | |||
| 159 | main.depsc->provide("internet"); |
||
| 160 | } |
||
| 161 | |||
| 162 | template network_internet_pppoe_preup { |
||
| 163 | alias("_arg0") dev; |
||
| 164 | alias("_arg1") addr; |
||
| 165 | alias("_arg2") remote_ip; |
||
| 166 | alias("_arg3") dns_servers; |
||
| 167 | |||
| 168 | # Weak host model. |
||
| 169 | call("network_weak_hostmodel_rules", {dev, addr}); |
||
| 170 | |||
| 171 | # Drop packets to this system, except some things. |
||
| 172 | net.iptables.newchain("filter", "INPUT_internet_drop"); |
||
| 173 | #net.iptables.append("filter", "INPUT_internet_drop", "-p", "tcp", "--dport", "22", "-j", "RETURN"); |
||
| 174 | net.iptables.append("filter", "INPUT_internet_drop", "-j", "DROP"); |
||
| 175 | net.iptables.append("filter", "INPUT", "-i", dev, "-j", "INPUT_internet_drop"); |
||
| 176 | |||
| 177 | # Do SNAT for packets going out. |
||
| 178 | net.iptables.append("nat", "POSTROUTING", "-o", dev, "-j", "SNAT", "--to-source", addr, "--random"); |
||
| 179 | |||
| 180 | # Do MMS clamping. |
||
| 181 | net.iptables.append("mangle", "OUTPUT", "-o", dev, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"); |
||
| 182 | net.iptables.append("mangle", "FORWARD", "-o", dev, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu"); |
||
| 183 | } |
||
| 184 | |||
| 185 | template network_lan_internet_rules { |
||
| 186 | alias("_caller") main; |
||
| 187 | main.depsc->depend({"lan"}) lan; |
||
| 188 | main.depsc->depend({"internet"}) internet; |
||
| 189 | |||
| 190 | # Add exception to weak host model of internet interface. |
||
| 191 | call("network_weak_hostmodel_exception", {internet.dev, {"-i", lan.dev}}); |
||
| 192 | net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", lan.dev, "-o", internet.dev, "-j", "ACCEPT"); |
||
| 193 | } |
||
| 194 | |||
| 195 | template network_serverif_internet_rules { |
||
| 196 | alias("_caller") main; |
||
| 197 | main.depsc->depend({"serverif"}) serverif; |
||
| 198 | main.depsc->depend({"internet"}) internet; |
||
| 199 | |||
| 200 | # Allow traffic from LAN to Internet. |
||
| 201 | call("network_weak_hostmodel_exception", {internet.dev, {"-i", serverif.dev}}); |
||
| 202 | net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", serverif.dev, "-o", internet.dev, "-j", "ACCEPT"); |
||
| 203 | } |
||
| 204 | |||
| 205 | template network_lan_serverif_rules { |
||
| 206 | alias("_caller") main; |
||
| 207 | main.depsc->depend({"lan"}) lan; |
||
| 208 | main.depsc->depend({"serverif"}) serverif; |
||
| 209 | |||
| 210 | # Allow traffic from serverif to LAN. |
||
| 211 | call("network_weak_hostmodel_exception", {serverif.dev, {"-i", lan.dev}}); |
||
| 212 | net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", lan.dev, "-o", serverif.dev, "-j", "ACCEPT"); |
||
| 213 | |||
| 214 | # Allow traffic from LAN to serverif. |
||
| 215 | call("network_weak_hostmodel_exception", {lan.dev, {"-i", serverif.dev}}); |
||
| 216 | net.iptables.append("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-i", serverif.dev, "-o", lan.dev, "-j", "ACCEPT"); |
||
| 217 | } |
||
| 218 | |||
| 219 | template network_lan_dhcp_server { |
||
| 220 | alias("_caller") main; |
||
| 221 | main.depsc->depend({"lan"}) lan; |
||
| 222 | |||
| 223 | # Start DHCP server. |
||
| 224 | call("dhcp_server", {lan.addr, lan.prefix, lan.dhcp_start, lan.dhcp_end, {lan.addr}, {lan.addr}}); |
||
| 225 | } |
||
| 226 | |||
| 227 | template network_unbound { |
||
| 228 | alias("_caller") main; |
||
| 229 | main.depsc->depend({"lan_config"}) lan_config; |
||
| 230 | main.depsc->depend({"serverif_config"}) serverif_config; |
||
| 231 | |||
| 232 | # Add DNS servers. |
||
| 233 | net.dns({"127.0.0.1"}, "20"); |
||
| 234 | |||
| 235 | # Build configuration. |
||
| 236 | ipv4_net_from_addr_and_prefix(lan_config.addr, lan_config.prefix) lan_network; |
||
| 237 | ipv4_net_from_addr_and_prefix(serverif_config.addr, serverif_config.prefix) serverif_network; |
||
| 238 | var({ |
||
| 239 | {lan_network, lan_config.prefix, "allow"}, |
||
| 240 | {serverif_network, serverif_config.prefix, "allow"} |
||
| 241 | }) access_control_rules; |
||
| 242 | |||
| 243 | # Start Unbound. |
||
| 244 | call("unbound", {"lan", access_control_rules}); |
||
| 245 | } |
||
| 246 | |||
| 247 | template network_port_forwarding { |
||
| 248 | alias("_caller") main; |
||
| 249 | |||
| 250 | # Start forwarding. |
||
| 251 | call("port_forwarding", {"/var/lib/ncd-port-forwardings.ncdvalue", "network_port_forwarding_rules"}) pf; |
||
| 252 | |||
| 253 | main.depsc->provide("port_forwarding"); |
||
| 254 | } |
||
| 255 | |||
| 256 | template network_port_forwarding_rules { |
||
| 257 | alias("_caller.main") main; |
||
| 258 | alias("_arg0") protocol; |
||
| 259 | alias("_arg1") port_start; |
||
| 260 | alias("_arg2") port_end; |
||
| 261 | alias("_arg3") dest_addr; |
||
| 262 | |||
| 263 | # Get access to lan and serverif configuration. |
||
| 264 | main.depsc->depend({"lan_config"}) lan; |
||
| 265 | main.depsc->depend({"serverif_config"}) serverif; |
||
| 266 | |||
| 267 | # Wait for Internet interface. |
||
| 268 | main.depsc->depend({"internet"}) internet; |
||
| 269 | |||
| 270 | # Build port range string. |
||
| 271 | concat(port_start, ":", port_end) port_range; |
||
| 272 | |||
| 273 | # Add rules. |
||
| 274 | net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-i", lan.dev, "-j", "CONNMARK", "--set-xmark", "0x3/0x3"); |
||
| 275 | net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-i", serverif.dev, "-j", "CONNMARK", "--set-xmark", "0x5/0x5"); |
||
| 276 | net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-i", internet.dev, "-j", "CONNMARK", "--set-xmark", "0x1/0x1"); |
||
| 277 | net.iptables.append("nat", "PREROUTING", "-d", internet.addr, "-p", protocol, "--dport", port_range, "-j", "DNAT", "--to-destination", dest_addr); |
||
| 278 | } |
||
| 279 | |||
| 280 | template network_start_control_server { |
||
| 281 | alias("_caller") main; |
||
| 282 | main.depsc->depend({"lan_config"}) lan_config; |
||
| 283 | |||
| 284 | # Start control server. |
||
| 285 | call("network_control_server", {"/run/ncd-control.socket", |
||
| 286 | "network_control_list_port_forwardings", |
||
| 287 | "network_control_add_port_forwarding", |
||
| 288 | "network_control_remove_port_forwarding"}); |
||
| 289 | } |
||
| 290 | |||
| 291 | template network_control_list_port_forwardings { |
||
| 292 | alias("_caller.main") main; |
||
| 293 | |||
| 294 | main.depsc->depend({"port_forwarding"}) port_forwarding; |
||
| 295 | var(port_forwarding.pf.map.keys) port_forwardings; |
||
| 296 | } |
||
| 297 | |||
| 298 | template network_control_add_port_forwarding { |
||
| 299 | alias("_caller.main") main; |
||
| 300 | alias("_arg0") protocol; |
||
| 301 | alias("_arg1") port_start; |
||
| 302 | alias("_arg2") port_end; |
||
| 303 | alias("_arg3") dest_addr; |
||
| 304 | |||
| 305 | var("") try_error_text; |
||
| 306 | try("network_verify_port_forwarding_try", {}) verify_try; |
||
| 307 | |||
| 308 | If (verify_try.succeeded) { |
||
| 309 | main.depsc->depend({"port_forwarding"}) port_forwarding; |
||
| 310 | |||
| 311 | call("port_forwarding_add", {"_caller.port_forwarding.pf", protocol, port_start, port_end, dest_addr}) call; |
||
| 312 | alias("call.succeeded") succeeded; |
||
| 313 | alias("call.error_text") error_text; |
||
| 314 | } Else { |
||
| 315 | var("false") succeeded; |
||
| 316 | alias("try_error_text") error_text; |
||
| 317 | } branch; |
||
| 318 | |||
| 319 | alias("branch.succeeded") succeeded; |
||
| 320 | alias("branch.error_text") error_text; |
||
| 321 | } |
||
| 322 | |||
| 323 | template network_control_remove_port_forwarding { |
||
| 324 | alias("_caller.main") main; |
||
| 325 | alias("_arg0") protocol; |
||
| 326 | alias("_arg1") port_start; |
||
| 327 | alias("_arg2") port_end; |
||
| 328 | alias("_arg3") dest_addr; |
||
| 329 | |||
| 330 | main.depsc->depend({"port_forwarding"}) port_forwarding; |
||
| 331 | |||
| 332 | call("port_forwarding_remove", {"_caller.port_forwarding.pf", protocol, port_start, port_end, dest_addr}) call; |
||
| 333 | alias("call.succeeded") succeeded; |
||
| 334 | alias("call.error_text") error_text; |
||
| 335 | } |
||
| 336 | |||
| 337 | template network_verify_port_forwarding_try { |
||
| 338 | alias("_caller") c; |
||
| 339 | |||
| 340 | c.main.depsc->depend({"lan_config"}) lan; |
||
| 341 | c.main.depsc->depend({"serverif_config"}) serverif; |
||
| 342 | |||
| 343 | net.ipv4.addr_in_network(c.dest_addr, lan.addr, lan.prefix) in_lan; |
||
| 344 | net.ipv4.addr_in_network(c.dest_addr, serverif.addr, serverif.prefix) in_serverif; |
||
| 345 | |||
| 346 | If (in_lan) { |
||
| 347 | print(); |
||
| 348 | } |
||
| 349 | Elif (in_serverif) { |
||
| 350 | print(); |
||
| 351 | } |
||
| 352 | Else { |
||
| 353 | c.try_error_text->set("Destination address does not belong to any permitted network."); |
||
| 354 | _try->assert("false"); |
||
| 355 | }; |
||
| 356 | } |