321 lines
12 KiB
HTML
321 lines
12 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE>Introduction to FreeS/WAN</TITLE>
|
|
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
|
|
<STYLE TYPE="text/css"><!--
|
|
BODY { font-family: serif }
|
|
H1 { font-family: sans-serif }
|
|
H2 { font-family: sans-serif }
|
|
H3 { font-family: sans-serif }
|
|
H4 { font-family: sans-serif }
|
|
H5 { font-family: sans-serif }
|
|
H6 { font-family: sans-serif }
|
|
SUB { font-size: smaller }
|
|
SUP { font-size: smaller }
|
|
PRE { font-family: monospace }
|
|
--></STYLE>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="toc.html">Contents</A>
|
|
<A HREF="background.html">Previous</A>
|
|
<A HREF="makecheck.html">Next</A>
|
|
<HR>
|
|
<H1><A name="user.examples">FreeS/WAN script examples</A></H1>
|
|
This file is intended to hold a collection of user-written example
|
|
scripts or configuration files for use with FreeS/WAN.
|
|
<P> So far it has only one entry.</P>
|
|
<H2><A name="poltorak">Poltorak's Firewall script</A></H2>
|
|
<PRE>
|
|
From: Poltorak Serguei <poltorak@dataforce.net>
|
|
Subject: [Users] Using FreeS/WAN
|
|
Date: Tue, 16 Oct 2001
|
|
|
|
Hello.
|
|
|
|
I'm using FreeS/WAN IPsec for half a year. I learned a lot of things about
|
|
it and I think it would be interesting for someone to see the result of my
|
|
experiments and usage of FreeS/WAN. If you find a mistake in this
|
|
file, please e-mail me. And excuse me for my english... I'm learning.. :)
|
|
|
|
I'll talk about vary simple configuration:
|
|
|
|
addresses prefix = 192.168
|
|
|
|
lan1 sgw1 .0.0/24 (Internet) sgw2 lan2
|
|
.1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; . 2.10 ]---.2.0/24
|
|
|
|
|
|
We need to let lan1 see lan2 across Internet like it is behind sgw1. The
|
|
same for lan2. And we need to do IPX bridge for Novel Clients and NDS
|
|
synchronization.
|
|
|
|
my config:
|
|
------------------- ipsec.conf -------------------
|
|
conn lan1-lan2
|
|
type=tunnel
|
|
compress=yes
|
|
#-------------------
|
|
left=192.168.0.1
|
|
leftsubnet=192.168.1.0/24
|
|
#-------------------
|
|
right=192.168.0.10
|
|
rightsubnet=192.168.2.0/24
|
|
#-------------------
|
|
auth=esp
|
|
authby=secret
|
|
--------------- end of ipsec.conf ----------------
|
|
|
|
ping .2.x from .1.y (y != 1)
|
|
It works?? Fine. Let's continue...
|
|
|
|
Why y != 1 ?? Because kernel of sgw1 have 2 IP addresses and it will choose
|
|
the first IP (which is used to go to Internet) .0.1 and the packet won't go
|
|
through IPsec tunnel :( But if do ping on .1.1 kernel will respond from
|
|
that address (.1.1) and the packet will be tunneled. The same problem occurred then
|
|
.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
|
|
sends ARP requesting .1.2... after 3 tries it send to .2.x an destunreach,
|
|
but from his "natural" IP or .0.1 . So the error message won't be delivered!
|
|
It's a big problem...
|
|
|
|
Resolution... One can manipulate with ipsec0 or ipsec0:0 to solve the
|
|
problem (if ipsec0 has .1.1 kernel will send packets correctly), but there
|
|
are powerful and elegant iproute2 :) We simply need to change source address
|
|
of packet that goes to other secure lan. This is done with
|
|
|
|
ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
|
|
|
|
Cool!! Now it works!!
|
|
|
|
The second step. We want install firewall on sgw1 and sgw2. Encryption of
|
|
traffic without security isn't a good idea. I don't use {left|right}firewall,
|
|
because I'm running firewall from init scripts.
|
|
|
|
We want IPsec data between lan1-lan2, some ICMP errors (destination
|
|
unreachable, TTL exceeded, parameter problem and source quench), replying on
|
|
pings from both lans and Internet, ipxtunnel data for IPX and of course SSH
|
|
between sgw1 and sgw2 and from/to one specified host.
|
|
|
|
I'm using ipchains. With iptables there are some changes.
|
|
|
|
---------------- rc.firewall ---------------------
|
|
#!/bin/sh
|
|
#
|
|
# Firewall for IPsec lan1-lan2
|
|
#
|
|
|
|
IPC=/sbin/ipchains
|
|
ANY=0.0.0.0/0
|
|
|
|
# left
|
|
SGW1_EXT=192.168.0.1
|
|
SGW1_INT=192.168.1.1
|
|
LAN1=192.168.1.0/24
|
|
|
|
# right
|
|
SGW2_EXT=192.168.0.10
|
|
SGW2_INT=192.168.2.10
|
|
LAN2=192.168.2.0/24
|
|
|
|
# SSH from and to this host
|
|
SSH_PEER_HOST=_SOME_HOST_
|
|
|
|
# this is for left. exchange these values for right.
|
|
MY_EXT=$SGW1_EXT
|
|
MY_INT=$SGW1_INT
|
|
PEER_EXT=$SGW2_EXT
|
|
PEER_INT=$SGW2_INT
|
|
INT_IF=eth1
|
|
EXT_IF=eth0
|
|
IPSEC_IF=ipsec0
|
|
MY_LAN=$LAN1
|
|
PEER_LAN=$LAN2
|
|
|
|
$IPC -F
|
|
$IPC -P input DENY
|
|
$IPC -P forward DENY
|
|
$IPC -P output DENY
|
|
|
|
# Loopback traffic
|
|
$IPC -A input -i lo -j ACCEPT
|
|
$IPC -A output -i lo -j ACCEPT
|
|
|
|
# for IPsec SGW1-SGW2
|
|
## IKE
|
|
$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT
|
|
## ESP
|
|
$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
|
|
### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT
|
|
## forward LAN1-LAN2
|
|
$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
|
|
$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
|
|
$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
|
|
$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
|
|
|
|
# ICMP
|
|
#
|
|
## Dest unreachable
|
|
### from/to Internet
|
|
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
|
|
### from/to Lan
|
|
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
|
|
### from/to Peer Lan
|
|
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
|
|
#
|
|
## Source quench
|
|
### from/to Internet
|
|
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
|
|
### from/to Lan
|
|
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
|
|
### from/to Peer Lan
|
|
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
|
|
#
|
|
## Parameter problem
|
|
### from/to Internet
|
|
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
|
|
### from/to Lan
|
|
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
|
|
### from/to Peer Lan
|
|
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
|
|
#
|
|
## Time To Live exceeded
|
|
### from/to Internet
|
|
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT
|
|
### to Lan
|
|
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT
|
|
### to Peer Lan
|
|
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT
|
|
|
|
# ICMP PINGs
|
|
## from Internet
|
|
$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply -i $EXT_IF -j ACCEPT
|
|
## from LAN
|
|
$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
|
|
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $INT_IF -j ACCEPT
|
|
## from Peer LAN
|
|
$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $IPSEC_IF -j ACCEPT
|
|
|
|
# SSH
|
|
## from SSH_PEER_HOST
|
|
$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT
|
|
## to SSH_PEER_HOST
|
|
$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT
|
|
## from PEER
|
|
$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT
|
|
## to PEER
|
|
$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
|
|
$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT
|
|
|
|
# ipxtunnel
|
|
$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
|
|
$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
|
|
|
|
---------------- end of rc.firewall ----------------------
|
|
|
|
To understand this we need to look on this scheme:
|
|
|
|
++-----------------------<----------------------------+
|
|
|| ipsec0 |
|
|
\/ |
|
|
eth0 +--------+ /---------/ yes /---------/ yes +-----------------------+
|
|
------>| INPUT |-->/ ?local? /----->/ ?IPsec? /----->| decrypt decapsulate |
|
|
eth1 +--------+ /---------/ /---------/ +-----------------------+
|
|
|| no || no
|
|
\/ \/
|
|
+----------+ +---------+ +-------+
|
|
| routing | | local | | local |
|
|
| decision | | deliver | | send |
|
|
+----------+ +---------+ +-------+
|
|
|| ||
|
|
\/ \/
|
|
+---------+ +----------+
|
|
| forward | | routing |
|
|
+---------+ | decision |
|
|
|| +----------+
|
|
|| ||
|
|
++----------------<-----------------++
|
|
||
|
|
\/
|
|
+--------+ eth0
|
|
| OUTPUT | eth1
|
|
+--------+ ipsec0
|
|
||
|
|
\/
|
|
/---------/ yes +-----------------------+
|
|
/ ?IPsec? /----->| encrypt encapsulate |
|
|
/---------/ +-----------------------+
|
|
|| no ||
|
|
|| ||
|
|
|| \/ eth0, eth1
|
|
++-----------------------++-------------->
|
|
|
|
This explain how a packet traverse TCP/IP stack in IPsec capable kernel.
|
|
|
|
FIX ME, please, if there are any errors
|
|
|
|
Test the new firewall now.
|
|
|
|
|
|
Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel
|
|
|
|
tipxd didn't send packets.. :(
|
|
SIB and ipxtunnel worked fine :)
|
|
With ipxtunnel there was a little problem. In sources there are an error.
|
|
|
|
--------------------- in main.c ------------------------
|
|
< bytes += p.len;
|
|
---
|
|
> bytes += len;
|
|
--------------------------------------------------------
|
|
|
|
After this FIX everything goes right...
|
|
|
|
------------------- /etc/ipxtunnel.conf ----------------
|
|
port 2005
|
|
remote 192.168.101.97 2005
|
|
interface eth1
|
|
--------------- end of /etc/ipxtunnel.conf -------------
|
|
|
|
I use IPX tunnel between .1.1 and .2.10 so we don't need to encrypt nor
|
|
authenticate encapsulated IPX packets, it is done with IPsec.
|
|
|
|
If you don't wont to use iproute2 to change source IP you need to use SIB
|
|
(it is able to bind local address) or establish tunnel between .0.1 and
|
|
.0.10 (external IPs, you need to do encryption in the program, but it isn't
|
|
strong).
|
|
|
|
For now I'm using ipxtunnel.
|
|
|
|
I think that's all for the moment. If there are any error, please e-mail me:
|
|
poltorak@df.ru . It would be cool if someone puts the scheme of TCP/IP in
|
|
kernel and firewall example on FreeS/WAN's manual pages.
|
|
|
|
PoltoS
|
|
</PRE>
|
|
<HR>
|
|
<A HREF="toc.html">Contents</A>
|
|
<A HREF="background.html">Previous</A>
|
|
<A HREF="makecheck.html">Next</A>
|
|
</BODY>
|
|
</HTML>
|