doc:howto:vpn.ipsec.firewall

Differences

This shows you the differences between two versions of the page.


doc:howto:vpn.ipsec.firewall [2012/12/21 16:07]
miceliux Open gateway ports in IPv6
doc:howto:vpn.ipsec.firewall [2013/10/28 08:29] (current)
lorema
Line 1: Line 1:
 ====== IPsec Firewall ====== ====== IPsec Firewall ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/​howto/​vpn.overview]] |
 +
 +:!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.firewall.racoon|here]].
  
 When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[vpn.ipsec.basics|basics]] please have look over there first. When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[vpn.ipsec.basics|basics]] please have look over there first.
Line 15: Line 18:
   * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target.   * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target.
  
-**Conclusion:​ Create a new zone and call it vpn.** It is not required to assign an interface to it. If you want to rename the zone to something else you have to adapt parameter **zone** in [[doc:uci:racoon|/​etc/​config/​racoon]].+**Conclusion:​ Create a new zone and call it vpn.** It is not required to assign an interface to it. If you want to rename the zone to something else you have to adapt parameter **zone** in [[doc:uci:ipsec|/​etc/​config/​ipsec]].
  
 ===== Default Rules ===== ===== Default Rules =====
Line 38: Line 41:
   * NAT-T: Handling of IPsec between natted devices   * NAT-T: Handling of IPsec between natted devices
  
-The easiest will be to allow all traffic to the Endpoint ports. Although being security paranoid we have to think about [[vpn.ipsec.roadwarrior|road warriors]] that want to connect from random internet addresses. The input_rule queue is a a good place to activate those rules manually with the following commands.+The easiest will be to allow all traffic to the Endpoint ports. Although being security paranoid we have to think about [[vpn.ipsec.roadwarrior.racoon|road warriors]] that want to connect from random internet addresses. The input_rule queue is a a good place to activate those rules manually with the following commands.
  
 <​code>​ <​code>​
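Review bot: the road-warrior link in this hunk is retargeted to `vpn.ipsec.roadwarrior.racoon`, which sends readers of what the new notice at the top declares to be the strongswan page to the racoon-specific article; keep `vpn.ipsec.roadwarrior` (or point at the strongswan road-warrior page) so the `.racoon` suffix stays reserved for the legacy docs, as the notice implies. The typo "a a good place" survives on both sides of the diff and could be fixed in the same edit.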
Line 72: Line 75:
   * The second one was quite trickier. Sort the VPN rules to the top of the list and put a blocking rule behind the last VPN rule in the chain. This new blocking rule must of course once again check against all networks behind VPN tunnels.   * The second one was quite trickier. Sort the VPN rules to the top of the list and put a blocking rule behind the last VPN rule in the chain. This new blocking rule must of course once again check against all networks behind VPN tunnels.
  
-And that what it has to look like afterwards. The zone_VPN_ACCEPT and zone_VPN_REJECT are populated and zone_VPN_REJECT chain inserted at the right position. The VPN networks defined in our /​etc/​config/​racoon ​are 192.168.10.0/​24 and 62.40.12.192/​26. ​+And that what it has to look like afterwards. The zone_VPN_ACCEPT and zone_VPN_REJECT are populated and zone_VPN_REJECT chain inserted at the right position. The VPN networks defined in our /​etc/​config/​ipsec are 192.168.10.0/​24 and 62.40.12.192/​26. ​
  
 {{:​doc:​howto:​ipsec_chain_mod.png|}} {{:​doc:​howto:​ipsec_chain_mod.png|}}
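Review bot: style point on the first sentence of this hunk, unchanged on both sides: "And that what it has to look like afterwards" is missing a verb; suggest "And this is what it has to look like afterwards." The config path change to `/etc/config/ipsec` is consistent with the rest of the rename.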
Line 112: Line 115:
  
 Finally we have a look at the script. It injects all the additionally required settings according to  Finally we have a look at the script. It injects all the additionally required settings according to 
-[[doc:uci:racoon|/​etc/​config/​racoon]] into the OpenWrt firewall. Save it as **/etc/racoon/​firewall.sh** and put a calling line into **/​etc/​firewall.user** so it gets loaded automatically. **REMARK: This script only enables VPN firewall rules that have been set in the LUCI web interface. There is no guarantee that manually implemented rules in /​etc/​config/​firewall will work!**+[[doc:uci:ipsec|/​etc/​config/​ipsec]] into the OpenWrt firewall. Save it as **/etc/ipsec/​firewall.sh** and put a calling line into **/​etc/​firewall.user** so it gets loaded automatically. **REMARK: This script only enables VPN firewall rules that have been set in the LUCI web interface. There is no guarantee that manually implemented rules in /​etc/​config/​firewall will work!**
  
 <code bash> <code bash>
 #!/bin/sh #!/bin/sh
-#/etc/racoon/​firewall.sh - version ​14 +#/etc/ipsec/​firewall.sh - version ​2 
- +
 . /​etc/​functions.sh . /​etc/​functions.sh
- +
 GetZone() { GetZone() {
   config_get zone "​$1"​ zone vpn   config_get zone "​$1"​ zone vpn
 } }
-  + 
-GetSA() {+GetTunnel() {
   local remote_subnet   local remote_subnet
   local local_subnet   local local_subnet
   local local_nat   local local_nat
- +
   config_get remote_subnet "​$1"​ remote_subnet   config_get remote_subnet "​$1"​ remote_subnet
   config_get local_subnet ​ "​$1"​ local_subnet   config_get local_subnet ​ "​$1"​ local_subnet
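Review bot: the header comment in this hunk changes `version 14` to `version 2`, which reads as a regression for anyone comparing the racoon and ipsec copies of the script; if the ipsec script starts a new version series, say so in the comment (e.g. "version 2 of the ipsec variant"), otherwise continue numbering past 14. The rename `GetSA` to `GetTunnel` matches the `tunnel` list iterated later in the script, so that part is consistent.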
Line 138: Line 141:
   iptables -A zone_${zone}_INPUT -s $remote_subnet -j zone_${zone}   iptables -A zone_${zone}_INPUT -s $remote_subnet -j zone_${zone}
   iptables -A zone_${zone}_FORWARD -s $remote_subnet -j zone_${zone}_forward   iptables -A zone_${zone}_FORWARD -s $remote_subnet -j zone_${zone}_forward
- +
   if [ "​$local_nat"​ == ""​ ]; then   if [ "​$local_nat"​ == ""​ ]; then
     iptables -t nat -A zone_${zone}_nat -d $remote_subnet -j ACCEPT     iptables -t nat -A zone_${zone}_nat -d $remote_subnet -j ACCEPT
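Review bot: `[ "$local_nat" == "" ]` in this hunk uses the bash-style `==` inside `[` although the script runs under `#!/bin/sh`; the POSIX test operator is a single `=`, so write `[ "$local_nat" = "" ]` or, clearer, `[ -z "$local_nat" ]`.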
Line 148: Line 151:
   fi   fi
 } }
-  + 
-GetTunnel() {+GetRemote() {
   local enabled   local enabled
-  local remote +  local gateway 
- +
   config_get_bool enabled "​$1"​ enabled 0   config_get_bool enabled "​$1"​ enabled 0
-  config_get ​     ​remote  ​"​$1" ​remote+  config_get ​     ​gateway ​"​$1" ​gateway
   [[ "​$enabled"​ == "​0"​ ]] && return   [[ "​$enabled"​ == "​0"​ ]] && return
-  + 
-  config_list_foreach "​$1" ​sainfo GetSA+  config_list_foreach "​$1" ​tunnel GetTunnel
 } }
  
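Review bot: in the renamed `GetRemote`, `gateway` is declared and read with `config_get gateway "$1" gateway` but is never used in the visible body (only `enabled` is tested and the `tunnel` list is iterated), so either drop the two `gateway` lines or use the value. Also `[[ "$enabled" == "0" ]] && return` is a bash/ksh construct under a `#!/bin/sh` shebang; since `config_get_bool` already normalises the value to 0 or 1, `[ "$enabled" = "0" ] && return` is portable and equivalent.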
Line 190: Line 193:
   config_list_foreach "​$1"​ listen GetDevice   config_list_foreach "​$1"​ listen GetDevice
 } }
- +
 zone=vpn zone=vpn
-config_load ​racoon +config_load ​ipsec 
-config_foreach GetZone ​racoon+config_foreach GetZone ​ipsec
  
 if [ -x /​usr/​sbin/​ip6tables ]; then if [ -x /​usr/​sbin/​ip6tables ]; then
Line 205: Line 208:
   ip6tables -F zone_${zone}_ACCEPT   ip6tables -F zone_${zone}_ACCEPT
 fi fi
- +
 iptables -N zone_${zone}_gateway iptables -N zone_${zone}_gateway
 iptables -I input -j zone_${zone}_gateway iptables -I input -j zone_${zone}_gateway
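Review bot: `iptables -N zone_${zone}_gateway` followed by `iptables -I input -j zone_${zone}_gateway` is not idempotent: `/etc/firewall.user` is executed on every firewall reload, so on the second run `-N` fails because the chain already exists and a second jump is inserted into `input`. Flush the chain and delete any existing jump before inserting it, e.g. `iptables -F zone_${zone}_gateway` and `iptables -D input -j zone_${zone}_gateway 2>/dev/null`, mirroring the `-F zone_${zone}_ACCEPT` the ip6tables branch just above already does.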
Line 212: Line 215:
   ip6tables -I input -j zone_${zone}_gateway   ip6tables -I input -j zone_${zone}_gateway
 fi fi
-config_foreach GetInterface ​racoon +config_foreach GetInterface ​ipsec 
- +
 iptables -t nat -F zone_${zone}_nat iptables -t nat -F zone_${zone}_nat
 iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat
 iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting
- +
 # sort VPN rules to top of forward zones and insert VPN reject marker afterwards # sort VPN rules to top of forward zones and insert VPN reject marker afterwards
 ForwardZones=`iptables -S | awk '/​.N.*zone.*_forward/​{print $2}' | grep -v ${zone}` ForwardZones=`iptables -S | awk '/​.N.*zone.*_forward/​{print $2}' | grep -v ${zone}`
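Review bot: the hard-coded positions in `iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat` and `iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting` assume that exactly one rule already sits at the top of each chain; the correct position depends on what the OpenWrt firewall generated, so a comment should state which rule is expected at position 1, or the jump should be placed relative to that rule. Separately, `grep -v ${zone}` in the `ForwardZones` assignment drops every forward chain whose name merely contains the zone name; `grep -v "^zone_${zone}_forward$"` excludes only the VPN zone's own chain.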
Line 227: Line 230:
   iptables -S $ForwardZone | grep -v zone_${zone}_ACCEPT | \   iptables -S $ForwardZone | grep -v zone_${zone}_ACCEPT | \
     grep -v "​^-N"​ | awk '{ print "​iptables " $0}' >> /​tmp/​fwrebuild     grep -v "​^-N"​ | awk '{ print "​iptables " $0}' >> /​tmp/​fwrebuild
- +
   chmod +x /​tmp/​fwrebuild   chmod +x /​tmp/​fwrebuild
   /​tmp/​fwrebuild   /​tmp/​fwrebuild
   rm /​tmp/​fwrebuild   rm /​tmp/​fwrebuild
 done done
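Review bot: the rebuild helper in this hunk is appended (`>>`) to the fixed path `/tmp/fwrebuild` and then executed as root; a leftover file from an earlier aborted run would be re-executed together with the new rules, and a fixed name in a shared temporary directory is weaker than a per-run file. Suggest `rebuild=$(mktemp)` at the top of the loop body, writing to `"$rebuild"`, and removing it on every exit path.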
- +
 # link zone_vpn via zone_vpn_INPUT # link zone_vpn via zone_vpn_INPUT
 iptables -N zone_${zone}_INPUT iptables -N zone_${zone}_INPUT
 iptables -I input -j zone_${zone}_INPUT iptables -I input -j zone_${zone}_INPUT
- +
 # link zone_vpn_forward via zone_vpn_FORWARD # link zone_vpn_forward via zone_vpn_FORWARD
 iptables -N zone_${zone}_FORWARD iptables -N zone_${zone}_FORWARD
 iptables -I forward -j zone_${zone}_FORWARD iptables -I forward -j zone_${zone}_FORWARD
-  + 
-config_foreach ​GetTunnel tunnel+config_foreach ​GetRemote remote
 </​code>​ </​code>​
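Review bot: `zone_${zone}_INPUT` and `zone_${zone}_FORWARD` are created with `-N` but never flushed, while `GetTunnel` appends (`-A`) into them and this hunk inserts a fresh jump into `input` and `forward` each time; on a second run `-N` fails on the existing chains, the old rules stay, and the new ones pile up behind them. Add `iptables -F zone_${zone}_INPUT` and `iptables -F zone_${zone}_FORWARD` after the `-N` lines and delete the previous jumps (`-D input -j ...`, `-D forward -j ...`) before re-inserting them. The final `config_foreach GetRemote remote` correctly stays after the chain creation, since the appends in `GetTunnel` depend on the chains existing.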
  
doc/howto/vpn.ipsec.firewall.1356102451.txt.bz2 · Last modified: 2012/12/21 16:07 by miceliux