From: Michael Tremer
Date: Thu, 25 Apr 2024 18:32:57 +0000 (+0200)
Subject: wireguard: Block unauthorized traffic
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=89b976e9a7e4da13b82de4aadadb63ffaf3031a6;p=ipfire-2.x.git

wireguard: Block unauthorized traffic

Signed-off-by: Michael Tremer
---

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b7e8a9cda..457d69dde 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -215,6 +215,11 @@ iptables_init() {
 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
 	iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
 
+	# Block unauthorized WireGuard traffic
+	ipatbles -N WGBLOCK
+	iptables -A INPUT -i wg+ -j WGBLOCK
+	iptables -A FORWARD -i wg+ -j WGBLOCK
+
 	# Block OpenVPN transfer networks
 	iptables -N OVPNBLOCK
 	iptables -A INPUT -i tun+ -j OVPNBLOCK
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index daadcb73b..0de356613 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -51,7 +51,11 @@ generate_config() {
 	local keepalive
 	local _rest
 
-	local subnet
+	local local_subnet
+	local remote_subnet
+
+	# Flush firewall rules
+	iptables -F WGBLOCK
 
 	# Flush all previously set routes
 	ip route flush dev "${INTF}"
@@ -85,8 +89,8 @@ generate_config() {
 
 			# Apply the routes
 			if [ "${type}" = "net" ]; then
-				for subnet in ${remote_subnets//|/,}; do
-					ip route add "${subnet}" dev "${INTF}"
+				for remote_subnet in ${remote_subnets//|/,}; do
+					ip route add "${remote_subnet}" dev "${INTF}"
 				done
 			fi
 		fi
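Review bot: `ipatbles -N WGBLOCK` misspells the command, so the WGBLOCK chain is never created and the two `-j WGBLOCK` jumps on the following lines fail, because iptables refuses a jump to a chain that does not exist; the net effect is that traffic arriving on wg+ is not filtered at all rather than blocked. The line should read `iptables -N WGBLOCK`. The `iptables -F WGBLOCK` that the wireguard initscript gains in this same commit also depends on the chain having been created here. iptables_init starts before and continues after this hunk.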
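Review bot: `iptables -F WGBLOCK` empties the chain at the top of generate_config, but the catch-all `iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited` is only appended at the end of the function (last hunk of this file), after the whole peers file has been read and every per-peer RETURN rule has been added, so for the duration of a config regeneration the chain is empty and any packet arriving on wg+ falls straight through to the rest of INPUT/FORWARD. Appending the reject rule right after the flush and inserting the per-peer allowances ahead of it keeps the chain fail-closed: here `iptables -F WGBLOCK` followed by `iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited`, and in the peer loop `iptables -I WGBLOCK -s "${remote_subnet}" -d "${local_subnet}" -j RETURN`. Note also that the flush fails if the chain does not exist yet, so generate_config now presumably requires the firewall initscript to have run first; whether that failure aborts the script depends on options set outside this hunk. generate_config starts before and ends after this hunk.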
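Review bot: The renamed loop still expands `${remote_subnets//|/,}`, joining the subnets with commas, while the new blocking loop in the last hunk of this file splits the same field with `${remote_subnets//|/ }`; unless IFS contains a comma at this point (not visible here), the route loop runs once with the entire comma-joined string as `remote_subnet` and `ip route add` receives an invalid prefix whenever a peer has more than one remote subnet. If the space form is the intended one, `for remote_subnet in ${remote_subnets//|/ }; do` makes the two loops consistent. The surrounding if/while structure starts and ends outside the hunk.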
@@ -95,7 +99,18 @@ generate_config() {
 		if [ -n "${keepalive}" ]; then
 			echo "PersistentKeepalive = ${keepalive}"
 		fi
+
+		# Set blocking rules
+		for local_subnet in ${local_subnets//|/ }; do
+			for remote_subnet in ${remote_subnets//|/ }; do
+				iptables -A WGBLOCK \
+					-s "${remote_subnet}" -d "${local_subnet}" -j RETURN
+			done
+		done
 	done < /var/ipfire/wireguard/peers
+
+	# Block all other traffic
+	iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
 }
 
 reload_firewall() {
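Review bot: The nested loop emits a RETURN rule only when both `local_subnets` and `remote_subnets` are non-empty, so a peer with either field empty (which may well be the normal case for peers that are not of type "net", judging by the route hunk earlier in this file) gets no allowance at all and every packet it sends is rejected by the final rule; if that is the intended policy it deserves a comment such as `# Peers without local or remote subnets get no RETURN rule and are fully rejected`, and if not, that case needs handling before the loops. The allowances are also keyed purely on source and destination addresses, not on which peer the packet came from, so the chain relies on WireGuard's own cryptokey routing to stop one peer from sourcing another peer's remote subnet; a one-line comment stating that assumption would help the next reader. The unquoted `${local_subnets//|/ }` and `${remote_subnets//|/ }` expansions are deliberate word-splitting and worth marking as such for ShellCheck. generate_config starts before this hunk.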