FreeSwan + IPTables
Marcel Mazáč
mazac na neria.cz
Úterý Červenec 6 15:16:51 CEST 2004
Ipsec.conf :
# Basic settings (original comment: "Zakladni nastaveni").
# NOTE(review): as posted, the parameter lines below are not indented; in a
# FreeS/WAN ipsec.conf every parameter line of a section must start with
# whitespace, so restore the indentation when copying this file back.
config setup
# KLIPS virtual interface ipsec0 bound to the public interface eth1
interfaces="ipsec0=eth1"
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
# Defaults inherited by every conn (original comment: "Zakladni konfigurace").
conn %default
# 0 = never give up renegotiating keys
keyingtries=0
# Site-to-site tunnel, brought up when IPsec starts, RSA-signature authentication.
conn N4_N3
auto=start
authby=rsasig
# Left side is Hustopece (this gateway; same address as LAN0_IP in the firewall script).
left=195.39.121.177
leftsubnet=192.168.4.0/24
leftnexthop=195.39.121.161
leftid=@mail.neria.cz
# XXX stands in for the public key in this post; the real key belongs here.
leftrsasigkey=XXX
# Right side is Pohorelice (the peer).
right=195.39.120.200
rightsubnet=192.168.3.0/24
rightnexthop=195.39.120.193
rightid=@pohorelice.neria.cz
rightrsasigkey=XXX
firewall mam nastaveny takto:
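#!/bin/sh
# Packet filter for the Hustopece gateway: one uplink (eth1), three internal
# networks (eth0, eth2, eth2:0) and the FreeS/WAN tunnel N4_N3 to Pohorelice.
#
# Policy: default DROP on INPUT/OUTPUT/FORWARD, SNAT for the internal networks
# leaving the uplink, stateful return traffic only, rate-limited logging.
# Every table is flushed before rules are added, so the script can be re-run.
#
# Changes against the originally posted version:
#  - commands that had been wrapped by the mailer are joined again
#  - tables are flushed/chains deleted first (re-running no longer fails on
#    "chain already exists" or duplicates rules)
#  - the tunnel gets a FORWARD rule for the return direction (ipsec0)
#  - IKE/ESP/AH are accepted only from/to the configured peer
#  - every LOG rule is rate-limited, more reserved source ranges are dropped

# uplink (public side)
LAN0_IP="195.39.121.177"
LAN0_IFACE="eth1"
# internal network 1
LAN1_IP="192.168.4.3/32"
LAN1_BCAST="192.168.4.255/32"
LAN1_IFACE="eth0"
# internal network 2
LAN2_IP="192.168.1.3/32"
LAN2_BCAST="192.168.1.255/32"
LAN2_IFACE="eth2"
# internal network 2, alias address on eth2:0 (same physical interface as LAN2)
LAN3_IP="10.200.1.1/32"
LAN3_BCAST="10.200.1.255/32"
LAN3_IFACE="eth2"
# loopback
LO_IFACE="lo"
LO_IP="127.0.0.1/32"
# tunnel N4_N3, values taken from ipsec.conf (left = this host, right = peer).
# With KLIPS the decrypted traffic enters the filter on the virtual interface
# ipsec0, not on eth1 ("KLIPS ipsec0 on eth1" in the startup log).
VPN_IFACE="ipsec0"
VPN_PEER="195.39.120.200"
VPN_LOCAL_NET="192.168.4.0/24"
VPN_REMOTE_NET="192.168.3.0/24"

IPTABLES="/sbin/iptables"

/sbin/depmod -a
# optional explicit module loads, left disabled as in the original setup
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward
# Reverse-path filtering on every interface, including "all" and "default".
# NOTE(review): FreeS/WAN documentation advises rp_filter=0 on the interface
# KLIPS attaches to and on ipsec0, and ipsec_setup may adjust it itself;
# confirm the start order of this script and ipsec before relying on this.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$interface"
done

# Default policies first, then a clean slate. Flushing after the policies are
# in place avoids a window with an open firewall; deleting the user chains
# lets the -N below succeed on a re-run.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done

# Hide the internal networks behind the uplink address. Traffic for the
# tunnel is routed to ipsec0 and therefore not matched here (check with a
# capture on ipsec0 should tunnel hosts ever show up with the public address).
"$IPTABLES" -t nat -A POSTROUTING -o "$LAN0_IFACE" -j SNAT --to "$LAN0_IP"

# spoofing: log (rate-limited) and drop packets whose source address must
# never arrive from the Internet.
"$IPTABLES" -N spoofing
"$IPTABLES" -A spoofing -m limit --limit 5/h --limit-burst 3 \
  -j LOG --log-prefix "Rezervovana IP: "
"$IPTABLES" -A spoofing -j DROP

# IN_FW: source-address checks for everything entering on the uplink.
# The two original ranges are kept; private (RFC 1918), loopback and
# link-local ranges are added, since none of them can legitimately come in
# on eth1 (the remote LAN 192.168.3.0/24 arrives decrypted on ipsec0).
# NOTE(review): 96.0.0.0/4 was unallocated when this list was written and
# has since been assigned; check current IANA allocations before keeping it.
"$IPTABLES" -N IN_FW
"$IPTABLES" -A IN_FW -s 172.16.0.0/12 -j spoofing
"$IPTABLES" -A IN_FW -s 96.0.0.0/4 -j spoofing
"$IPTABLES" -A IN_FW -s 10.0.0.0/8 -j spoofing
"$IPTABLES" -A IN_FW -s 192.168.0.0/16 -j spoofing
"$IPTABLES" -A IN_FW -s 127.0.0.0/8 -j spoofing
"$IPTABLES" -A IN_FW -s 169.254.0.0/16 -j spoofing

# syn-flood: let a steady rate of new TCP connections from the uplink
# through, drop the rest.
"$IPTABLES" -N syn-flood
"$IPTABLES" -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
"$IPTABLES" -A syn-flood -j DROP

# --- FORWARD ---
# NEW TCP connections that do not start with SYN are stray or crafted;
# logging is rate-limited so a flood cannot fill the log (the original had
# no limit on this rule).
"$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW \
  -m limit --limit 6/h -j LOG --log-prefix "NEW bez SYN: "
"$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
"$IPTABLES" -A FORWARD -i "$LAN0_IFACE" -j IN_FW
# Internal networks may forward anywhere.
"$IPTABLES" -A FORWARD -i "$LAN1_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN2_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN3_IFACE" -j ACCEPT
# Replies from the Internet back into the internal networks (LAN2 and LAN3
# share eth2, so that rule is installed twice, as in the original).
for inner in "$LAN1_IFACE" "$LAN2_IFACE" "$LAN3_IFACE"; do
  "$IPTABLES" -A FORWARD -i "$LAN0_IFACE" -o "$inner" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# VPN N4_N3, both directions. The original had only the outbound rule:
# decrypted replies from 192.168.3.0/24 enter on ipsec0, where neither the
# eth1 ESTABLISHED rule nor the outbound rule matches, so they fell through
# to the DROP policy. Restricting the return rule to ipsec0 keeps plaintext
# packets on eth1 claiming the remote LAN's addresses out.
"$IPTABLES" -A FORWARD -s "$VPN_LOCAL_NET" -d "$VPN_REMOTE_NET" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$VPN_IFACE" -s "$VPN_REMOTE_NET" -d "$VPN_LOCAL_NET" -j ACCEPT
# Everything else is logged (rate-limited) and hits the DROP policy.
"$IPTABLES" -A FORWARD -m limit --limit 6/h -j LOG --log-prefix "Forward drop: "

# --- INPUT ---
"$IPTABLES" -A INPUT -i "$LAN0_IFACE" -p tcp ! --syn -m state --state NEW -j DROP
"$IPTABLES" -A INPUT -i "$LAN0_IFACE" -j IN_FW
"$IPTABLES" -A INPUT -i "$LAN0_IFACE" -p tcp --syn -j syn-flood
# Services offered to the Internet: ssh, smtp, http, pop3, https.
for port in 22 25 80 110 443; do
  "$IPTABLES" -A INPUT -i "$LAN0_IFACE" -p tcp --dport "$port" -j ACCEPT
done
# ident: answer with RST so remote mail servers do not wait for a timeout.
"$IPTABLES" -A INPUT -i "$LAN0_IFACE" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# ICMP types needed for ping, path-MTU discovery and traceroute replies.
for icmp in echo-reply destination-unreachable echo-request time-exceeded; do
  "$IPTABLES" -A INPUT -i "$LAN0_IFACE" -p icmp --icmp-type "$icmp" -j ACCEPT
done
"$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT
# Internal interfaces: traffic to the gateway's own addresses and broadcasts.
"$IPTABLES" -A INPUT -i "$LAN1_IFACE" -d "$LAN1_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN1_IFACE" -d "$LAN0_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN1_IFACE" -d "$LAN1_BCAST" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN2_IFACE" -d "$LAN2_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN2_IFACE" -d "$LAN0_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN2_IFACE" -d "$LAN2_BCAST" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN3_IFACE" -d "$LAN3_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN3_IFACE" -d "$LAN0_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN3_IFACE" -d "$LAN3_BCAST" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN2_IFACE" -d "$LAN1_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN3_IFACE" -d "$LAN1_IP" -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN3_IFACE" -d "$LAN2_IP" -j ACCEPT
# VPN: IKE (UDP 500), ESP (50) and AH (51), only from the configured peer on
# the uplink. The original accepted them from any address on any interface.
"$IPTABLES" -A INPUT -i "$LAN0_IFACE" -s "$VPN_PEER" -p udp --dport 500 -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN0_IFACE" -s "$VPN_PEER" -p 50 -j ACCEPT
"$IPTABLES" -A INPUT -i "$LAN0_IFACE" -s "$VPN_PEER" -p 51 -j ACCEPT
# Replies to connections the gateway opened itself.
"$IPTABLES" -A INPUT -d "$LAN0_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -m limit --limit 6/h -j LOG --log-prefix "Input drop: "

# --- OUTPUT ---
# TOS marking: interactive ssh/ftp control gets Minimize-Delay, bulk ftp-data
# Maximize-Throughput.
for port in ssh ftp; do
  "$IPTABLES" -t mangle -A OUTPUT -o "$LAN0_IFACE" -p tcp --sport "$port" \
    -j TOS --set-tos Minimize-Delay
  "$IPTABLES" -t mangle -A OUTPUT -o "$LAN0_IFACE" -p tcp --dport "$port" \
    -j TOS --set-tos Minimize-Delay
done
"$IPTABLES" -t mangle -A OUTPUT -o "$LAN0_IFACE" -p tcp --sport ftp-data \
  -j TOS --set-tos Maximize-Throughput
# Locally generated traffic from any of the gateway's own addresses.
for src in "$LO_IP" "$LAN3_IP" "$LAN2_IP" "$LAN1_IP" "$LAN0_IP"; do
  "$IPTABLES" -A OUTPUT -s "$src" -j ACCEPT
done
# VPN: IKE, ESP and AH towards the peer. In the original these rules came
# after the LOG rule; they are moved in front of it and bound to the peer.
"$IPTABLES" -A OUTPUT -d "$VPN_PEER" -p udp --sport 500 --dport 500 -j ACCEPT
"$IPTABLES" -A OUTPUT -d "$VPN_PEER" -p 50 -j ACCEPT
"$IPTABLES" -A OUTPUT -d "$VPN_PEER" -p 51 -j ACCEPT
# The original OUTPUT log had no rate limit, unlike INPUT and FORWARD.
"$IPTABLES" -A OUTPUT -m limit --limit 6/h -j LOG --log-prefix "Output drop: "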
V logu se po startu IPSEC objevi
Jul 5 13:52:59 mail ipsec_setup: Starting FreeS/WAN IPsec 1.96...
Jul 5 13:52:59 mail ipsec_setup: KLIPS debug `none'
Jul 5 13:52:59 mail ipsec_setup: KLIPS ipsec0 on eth1
195.39.121.177/255.255.255.224 broadcast 195.39.121.191
Jul 5 13:52:59 mail ipsec_setup: ...FreeS/WAN IPsec started
Jul 5 13:53:10 mail ipsec__plutorun: 104 "N4_N3" #1: STATE_MAIN_I1:
initiate
Jul 5 13:53:10 mail ipsec__plutorun: 010 "N4_N3" #1: STATE_MAIN_I1:
retransmission; will wait 20s for response
Jul 5 13:53:10 mail ipsec__plutorun: 106 "N4_N3" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Jul 5 13:53:10 mail ipsec__plutorun: 108 "N4_N3" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Jul 5 13:53:10 mail ipsec__plutorun: 004 "N4_N3" #1: STATE_MAIN_I4: ISAKMP
SA established
Jul 5 13:53:10 mail ipsec__plutorun: 112 "N4_N3" #4: STATE_QUICK_I1:
initiate
Jul 5 13:53:10 mail ipsec__plutorun: 004 "N4_N3" #4: STATE_QUICK_I2: sent
QI2, IPsec SA established
Marcel Mazáč
NERIA a.s.
E-mail : mazac <mailto:mazac na neria.cz> @neria.cz