From ebb0e3f392837776cc5abb4dcaf0a063ff2e5a4f Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Fri, 27 Jun 2025 19:29:10 -0600
Subject: [PATCH] Moved simplified forwarding rules to the ufw-user-forward chain. Punted unused RELATED,ESTABLISHED rules, which were shadowed by generic rules in chains ufw{,6}-before-{{in,out}put,forward}(!).
---
 README.org | 68 +++++++++++++++++++++----------------
 roles_t/gate/tasks/main.yml | 25 ++++++++------
 2 files changed, 54 insertions(+), 39 deletions(-)
diff --git a/README.org b/README.org
index e276961..85d20d2 100644
--- a/README.org
+++ b/README.org
@@ -4636,25 +4636,18 @@ should not be routing their Internet traffic through their VPN. Forwarding rules are also needed. The ~nat~ table is a /post/ routing rule set, so the default routing policy (~DENY~) will drop packets before NAT can translate them. The following rules are added to allow -packets to be forwarded from the campus Ethernet or its wild subnet -to an ISP on the ~isp~ interface, and back (if related to an outgoing -packet). +packets to be forwarded from the campus Ethernet or its wild subnet to +an ISP on the ~isp~ interface. A generic routing rule in UFW accepts +any related or established packet (according to the kernel's +connection tracking). #+NAME: ufw-forward-nat #+CAPTION: ~ufw-forward-nat~ #+BEGIN_SRC conf --A FORWARD -i lan -o isp -j ACCEPT --A FORWARD -i wild -o isp -j ACCEPT --A FORWARD -i isp -o lan {{ ACCEPT_RELATED }} --A FORWARD -i isp -o wild {{ ACCEPT_RELATED }} +-A ufw-user-forward -i lan -o isp -j ACCEPT +-A ufw-user-forward -i wild -o isp -j ACCEPT #+END_SRC -To keep the above code lines short, the template references an -~ACCEPT_RELATED~ variable, provided by the task, whose value includes -the following ~iptables(8)~ rule specification parameters. - -: -m state --state ESTABLISHED,RELATED -j ACCEPT - If "the standard ~iptables-restore~ syntax" as it is described in the ~ufw-framework~ manual page, allows continuation lines, please let us know! 
@@ -4668,25 +4661,36 @@ public and campus VPNs is also allowed. #+NAME: ufw-forward-private #+CAPTION: ~ufw-forward-private~ #+BEGIN_SRC conf --A FORWARD -i lan -o wg0 -j ACCEPT --A FORWARD -i wg0 -o lan -j ACCEPT +-A ufw-user-forward -i lan -o wg0 -j ACCEPT +-A ufw-user-forward -i wg0 -o lan -j ACCEPT +-A ufw-user-forward -i wg0 -o wg0 -j ACCEPT #+END_SRC +The third rule above may seem curious; it is. It short circuits +filters in subsequent chains (e.g. ~ufw-reject-forward~) that, by +default, log and reject packets, even those from subnet to the same +subnet (if it is a WireGuard™ subnet?). + Note that there are no forwarding rules to allow packets to pass from the ~wild~ device to the ~lan~ device, just the ~wg0~ device. -** Install UFW +** Configure UFW The following tasks install the Uncomplicated Firewall (UFW), set its -policy in =/etc/default/ufw=, and install the above rules in -=/etc/ufw/before.rules=. When Gate is configured by ~./abbey config -gate~ as in the example bootstrap, enabling the firewall should not be -a problem. But when configuring a new gate with ~./abbey config -new-gate~, enabling the firewall could break Ansible's current and -future ssh sessions. For this reason, Ansible /does not/ enable the -firewall. The administrator must login and execute the following -command after Gate is configured or new gate is "in position" -(connected to old Gate's ~wild~ and ~isp~ networks). +policy in =/etc/default/ufw=, install the NAT rules in +=/etc/ufw/before.rules=, and the Forward rules in +=/etc/ufw/user.rules= (where the ~ufw-user-forward~ chain +is... mentioned?). + +When Gate is configured by ~./abbey config gate~ as in the example +bootstrap, enabling the firewall should not be a problem. But when +configuring a new gate with ~./abbey config new-gate~, enabling the +firewall could break Ansible's current and future ssh sessions. For +this reason, Ansible /does not/ enable the firewall. 
+ +The administrator must login and execute the following command after +Gate is configured or new gate is "in position" (connected to old +Gate's ~wild~ and ~isp~ networks). : sudo ufw enable @@ -4711,23 +4715,29 @@ command after Gate is configured or new gate is "in position" - { line: "DEFAULT_FORWARD_POLICY=\"DROP\"", regexp: "^DEFAULT_FORWARD_POLICY=" } -- name: Configure UFW rules. +- name: Configure UFW NAT rules. become: yes - vars: - ACCEPT_RELATED: -m state --state ESTABLISHED,RELATED -j ACCEPT blockinfile: - path: /etc/ufw/before.rules block: | *nat :POSTROUTING ACCEPT [0:0] <> COMMIT + dest: /etc/ufw/before.rules + insertafter: EOF + prepend_newline: yes +- name: Configure UFW FORWARD rules. + become: yes + blockinfile: + block: | *filter <> <> COMMIT + dest: /etc/ufw/user.rules insertafter: EOF + prepend_newline: yes #+END_SRC ** Configure DHCP For The Wild Ethernet diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml index 2a57881..9b3aa91 100644 --- a/roles_t/gate/tasks/main.yml +++ b/roles_t/gate/tasks/main.yml 
@@ -77,28 +77,33 @@ - { line: "DEFAULT_FORWARD_POLICY=\"DROP\"", regexp: "^DEFAULT_FORWARD_POLICY=" } -- name: Configure UFW rules. +- name: Configure UFW NAT rules. become: yes - vars: - ACCEPT_RELATED: -m state --state ESTABLISHED,RELATED -j ACCEPT blockinfile: - path: /etc/ufw/before.rules block: | *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE -A POSTROUTING -s {{ wild_net_cidr }} -o isp -j MASQUERADE COMMIT + dest: /etc/ufw/before.rules + insertafter: EOF + prepend_newline: yes +- name: Configure UFW FORWARD rules. + become: yes + blockinfile: + block: | *filter - -A FORWARD -i lan -o isp -j ACCEPT - -A FORWARD -i wild -o isp -j ACCEPT - -A FORWARD -i isp -o lan {{ ACCEPT_RELATED }} - -A FORWARD -i isp -o wild {{ ACCEPT_RELATED }} - -A FORWARD -i lan -o wg0 -j ACCEPT - -A FORWARD -i wg0 -o lan -j ACCEPT + -A ufw-user-forward -i lan -o isp -j ACCEPT + -A ufw-user-forward -i wild -o isp -j ACCEPT + -A ufw-user-forward -i lan -o wg0 -j ACCEPT + -A ufw-user-forward -i wg0 -o lan -j ACCEPT + -A ufw-user-forward -i wg0 -o wg0 -j ACCEPT COMMIT + dest: /etc/ufw/user.rules insertafter: EOF + prepend_newline: yes - name: Install DHCP server. become: yes -- 2.25.1
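Review bot: The two security-relevant decisions in the new "Configure UFW FORWARD rules." task are invisible to a reader of main.yml: the removed isp→lan and isp→wild RELATED,ESTABLISHED rules are now covered only by UFW's stock conntrack rule in ufw-before-forward (in /etc/ufw/before.rules, a file this role also edits), and the new `-A ufw-user-forward -i wg0 -o wg0 -j ACCEPT` line lets every VPN peer reach every other peer while bypassing the logging/reject chains that follow. I would put a comment above the task: `# Return traffic is accepted by the stock ufw-before-forward RELATED,ESTABLISHED rule in /etc/ufw/before.rules; the wg0->wg0 rule permits VPN peer-to-peer forwarding and is deliberate (see README).` Separately, as far as I recall /etc/ufw/user.rules is rewritten in full by ufw whenever a rule is added or removed with the ufw command, so a block appended at EOF can be silently discarded on the next `ufw allow`/`ufw delete`; if that holds, /etc/ufw/after.rules (loaded after user.rules, when ufw-user-forward already exists) may be a safer home, or the limitation should at least be noted next to `dest: /etc/ufw/user.rules`. If main.yml is tangled from the README.org source block in the earlier hunk, the same comment belongs there.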