From da9e757b8e48c54a4ecbd3bdb027b573ac5a3314 Mon Sep 17 00:00:00 2001
From: Jayapal
Date: Thu, 13 Aug 2015 14:07:12 +0530
Subject: [PATCH 1/4] CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn

---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 2f3235ef69c..2caaf3c7ad6 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -678,9 +678,6 @@ def main(argv):
     red = CsRedundant(config)
     red.set()
 
-    nf = CsNetfilters()
-    nf.compare(config.get_fw())
-
     vpns = CsSite2SiteVpn("site2sitevpn", config)
     vpns.process()
 
@@ -693,6 +690,9 @@ def main(argv):
     mon = CsMonitor("monitorservice", config)
     mon.process()
 
+    nf = CsNetfilters()
+    nf.compare(config.get_fw())
+
     # Save iptables configuration - will be loaded on reboot by the iptables-restore that is configured on /etc/rc.local
     CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
     CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")

From 382458317ead1ded0149b0fa43d41cd527d22e50 Mon Sep 17 00:00:00 2001
From: Remi Bergsma
Date: Thu, 13 Aug 2015 21:35:44 +0200
Subject: [PATCH 2/4] CLOUDSTACK-8730: fix s2s iptables rules and ipsec config

For site2site VPN to work, we need a default gateway to be set. See CLOUDSTACK-8685
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 2f3235ef69c..154f0c95516 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
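Review bot: The relocated `nf.compare(config.get_fw())` in the second hunk now has to remain the last step before the two `iptables-save` calls, because the processors above it appear to only queue rules on the shared firewall list (see `self.fw.append` in CsSite2SiteVpn) and anything that appends after this call would never be applied; the hunk records nothing about that constraint. A one-line comment would protect the ordering from the next reshuffle, e.g. `# Must stay after every *.process() above: they only queue firewall rules, this call applies them`. It is also worth confirming that no processor between the old and the new position invokes CsNetfilters itself, which would now run before the VPN rules are queued. `main` continues outside the hunk.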
@@ -428,7 +428,7 @@ class CsSite2SiteVpn(CsDataBag):
         self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -j ACCEPT" % dev])
         self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 4500 -j ACCEPT" % dev])
         self.fw.append(["", "front", "-A INPUT -i %s -p esp -j ACCEPT" % dev])
-        self.fw.append(["nat", "front", "-A POSTROUTING -t nat -o %s-m mark --set-xmark 0x525/0xffffffff -j ACCEPT" % dev])
+        self.fw.append(["nat", "front", "-A POSTROUTING -t nat -o %s -m mark --mark 0x525 -j ACCEPT" % dev])
         for net in obj['peer_guest_cidr_list'].lstrip().rstrip().split(','):
             self.fw.append(["mangle", "front",
                             "-A FORWARD -s %s -d %s -j MARK --set-xmark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
@@ -453,7 +453,7 @@ class CsSite2SiteVpn(CsDataBag):
         file.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
         file.addeq(" leftnexthop=%s" % obj['local_public_gateway'])
         file.addeq(" right=%s" % rightpeer)
-        file.addeq(" rightsubnets=%s" % peerlist)
+        file.addeq(" rightsubnets={%s}" % peerlist)
         file.addeq(" type=tunnel")
         file.addeq(" authby=secret")
         file.addeq(" keyexchange=ike")
@@ -463,7 +463,7 @@ class CsSite2SiteVpn(CsDataBag):
         file.addeq(" salifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
         file.addeq(" pfs=%s" % CsHelper.bool_to_yn(obj['dpd']))
         file.addeq(" keyingtries=2")
-        file.addeq(" auto=add")
+        file.addeq(" auto=start")
         if obj['dpd']:
             file.addeq(" dpddelay=30")
             file.addeq(" dpdtimeout=120")

From 9b97719c5c7839215fa4ff4392995af28055f803 Mon Sep 17 00:00:00 2001
From: Remi Bergsma
Date: Fri, 14 Aug 2015 09:05:59 +0200
Subject: [PATCH 3/4] tighten security of site-to-site VPN

It was like this in 4.4 and 4.5
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 154f0c95516..9f7ffb7b433 100755
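Review bot: In the `@@ -463` hunk the context line `file.addeq(" pfs=%s" % CsHelper.bool_to_yn(obj['dpd']))` derives the perfect-forward-secrecy setting from the dead-peer-detection flag, so a tunnel configured with DPD disabled silently loses PFS and one with DPD enabled gets PFS whether the peer expects it or not; that reads like a copy-paste slip and this commit leaves it in place. If the data bag carries a separate PFS value it should be used here, and if it does not, the line deserves a comment such as `# NOTE: PFS intentionally follows the DPD flag -- confirm this matches the management-server contract`. The switch from `auto=add` to `auto=start` also changes behaviour (the router now initiates the tunnel when ipsec starts instead of only loading the connection) and would be worth a one-line comment next to it.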
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -425,9 +425,9 @@ class CsSite2SiteVpn(CsDataBag):
         CsHelper.execute("ipsec auto --rereadall")
 
     def configure_iptables(self, dev, obj):
-        self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -j ACCEPT" % dev])
-        self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 4500 -j ACCEPT" % dev])
-        self.fw.append(["", "front", "-A INPUT -i %s -p esp -j ACCEPT" % dev])
+        self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
+        self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 4500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
+        self.fw.append(["", "front", "-A INPUT -i %s -p esp -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
         self.fw.append(["nat", "front", "-A POSTROUTING -t nat -o %s -m mark --mark 0x525 -j ACCEPT" % dev])
         for net in obj['peer_guest_cidr_list'].lstrip().rstrip().split(','):
             self.fw.append(["mangle", "front",

From 4f8ab51f7f2a1d8b78e754981d92c3904408fb30 Mon Sep 17 00:00:00 2001
From: Remi Bergsma
Date: Fri, 14 Aug 2015 09:07:25 +0200
Subject: [PATCH 4/4] do not log sensitive site-to-site VPN PSK

Logging before:
2015-08-12 16:30:07,126 Searching for 192.168.23.6 and replacing with 192.168.23.6 192.168.23.5: PSK "preSharedKey"
Logging after:
2015-08-12 16:30:07,126 Searching for 192.168.23.6 and replacing with 192.168.23.6 192.168.23.5: PSK "****"
---
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py
index 28d441363ba..1cbf9713c4a 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py
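Review bot: `obj['peer_gateway_ip']` and `obj['local_public_ip']` are interpolated straight into the three new INPUT rules with no check that they are addresses; a value that is empty, a hostname, or contains whitespace would most likely produce a rule that fails to load (leaving IKE and ESP closed and the tunnel dead) or, depending on how CsNetfilters hands the string to iptables (not visible here), stray arguments. A cheap guard before the appends is `socket.inet_aton(obj['peer_gateway_ip'])` and `socket.inet_aton(obj['local_public_ip'])`, which raise on anything that is not a dotted-quad address (needs `import socket` at the top of the file). Pinning the source and destination is a genuine improvement over the open port 500/4500/ESP rules it replaces. `configure_iptables` continues past the end of the hunk.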
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py
@@ -114,7 +114,10 @@ class CsFile:
 
     def search(self, search, replace):
         found = False
-        logging.debug("Searching for %s and replacing with %s" % (search, replace))
+        replace_filtered = replace
+        if re.search("PSK \"", replace):
+            replace_filtered = re.sub(r'".*"', '"****"', replace)
+        logging.debug("Searching for %s and replacing with %s" % (search, replace_filtered))
         for index, line in enumerate(self.new_config):
             if line.lstrip().startswith("#"):
                 continue
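Review bot: The redaction only covers the `replace` argument, and only when it contains the literal `PSK "`; the `search` argument is still logged verbatim, so any caller that searches for an existing secrets line (rather than just the peer address, as in the example in the commit message) will still print the old PSK at debug level. Masking both and anchoring the pattern avoids that, and also stops the greedy `".*"` from blanking unrelated quoted text on the same line: `replace_filtered = re.sub(r'PSK ".*"', 'PSK "****"', replace)` and `search_filtered = re.sub(r'PSK ".*"', 'PSK "****"', search)`, then log the two filtered values. The hunk relies on `re` being imported in CsFile.py, which the import block (outside the hunk) should be checked for. The remainder of `search` lies outside the hunk.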