author | micah <micah@riseup.net> | 2023-01-02 21:33:36 +0000 |
---|---|---|
committer | micah <micah@riseup.net> | 2023-01-02 21:33:36 +0000 |
commit | 65c4c9c1c91f7c432c23be9366541fdf6949944d (patch) | |
tree | 17bca436cc004a6a393761a97d7501683dac54bb | |
parent | 6d2f378df8882d4853484e3d85658536a93fa984 (diff) | |
parent | 382afed03359df5a61897dedc2e12857609191d0 (diff) |
Merge branch 'gw_firewall_restrictions' into 'main'
firewall: restrict outgoing ports
See merge request leap/container-platform/lilypad!59
-rw-r--r-- | config/roles/openvpn/templates/50openvpn.firewall.j2 | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/config/roles/openvpn/templates/50openvpn.firewall.j2 b/config/roles/openvpn/templates/50openvpn.firewall.j2
index d685547..e68c993 100644
--- a/config/roles/openvpn/templates/50openvpn.firewall.j2
+++ b/config/roles/openvpn/templates/50openvpn.firewall.j2
@@ -41,6 +41,26 @@ add_rule6 -A FORWARD -i tun0 -p tcp -o tun0 -j DROP
 add_rule6 -A FORWARD -i tun1 -p udp -o tun0 -j DROP
 {% endif %}
+# deny outgoing ports that shouldn't be used
+# Strict egress filtering:
+# SMTP (TCP 25)
+# Trivial File Transfer Protocol - TFTP (UDP 69)
+# MS RPC (TCP & UDP 135)
+# NetBIOS/IP (TCP/UDP 139 & UDP 137, UDP 138)
+# Simple Network Management Protocol – SNMP (UDP/TCP 161-162)
+# SMB/IP (TCP/UDP 445)
+# Syslog (UDP 514)
+# Gamqowi trojan: TCP 4661
+# Mneah trojan: TCP 4666
+add_rule4 -A OUTPUT -o tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule4 -A OUTPUT -o tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule4 -A OUTPUT -o tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+add_rule4 -A OUTPUT -o tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+add_rule6 -A OUTPUT -o tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule6 -A OUTPUT -o tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
+add_rule6 -A OUTPUT -o tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+add_rule6 -A OUTPUT -o tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
+
 # allow tcp vpn clients to resolve DNS (i.e. query knot-resolver)
 add_rule -A user-input -i tun0 -p udp --dport 53 -j ACCEPT
 add_rule -A user-input -i tun0 -p tcp --dport 53 -j ACCEPT |
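Review bot: The eight new DROP rules are attached to the OUTPUT chain with `-o tun0` / `-o tun1`, and in the netfilter filter table OUTPUT only sees packets generated by the gateway itself, so these rules match gateway-originated traffic heading into the tunnel, not traffic arriving from VPN clients; client traffic is routed and traverses FORWARD, as the surrounding `add_rule6 -A FORWARD -i tun0 …` rules already do. If the intent is to restrict what VPN clients can reach on the egress side, as the merge title "restrict outgoing ports" suggests, the filter as written would not apply to them and the rules should instead be `-A FORWARD -i tun0` / `-i tun1` with the same port lists, ordered ahead of whatever rule accepts forwarded client traffic (not visible in this hunk). Separately, each rule is written twice with identical arguments for `add_rule4` and `add_rule6`, while the DNS rules three lines later use the plain `add_rule` helper, which presumably emits both families and would halve the list. Consider also whether REJECT is preferable to DROP here so client applications fail fast rather than time out, and add a comment stating which chain the filter is meant to apply to, e.g. `# applies to forwarded VPN client traffic, not to the gateway's own sockets`.
```jinja
# … unchanged: egress-filter comment block …
add_rule -A FORWARD -i tun0 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule -A FORWARD -i tun1 -p tcp -m multiport --dports 25,135,139,161,162,445,4661,4666 -j DROP
add_rule -A FORWARD -i tun0 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
add_rule -A FORWARD -i tun1 -p udp -m multiport --dports 69,135,139,137,138,161,162,445,514 -j DROP
# … unchanged: DNS accept rules …
```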