merge

Add required IPv6 ICMP types to iptables

See merge request cyber5k/mistborn!86

.gitlab-ci.yml

@@ -13,7 +13,6 @@ stages:
 
 include:
   - template: Code-Quality.gitlab-ci.yml
-  - template: Security/SAST.gitlab-ci.yml
 
 docker_build:
   stage: test

README.md

@@ -15,7 +15,7 @@ The term [Mistborn](http://www.brandonsanderson.com/the-mistborn-saga-the-origin
 
 Mistborn started as a passion project for a husband and father protecting his family. Certain family members insisted on connecting their devices to free public WiFi networks. We needed a way to secure all family devices with a solid VPN (WireGuard). Once we had that we wanted to control DNS to block ads to all devices and block malicious websites across all family devices. Then we wanted chat, file-sharing, and webchat services that we could use for ourselves without entrusting our data to some big tech company. And then... home automation. I know I'll be adding more services so I made that easy to do.
 
-As a [Certified Information Systems Security Professional (CISSP)](https://www.credly.com/badges/ebcb76f2-1e82-4079-9ea3-b507ffbd1d15/public_url) and an [Offensive Security Certified Professional (OSCP)](https://www.credly.com/badges/b93c44ec-3af5-48e8-9a33-b64365b70c61/public_url), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
+As an [Offensive Security Certified Professional (OSCP)](https://resources.infosecinstitute.com/certification/the-oscp-certification-and-exam/), I designed Mistborn thinking about how it would be attacked by both external and internal threats. In making design trade-off decisions I tend to the paranoid. See [Technical and Security Insights](#technical-and-security-insights).
 
 Ideal for teams who:
 - hate internet ads
@@ -62,9 +62,8 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
 - Ubuntu 20.04 LTS
-- Debian 11 (Bullseye)
+- Debian 10 (Buster)
 - Raspberry Pi OS (formerly Raspbian) Buster
-- Formerly tested and may still work: Ubuntu 18.04 LTS, Debian 10 (Buster)
 
 **Note:** Install operating system updates and restart. Raspberry Pi OS particularly needs to be restarted after kernel updates (kernel modules for the currently running kernel may be missing).
 

base.yml

@@ -119,7 +119,7 @@ services:
     restart: unless-stopped
   
   redis:
-    image: redis:5.0
+    image: redis:6.2-alpine
     container_name: mistborn_production_redis
     restart: unless-stopped
 
@@ -138,8 +138,10 @@ services:
       default:
       dns_net:
         ipv4_address: 10.2.1.3
+        ipv6_address: "fd0c:6164:c111:ecee::3"
     dns:
       - 10.2.1.2
+      - "fd0c:6164:c111:ecee::2"
     depends_on:
       - traefik
       - pihole
@@ -161,8 +163,10 @@ services:
       default:
       dns_net:
         ipv4_address: 10.2.1.4
+        ipv6_address: "fd0c:6164:c111:ecee::4"
     dns:
       - 10.2.1.2
+      - "fd0c:6164:c111:ecee::2"
     depends_on:
       - traefik
       - pihole
@@ -211,10 +215,11 @@ services:
       - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
    environment:
      - ServerIP=10.2.0.3
-     - PIHOLE_DNS_=10.2.0.2#5054
+     - PIHOLE_DNS_=10.2.0.2#5054;fdce:7a9e:13ce:d817::2#5054
+     - ServerIPv6=fdce:7a9e:13ce:d817::3
      #- DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used
      #- DNS2=''
-     - IPv6='false'
+     - IPv6=true
      - DNSMASQ_LISTENING=all
    #  TZ: 'America/New York'
    # Volumes store your data between container upgrades
@@ -227,8 +232,10 @@ services:
      default:
      pihole_net:
        ipv4_address: 10.2.0.3
+       ipv6_address: "fdce:7a9e:13ce:d817::3"
      dns_net:
        ipv4_address: 10.2.1.2
+       ipv6_address: "fd0c:6164:c111:ecee::2"
    restart: unless-stopped
 
   dnscrypt-proxy:
@@ -242,17 +249,34 @@ services:
     networks:
       pihole_net:
         ipv4_address: 10.2.0.2
+        ipv6_address: "fdce:7a9e:13ce:d817::2"
     restart: unless-stopped
 
 
 networks:
+
+  default:
+    driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "true"
+    ipam:
+      config:
+        - subnet: "fd39:4459:ffa9:a36f::/64"
+
   pihole_net:
     driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "true"
     ipam:
       config:
         - subnet: 10.2.0.0/29
+        - subnet: "fdce:7a9e:13ce:d817::/64"
+  
   dns_net:
     driver: bridge
+    driver_opts:
+      com.docker.network.enable_ipv6: "true"
     ipam:
       config:
         - subnet: 10.2.1.0/24
+        - subnet: "fd0c:6164:c111:ecee::/64"

compose/production/postgres/Dockerfile

@@ -1,4 +1,4 @@
-FROM postgres:11.3
+FROM postgres:13.3-alpine
 
 COPY ./compose/production/postgres/maintenance /usr/local/bin/maintenance
 RUN chmod +x /usr/local/bin/maintenance/*

scripts/install.sh

@@ -105,39 +105,13 @@ source ./scripts/subinstallers/platform.sh
 
 # iptables
 echo "Setting up firewall (iptables)"
-if [ -f "/etc/iptables/rules.v4" ]; then
-    echo "Caution: iptables rules exist."
-
-    read -p "Would you like to Clear (C) existing iptables rules or Add (A) to existing rules (this may cause problems)? [c/a] " MISTBORN_IPTABLES_ACTION
-    echo
-
-    if [[ "${MISTBORN_IPTABLES_ACTION}" =~ ^([cC])$ ]]; then
-    # clear
-        echo "Clearing existing iptables rules..."
-        sudo rm -rf /etc/iptables/rules.v4
-        sudo iptables -F
-        sudo iptables -t nat -F
-        sudo iptables -P INPUT ACCEPT
-        sudo iptables -P FORWARD ACCEPT
-        sudo rm -rf /etc/iptables/rules.v6 || true
-        sudo ip6tables -F || true
-        sudo ip6tables -t nat -F || true
-        sudo ip6tables -P INPUT ACCEPT || true
-        sudo ip6tables -P FORWARD ACCEPT || true
-
-    elif [[ "${MISTBORN_IPTABLES_ACTION}" =~ ^([aA])$ ]]; then
-    # do nothing
-        echo "Proceeding..."
-
-    else
-        echo "Unrecognized action: stopping"
-        exit 1;
-
-    fi
+if [ ! -f "/etc/iptables/rules.v4" ]; then
+    echo "Setting iptables rules..."
+    ./scripts/subinstallers/iptables.sh
+else
+    echo "iptables rules exist. Leaving alone."
 fi
 
-echo "Setting iptables rules..."
-source ./scripts/subinstallers/iptables.sh
 
 # SSH Server
 sudo -E apt-get install -y openssh-server

scripts/subinstallers/iptables.sh

@@ -50,7 +50,11 @@ sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 if [ ! -z "${SSH_CLIENT}" ]; then
     SSH_SRC=$(echo $SSH_CLIENT | awk '{print $1}')
     SSH_PRT=$(echo $SSH_CLIENT | awk '{print $3}')
+    if [[ $SSH_SRC =~ .*:.* ]]; then
+        sudo ip6tables -A INPUT -p tcp -s $SSH_SRC --dport $SSH_PRT -j ACCEPT
+    else
         sudo iptables -A INPUT -p tcp -s $SSH_SRC --dport $SSH_PRT -j ACCEPT
+    fi
 fi
 
 # docker rules
@@ -91,6 +95,15 @@ echo "Setting ip6tables rules"
 sudo ip6tables -P INPUT ACCEPT
 sudo ip6tables -I INPUT -i lo -j ACCEPT
 sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# Allow as per RFC 4890
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 1   -j ACCEPT
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2   -j ACCEPT
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 3   -j ACCEPT
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 4   -j ACCEPT
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
+sudo ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
 sudo ip6tables -A INPUT -j MISTBORN_LOG_DROP
 
 sudo ip6tables -P INPUT DROP