Multiple user types/access rules for OpenVPN on CentOS 7 and firewalld

How do I define separate roles for users and administrators in OpenVPN running on a CentOS 7 server? Specifically, users must only be allowed https, while administrators must be allowed both https and ssh.

Progress so far:

Translating the instructions at the link @garethTheRed suggested, I defined the steps below. I have also completed steps one, two and three, but I don't know how to complete step four. Could someone show how to convert step four from iptables to firewalld, and confirm the other steps?

Step One (complete): create the virtual IP address mapping according to user class:

    Class            Virtual IP range       Allowed Services  
    employees        10.8.0.0/24            https
    administrator    10.8.1.0/24            ssh, https  

Step Two (complete): in /etc/openvpn/server.conf,

    define the Employee IP address pool:
    server 10.8.0.0 255.255.255.0

    Add a route for the System Administrator IP range:
    route 10.8.1.0 255.255.255.0

    Specify client configuration directory to assign a fixed IP for Administrator:
    client-config-dir ccd

Step Three (complete): in the new directory /etc/openvpn/ccd and the new config file /etc/openvpn/ccd/sysadmin

    Define the fixed IP address for the Administrator VPN client:

        mkdir ccd
        cd ccd
        nano sysadmin1
        type the following into /etc/openvpn/ccd/sysadmin1:
        ifconfig-push 10.8.1.1 10.8.1.2

Step Four (how do I do this in the firewall so that users can only do https and administrators can do ssh and https?):

    First, define a static unit number for our tun interface:

        dev tun0  //where does this go?

    Establish firewall rules for the employees and administrator (convert these to firewalld):
        # Employee rule // MUST ONLY BE ALLOWED TO https
        iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.66.4.4 -j ACCEPT

        # Sysadmin rule //MUST BE ALLOWED TO ssh AND https
        iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.66.4.0/24 -j ACCEPT

Note: when I type firewall-cmd --list-all, the sum total of the firewall configuration so far is defined as follows:

public (default, active)
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client openvpn smtp
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 

I want to change the firewall configuration in whatever way is needed to provide the best security for this use case.

How do I modify the above to make this work?

EDIT:

After reading @garethTheRed's helpful answer, I have three questions/observations:

1.) There is no `tun` device on the firewall, but yet I am able  
    to connect to the VPN from the client with  
    `openvpn --config /path/to/client.ovpn` with the firewall  
    configured only as shown by the results of `firewall-cmd --list-all`.
    So why is it necessary to define a `tun` device in the firewall?  

2.) `ip addr` shows that I was logged in as 10.8.0.6.  How can I 
    force being logged in as a fixed address, such as 10.8.1.1 defined  
    in Step Three above?  

3.) What privileges/access does a user really have when they log in to the  
    server via OpenVPN when the firewall is configured as shown in the  
    results of `firewall-cmd --list-all` above?  Are they able to do  
    anything other than https without a password anyway?  ssh would  
    require knowledge of both a password and a username.  

EDIT #2

In the internal zone defined in @garethTheRed's very helpful answer, users of the internal zone seem to be able to access the following services: dhcpv6-client, ipp-client, mdns, samba-client, ssh. The use case in this post also includes https.

So the solution for this post seems to include:

1.) setting up rules blocking the `10.8.0.0/24` ip range from  
    `dhcpv6-client`, `ipp-client`, `mdns`, `samba-client`, and `ssh`,  
    while allowing access to `https`.  

2.) retaining access by the `10.8.1.0/24` ip range to all services  
    defined in the internal zone.  

3.) creating and installing separate client certificates for the  
    two classes of users (administrator and user)? Each class,  
    and therefore each certificate, must have a Canonical Name (CN)  
    that matches the names of config files added to `/etc/openvpn/ccd`.  
    Openvpn should then use the config file whose name matches the CN.  
    This config file should be set to configure the network address  
    that will be allocated to the clients in that class
    @garethTheRed's words are used here in #3.  

But are these three things all that is still needed to meet this requirement? And how do I accomplish these three things?

Answer 1

You can modify the zone and add a rich rule for ssh that blocks all traffic except from a specific range - the employee subnet.

Find the zone your tun interface is in by listing all zones:

firewall-cmd --list-all-zones | less

In the output you should see something like the following:

internal (active)
  interfaces: tun0
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

You may find that the tun device (tun0 in the example above) is in the same zone as your Ethernet adapter. While that works, it is easier to manage if they are kept separate.

It is wise to remove the services you don't need from the internal zone - in your case, remove all of them except ssh, and also add http:

firewall-cmd --zone=internal --permanent --add-service=http
firewall-cmd --zone=internal --permanent --remove-service=dhcpv6-client

Repeat the last command for the other services you want to remove. Make sure you don't remove ssh! While you're at it, remove the surplus services from your external zone too.

Copy the zone definition file for the zone the tun interface is in to /etc/firewalld/zones. For example, if the tun device is in the internal zone:

sudo cp /usr/lib/firewalld/zones/internal.xml /etc/firewalld/zones

Edit the copied file and add the following before the closing </zone>:

<rule family="ipv4">
    <source invert="True" address="10.8.0.0"/>
    <service name="ssh"/>
    <reject/>
</rule>

Finally, run firewall-cmd --reload to apply the rule.

Warning: if this doesn't work, you could lock yourself out :-o

Alternative options:

Another, simpler option is to configure sshd to accept connections only from a given network address - 10.8.0.0

An even simpler option is to drop the VPN altogether and use only the firewall. If (and only if) your employees (or their external router) have a static IP address, then just configure a rich rule that allows only their IP address or network address to reach the ssh service while rejecting all other IP addresses.
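Step Four of the question (converting the two per-class iptables rules to firewalld) and the zone-file approach in the answer, worked through as an added example that is not code from the question or the answer. The script generates the internal zone XML with a rich rule that rejects ssh from every source outside the administrator range, then dry-runs the resulting policy offline against constructed client addresses before anything is reloaded, which matters because a wrong rule locks you out. Assumptions: tun0 sits in the internal zone, the zone file path is /etc/firewalld/zones/internal.xml, employees are 10.8.0.0/24 and administrators 10.8.1.0/24 as in Step One, and the evaluator is a simplification of firewalld's ordering (drop/reject rich rules first, then accept rich rules, then zone services, then the zone's default of rejecting everything else). One caveat the answer's snippet does not spell out: firewalld treats an address without a prefix length as a single host, so the ranges below are written with /24, and the last check shows the lock-out that results without it.

```python
"""Generate a firewalld zone file for the OpenVPN tun0 zone and dry-run the
resulting policy offline.  Added example, not code from the question/answer.

Assumed layout (from Step One of the question):
  employees      10.8.0.0/24   -> https only
  administrators 10.8.1.0/24   -> ssh and https
"""
import ipaddress
import xml.etree.ElementTree as ET

EMPLOYEES = "10.8.0.0/24"   # assumed employee VPN pool
ADMINS = "10.8.1.0/24"      # assumed administrator VPN pool


def build_zone_xml(admin_range: str = ADMINS) -> str:
    """Return the XML for /etc/firewalld/zones/internal.xml (assumed path).

    Only https and ssh remain as zone services; a rich rule rejects ssh from
    every source that is *not* admin_range.  Because firewalld applies
    reject/drop rich rules before the zone's service accepts, employees lose
    ssh while keeping https.
    """
    zone = ET.Element("zone")
    ET.SubElement(zone, "short").text = "Internal"
    ET.SubElement(zone, "interface", name="tun0")
    for svc in ("https", "ssh"):
        ET.SubElement(zone, "service", name=svc)
    rule = ET.SubElement(zone, "rule", family="ipv4")
    ET.SubElement(rule, "source", address=admin_range, invert="True")
    ET.SubElement(rule, "service", name="ssh")
    ET.SubElement(rule, "reject")
    return ET.tostring(zone, encoding="unicode")


def _rule_matches(rule: ET.Element, ip: ipaddress.IPv4Address, service: str) -> bool:
    """Does one <rule> element match a connection from ip to the named service?"""
    src = rule.find("source")
    if src is not None:
        # No prefix length means a single host, exactly as firewalld reads it.
        net = ipaddress.ip_network(src.get("address"), strict=False)
        hit = ip in net
        if src.get("invert") == "True":
            hit = not hit
        if not hit:
            return False
    svc = rule.find("service")
    return svc is None or svc.get("name") == service


def evaluate(zone_xml: str, src_ip: str, service: str) -> str:
    """Simplified model of firewalld zone evaluation for one connection.

    Order: drop/reject rich rules, accept rich rules, zone services, then the
    zone's implicit default (reject everything else).  Returns the verdict.
    """
    zone = ET.fromstring(zone_xml)
    ip = ipaddress.ip_address(src_ip)
    rules = zone.findall("rule")
    for action in ("drop", "reject", "accept"):
        for rule in rules:
            if rule.find(action) is not None and _rule_matches(rule, ip, service):
                return action
    if any(s.get("name") == service for s in zone.findall("service")):
        return "accept"
    return "reject"


def policy_matrix(zone_xml: str) -> dict:
    """Verdicts for one constructed client per class against the relevant services."""
    hosts = {"employee": "10.8.0.6", "admin": "10.8.1.1"}   # constructed sample clients
    return {
        (who, svc): evaluate(zone_xml, ip, svc)
        for who, ip in hosts.items()
        for svc in ("https", "ssh", "smtp")
    }


if __name__ == "__main__":
    xml = build_zone_xml()
    print(xml)
    for (who, svc), verdict in sorted(policy_matrix(xml).items()):
        print(f"{who:9s} {svc:6s} -> {verdict}")
    # Pitfall: the same rule written without /24 only exempts the host 10.8.1.0,
    # so the administrator at 10.8.1.1 is locked out of ssh.
    print("no-mask pitfall:", evaluate(build_zone_xml("10.8.1.0"), "10.8.1.1", "ssh"))
```

Run it, check that the printed matrix gives the employee client https only and the admin client both services, and only then write the XML to the zone file and `firewall-cmd --reload`. The `dev tun0` line the question asks about is an OpenVPN directive and belongs in server.conf; firewalld only needs the interface to be a member of the zone, as the `<interface name="tun0"/>` element above expresses.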
