admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(firewall): use all default routes

Browse Source 
- Accept output traffic from all default routes through VPN interface
- Accept output from all default routes to outbound subnets
- Accept all input traffic on ports for all default routes
- Add IP rules for all default routes
This commit is contained in:
Quentin McGaw
2022-03-13 13:26:09 +00:00
parent 0795008c23
commit f99d5e8656
11 changed files with 212 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
internal/firewall/enable.go
View File

@@ -96,13 +96,9 @@ func (c *Config) enable(ctx context.Context) (err error) {
if err = c.acceptEstablishedRelatedTraffic(ctx, remove); err != nil {
return err
}
if c.vpnConnection.IP != nil {
if err = c.acceptOutputTrafficToVPN(ctx, c.defaultInterface, c.vpnConnection, remove); err != nil {
return err
}
if err = c.acceptOutputThroughInterface(ctx, c.vpnIntf, remove); err != nil {
return err
}
if err = c.allowVPNIP(ctx); err != nil {
return err
}
for _, network := range c.localNetworks {
@@ -111,10 +107,8 @@ func (c *Config) enable(ctx context.Context) (err error) {
}
}
for _, subnet := range c.outboundSubnets {
if err := c.acceptOutputFromIPToSubnet(ctx, c.defaultInterface, c.localIP, subnet, remove); err != nil {
return err
}
if err = c.allowOutboundSubnets(ctx); err != nil {
return err
}
// Allows packets from any IP address to go through eth0 / local network
@@ -125,10 +119,8 @@ func (c *Config) enable(ctx context.Context) (err error) {
}
}
for port, intf := range c.allowedInputPorts {
if err := c.acceptInputToPort(ctx, intf, port, remove); err != nil {
return err
}
if err = c.allowInputPorts(ctx); err != nil {
return err
}
if err := c.runUserPostRules(ctx, c.customRulesPath, remove); err != nil {
@@ -137,3 +129,47 @@ func (c *Config) enable(ctx context.Context) (err error) {
return nil
}
func (c *Config) allowVPNIP(ctx context.Context) (err error) {
if c.vpnConnection.IP == nil {
return nil
}
const remove = false
for _, defaultRoute := range c.defaultRoutes {
err = c.acceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, c.vpnConnection, remove)
if err != nil {
return fmt.Errorf("cannot accept output traffic through VPN: %w", err)
}
}
return nil
}
func (c *Config) allowOutboundSubnets(ctx context.Context) (err error) {
for _, subnet := range c.outboundSubnets {
for _, defaultRoute := range c.defaultRoutes {
const remove = false
err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
defaultRoute.AssignedIP, subnet, remove)
if err != nil {
return err
}
}
}
return nil
}
func (c *Config) allowInputPorts(ctx context.Context) (err error) {
for port, netInterfaces := range c.allowedInputPorts {
for netInterface := range netInterfaces {
const remove = false
err = c.acceptInputToPort(ctx, netInterface, port, remove)
if err != nil {
return fmt.Errorf("cannot accept input port %d on interface %s: %w",
port, netInterface, err)
}
}
}
return nil
}