1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
</HEAD>
<BODY>
<A HREF="toc.html">Contents</A>
<A HREF="background.html">Previous</A>
<A HREF="makecheck.html">Next</A>
<HR>
<H1><A name="user.examples">FreeS/WAN script examples</A></H1>
This file is intended to hold a collection of user-written example
scripts or configuration files for use with FreeS/WAN.
<P> So far it has only one entry.</P>
<H2><A name="poltorak">Poltorak's Firewall script</A></H2>
<PRE>
From: Poltorak Serguei <poltorak@dataforce.net>
Subject: [Users] Using FreeS/WAN
Date: Tue, 16 Oct 2001
Hello.
I'm using FreeS/WAN IPsec for half a year. I learned a lot of things about
it and I think it would be interesting for someone to see the result of my
experiments and usage of FreeS/WAN. If you find a mistake in this
file, please e-mail me. And excuse me for my english... I'm learning.. :)
I'll talk about vary simple configuration:
addresses prefix = 192.168
lan1 sgw1 .0.0/24 (Internet) sgw2 lan2
.1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; . 2.10 ]---.2.0/24
We need to let lan1 see lan2 across Internet like it is behind sgw1. The
same for lan2. And we need to do IPX bridge for Novel Clients and NDS
synchronization.
my config:
------------------- ipsec.conf -------------------
conn lan1-lan2
type=tunnel
compress=yes
#-------------------
left=192.168.0.1
leftsubnet=192.168.1.0/24
#-------------------
right=192.168.0.10
rightsubnet=192.168.2.0/24
#-------------------
auth=esp
authby=secret
--------------- end of ipsec.conf ----------------
ping .2.x from .1.y (y != 1)
It works?? Fine. Let's continue...
Why y != 1 ?? Because kernel of sgw1 have 2 IP addresses and it will choose
the first IP (which is used to go to Internet) .0.1 and the packet won't go
through IPsec tunnel :( But if do ping on .1.1 kernel will respond from
that address (.1.1) and the packet will be tunneled. The same problem occurred then
.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
sends ARP requesting .1.2... after 3 tries it send to .2.x an destunreach,
but from his "natural" IP or .0.1 . So the error message won't be delivered!
It's a big problem...
Resolution... One can manipulate with ipsec0 or ipsec0:0 to solve the
problem (if ipsec0 has .1.1 kernel will send packets correctly), but there
are powerful and elegant iproute2 :) We simply need to change source address
of packet that goes to other secure lan. This is done with
ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
Cool!! Now it works!!
The second step. We want install firewall on sgw1 and sgw2. Encryption of
traffic without security isn't a good idea. I don't use {left|right}firewall,
because I'm running firewall from init scripts.
We want IPsec data between lan1-lan2, some ICMP errors (destination
unreachable, TTL exceeded, parameter problem and source quench), replying on
pings from both lans and Internet, ipxtunnel data for IPX and of course SSH
between sgw1 and sgw2 and from/to one specified host.
I'm using ipchains. With iptables there are some changes.
---------------- rc.firewall ---------------------
#!/bin/sh
#
# Firewall for IPsec lan1-lan2
#
IPC=/sbin/ipchains
ANY=0.0.0.0/0
# left
SGW1_EXT=192.168.0.1
SGW1_INT=192.168.1.1
LAN1=192.168.1.0/24
# right
SGW2_EXT=192.168.0.10
SGW2_INT=192.168.2.10
LAN2=192.168.2.0/24
# SSH from and to this host
SSH_PEER_HOST=_SOME_HOST_
# this is for left. exchange these values for right.
MY_EXT=$SGW1_EXT
MY_INT=$SGW1_INT
PEER_EXT=$SGW2_EXT
PEER_INT=$SGW2_INT
INT_IF=eth1
EXT_IF=eth0
IPSEC_IF=ipsec0
MY_LAN=$LAN1
PEER_LAN=$LAN2
$IPC -F
$IPC -P input DENY
$IPC -P forward DENY
$IPC -P output DENY
# Loopback traffic
$IPC -A input -i lo -j ACCEPT
$IPC -A output -i lo -j ACCEPT
# for IPsec SGW1-SGW2
## IKE
$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT
## ESP
$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT
## forward LAN1-LAN2
$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
# ICMP
#
## Dest unreachable
### from/to Internet
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### from/to Lan
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### from/to Peer Lan
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
#
## Source quench
### from/to Internet
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### from/to Lan
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### from/to Peer Lan
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
#
## Parameter problem
### from/to Internet
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### from/to Lan
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### from/to Peer Lan
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
#
## Time To Live exceeded
### from/to Internet
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
### to Lan
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
### to Peer Lan
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
# ICMP PINGs
## from Internet
$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply -i $EXT_IF -j ACCEPT
## from LAN
$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $INT_IF -j ACCEPT
## from Peer LAN
$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $IPSEC_IF -j ACCEPT
# SSH
## from SSH_PEER_HOST
$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT
## to SSH_PEER_HOST
$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT
## from PEER
$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT
## to PEER
$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT
# ipxtunnel
$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
---------------- end of rc.firewall ----------------------
To understand this we need to look on this scheme:
++-----------------------<----------------------------+
|| ipsec0 |
\/ |
eth0 +--------+ /---------/ yes /---------/ yes +-----------------------+
------>| INPUT |-->/ ?local? /----->/ ?IPsec? /----->| decrypt decapsulate |
eth1 +--------+ /---------/ /---------/ +-----------------------+
|| no || no
\/ \/
+----------+ +---------+ +-------+
| routing | | local | | local |
| decision | | deliver | | send |
+----------+ +---------+ +-------+
|| ||
\/ \/
+---------+ +----------+
| forward | | routing |
+---------+ | decision |
|| +----------+
|| ||
++----------------<-----------------++
||
\/
+--------+ eth0
| OUTPUT | eth1
+--------+ ipsec0
||
\/
/---------/ yes +-----------------------+
/ ?IPsec? /----->| encrypt encapsulate |
/---------/ +-----------------------+
|| no ||
|| ||
|| \/ eth0, eth1
++-----------------------++-------------->
This explain how a packet traverse TCP/IP stack in IPsec capable kernel.
FIX ME, please, if there are any errors
Test the new firewall now.
Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel
tipxd didn't send packets.. :(
SIB and ipxtunnel worked fine :)
With ipxtunnel there was a little problem. In sources there are an error.
--------------------- in main.c ------------------------
< bytes += p.len;
---
> bytes += len;
--------------------------------------------------------
After this FIX everything goes right...
------------------- /etc/ipxtunnel.conf ----------------
port 2005
remote 192.168.101.97 2005
interface eth1
--------------- end of /etc/ipxtunnel.conf -------------
I use IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor
authenticate encapsulated IPX packets, it is done with IPsec.
If you don't wont to use iproute2 to change source IP you need to use SIB
(it is able to bind local address) or establish tunnel between .0.1 and
.0.10 (external IPs, you need to do encryption in the program, but it isn't
strong).
For now I'm using ipxtunnel.
I think that's all for the moment. If there are any error, please e-mail me:
poltorak@df.ru . It would be cool if someone puts the scheme of TCP/IP in
kernel and firewall example on FreeS/WAN's manual pages.
PoltoS
</PRE>
<HR>
<A HREF="toc.html">Contents</A>
<A HREF="background.html">Previous</A>
<A HREF="makecheck.html">Next</A>
</BODY>
</HTML>
|