ocserv makes a hole in the nftables firewall
Description of problem:
When using config options:
restrict-user-to-routes = true
restrict-user-to-ports = "tcp(443), udp(443), udp(53), tcp(53), tcp(22), icmp(), icmpv6()"
ocserv calls iptables to add rules to the firewall. However, Debian 10 uses nftables by default, with a translation layer that emulates iptables (the packages iptables and iptables-legacy contain the actual iptables command). The first issue is that the iptables package is not listed as a dependency of the Debian package, so when it is uninstalled, groups with the options above fail to connect.
The second issue, a security one, concerns nftables setups that use a single inet table instead of separate ip and ip6 tables.
When ocserv calls iptables to create its rules, the compatibility layer automatically creates ip and ip6 tables with INPUT, FORWARD and OUTPUT base chains (priority 0) whose default policy is ACCEPT. The INPUT and OUTPUT chains contain no rules at all! This effectively disables the whole firewall!
Version of ocserv used:
ocserv/stable,now 0.12.2-3 amd64 Debian 10 package.
Client used:
(Include the client used and its version; e.g., openconnect 8.1)
Distributor of ocserv
Debian 10
How reproducible:
Describe the steps to reproduce the issue:
- Set up an nftables firewall without ip and ip6 tables, with all rules in a single inet table
- Install ocserv
- Add ''restrict-user-to-routes'' and/or ''restrict-user-to-ports'' to the global config or to a group config
- Connect using the configured group
- The server now has no INPUT firewall
Actual results:
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # ACTUAL FIREWALL IS HERE...
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        # SKIPPED - OK...
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
    chain FORWARD-ocserv-fw-vpns2 {
        iifname "vpns2" ip daddr 172.29.0.0/24 counter packets 719 bytes 60892 accept comment "ocserv-fw"
        iifname "vpns2" ip daddr 192.168.102.0/24 counter packets 0 bytes 0 accept comment "ocserv-fw"
        iifname "vpns2" counter packets 0 bytes 0 reject comment "ocserv-fw"
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        # SKIPPED - OK...
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
    chain FORWARD-ocserv-fw-vpns2 {
        iifname "vpns2" ip6 daddr 2a00:xx07::/32 counter packets 0 bytes 0 accept comment "ocserv-fw"
        iifname "vpns2" counter packets 0 bytes 0 reject comment "ocserv-fw"
    }
}
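An added check, not part of this report or of ocserv, that a defender can run over `nft list ruleset` output to spot what the ip and ip6 tables above look like: base chains with policy accept and no rules at all, together with the hooks on which some other table does real filtering. The sample ruleset is constructed from the one in the report; the parts the report elides ("ACTUAL FIREWALL IS HERE", "SKIPPED") are filled with made-up rules, and the ip6 FORWARD chain is omitted for brevity. The function and regex names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample in `nft list ruleset` format, modelled on the ruleset in the report:
# the inet table carries the real policy (its rule is made up here) and the ip/ip6 filter
# tables created by iptables-nft hang empty accept-policy base chains off the same hooks.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        iifname "vpns2" jump FORWARD-ocserv-fw-vpns2
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
    chain FORWARD-ocserv-fw-vpns2 {
        iifname "vpns2" ip daddr 172.29.0.0/24 counter packets 719 bytes 60892 accept comment "ocserv-fw"
        iifname "vpns2" counter packets 0 bytes 0 reject comment "ocserv-fw"
    }
}
table ip6 filter {
    # FORWARD chain omitted here; it has the same shape as in the ip table
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
"""

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
BASE_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+(?:device\s+\S+\s+)?priority\s+-?\w+\s*;\s*policy\s+(\w+)\s*;")

@dataclass
class Chain:
    family: str
    table: str
    name: str
    hook: Optional[str] = None      # set only for base chains
    policy: Optional[str] = None
    rules: List[str] = field(default_factory=list)

def parse_ruleset(text: str) -> List[Chain]:
    """Line-oriented parser for `nft list ruleset` output; only tables and chains are modelled."""
    chains: List[Chain] = []
    stack: List[str] = []           # open blocks: "table", "chain" or "other" (sets, maps, ...)
    family = table = ""
    chain: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if stack.pop() == "chain":
                chain = None
        elif m := TABLE_RE.match(line):
            family, table = m.group(1), m.group(2)
            stack.append("table")
        elif (m := CHAIN_RE.match(line)) and stack and stack[-1] == "table":
            chain = Chain(family, table, m.group(1))
            chains.append(chain)
            stack.append("chain")
        elif line.endswith("{"):
            stack.append("other")
        elif chain is not None and stack[-1] == "chain":
            if m := BASE_RE.match(line):
                chain.hook, chain.policy = m.group(1), m.group(2)
            else:
                chain.rules.append(line)
    return chains

def guarded_hooks(chains: List[Chain]) -> Set[str]:
    """Hooks where at least one base chain has a non-accept policy, i.e. where real filtering happens."""
    return {c.hook for c in chains if c.hook and c.policy != "accept"}

def find_empty_accept_base_chains(chains: List[Chain]) -> List[Tuple[str, str, str, str]]:
    """(family, table, chain, hook) for every base chain with policy accept and no rules at all."""
    return [(c.family, c.table, c.name, c.hook)
            for c in chains if c.hook and c.policy == "accept" and not c.rules]

if __name__ == "__main__":
    chains = parse_ruleset(SAMPLE_RULESET)       # replace with sys.stdin.read() for a live ruleset
    guards = guarded_hooks(chains)
    for fam, tbl, name, hook in find_empty_accept_base_chains(chains):
        note = "this hook is filtered in another table" if hook in guards else "nothing filters this hook"
        print(f"{fam} {tbl} {name}: empty accept-policy base chain on the {hook} hook ({note})")
```

On the sample this reports the ip and ip6 INPUT and OUTPUT chains; the FORWARD chain is not listed because it carries a jump rule. A chain showing up here right after an ocserv client connects is the fingerprint of the iptables-nft behaviour described in this report, and is worth alerting on independently of whether the inet table still drops the traffic.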
Expected results:
ocserv should detect that nftables is running and add its rules to a chain attached to the forward hook, or add its own chain and hook it into the nftables system.
The issue is not documented, and even though it is not primarily caused by ocserv, ocserv has to be aware of the iptables-nft compatibility layer to avoid punching a hole in the firewall.