Differences


doc:howto:vpn.ipsec.firewall [2012/12/21 16:07]
miceliux Open gateway ports in IPv6
doc:howto:vpn.ipsec.firewall [2013/10/28 08:29] (current)
lorema
Line 1: Line 1:
====== IPsec Firewall ====== ====== IPsec Firewall ======
 +| For an overview over all existing Virtual private network (VPN)-related articles in the OpenWrt wiki, please visit [[doc/howto/vpn.overview]] |
 +
 +:!: This page is about strongswan. The old racoon documentation can be found [[vpn.ipsec.firewall.racoon|here]].
When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[vpn.ipsec.basics|basics]] please have look over there first. When configuring firewalls, tunnels and zones we always have to keep security in mind. First rule should be: Everything that is not allowed explicitly should be denied automatically. This article provides an easy but quite powerful security concept for your IPsec VPN setup. If you missed the [[vpn.ipsec.basics|basics]] please have look over there first.
Line 15: Line 18:
  * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target.   * VPN and WAN in the same zone needs fine granular rules to ensure that packets won't reach an unallowed target.
-**Conclusion: Create a new zone and call it vpn.** It is not required to assign an interface to it. If you want to rename the zone to something else you have to adapt parameter **zone** in [[doc:uci:racoon|/etc/config/racoon]].+**Conclusion: Create a new zone and call it vpn.** It is not required to assign an interface to it. If you want to rename the zone to something else you have to adapt parameter **zone** in [[doc:uci:ipsec|/etc/config/ipsec]].
===== Default Rules ===== ===== Default Rules =====
Line 38: Line 41:
  * NAT-T: Handling of IPsec between natted devices   * NAT-T: Handling of IPsec between natted devices
-The easiest will be to allow all traffic to the Endpoint ports. Although being security paranoid we have to think about [[vpn.ipsec.roadwarrior|road warriors]] that want to connect from random internet addresses. The input_rule queue is a a good place to activate those rules manually with the following commands.+The easiest will be to allow all traffic to the Endpoint ports. Although being security paranoid we have to think about [[vpn.ipsec.roadwarrior.racoon|road warriors]] that want to connect from random internet addresses. The input_rule queue is a a good place to activate those rules manually with the following commands.
<code> <code>
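Review bot: the road-warrior link in this hunk now targets `vpn.ipsec.roadwarrior.racoon`, the racoon-era page, while the notice added in the Line 1 hunk declares this page to be about strongswan and relegates racoon material to "old documentation"; either point the link at the strongswan road-warrior page or say in the sentence that the racoon variant is meant. Nit in the unchanged context: "a a good place" has a doubled word.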
Line 72: Line 75:
  * The second one was quite trickier. Sort the VPN rules to the top of the list and put a blocking rule behind the last VPN rule in the chain. This new blocking rule must of course once again check against all networks behind VPN tunnels.   * The second one was quite trickier. Sort the VPN rules to the top of the list and put a blocking rule behind the last VPN rule in the chain. This new blocking rule must of course once again check against all networks behind VPN tunnels.
-And that what it has to look like afterwards. The zone_VPN_ACCEPT and zone_VPN_REJECT are populated and zone_VPN_REJECT chain inserted at the right position. The VPN networks defined in our /etc/config/racoon are 192.168.10.0/24 and 62.40.12.192/26. +And that what it has to look like afterwards. The zone_VPN_ACCEPT and zone_VPN_REJECT are populated and zone_VPN_REJECT chain inserted at the right position. The VPN networks defined in our /etc/config/ipsec are 192.168.10.0/24 and 62.40.12.192/26.
{{:doc:howto:ipsec_chain_mod.png|}} {{:doc:howto:ipsec_chain_mod.png|}}
Line 112: Line 115:
Finally we have a look at the script. It injects all the additionally required settings according to Finally we have a look at the script. It injects all the additionally required settings according to
-[[doc:uci:racoon|/etc/config/racoon]] into the OpenWrt firewall. Save it as **/etc/racoon/firewall.sh** and put a calling line into **/etc/firewall.user** so it gets loaded automatically. **REMARK: This script only enables VPN firewall rules that have been set in the LUCI web interface. There is no guarantee that manually implemented rules in /etc/config/firewall will work!**+[[doc:uci:ipsec|/etc/config/ipsec]] into the OpenWrt firewall. Save it as **/etc/ipsec/firewall.sh** and put a calling line into **/etc/firewall.user** so it gets loaded automatically. **REMARK: This script only enables VPN firewall rules that have been set in the LUCI web interface. There is no guarantee that manually implemented rules in /etc/config/firewall will work!**
<code bash> <code bash>
#!/bin/sh #!/bin/sh
-#/etc/racoon/firewall.sh - version 14 +#/etc/ipsec/firewall.sh - version 2 
- +
. /etc/functions.sh . /etc/functions.sh
- +
GetZone() { GetZone() {
  config_get zone "$1" zone vpn   config_get zone "$1" zone vpn
} }
-  + 
-GetSA() {+GetTunnel() {
  local remote_subnet   local remote_subnet
  local local_subnet   local local_subnet
  local local_nat   local local_nat
- +
  config_get remote_subnet "$1" remote_subnet   config_get remote_subnet "$1" remote_subnet
  config_get local_subnet  "$1" local_subnet   config_get local_subnet  "$1" local_subnet
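Review bot: the header comment goes from `version 14` to `version 2`, so the counter restarts with the rename and a reader still running the racoon-era version 14 will assume theirs is newer; carry the number forward or state in the comment that this is a new script for `/etc/config/ipsec`. This hunk also renames `GetSA` to `GetTunnel` while the Line 148 hunk renames the old `GetTunnel` to `GetRemote`, so both revisions contain a `GetTunnel` with a different meaning; a one-line comment above each function naming the UCI list or section type it walks (`tunnel` here, `remote` below) would make the two versions comparable.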
Line 138: Line 141:
  iptables -A zone_${zone}_INPUT -s $remote_subnet -j zone_${zone}   iptables -A zone_${zone}_INPUT -s $remote_subnet -j zone_${zone}
  iptables -A zone_${zone}_FORWARD -s $remote_subnet -j zone_${zone}_forward   iptables -A zone_${zone}_FORWARD -s $remote_subnet -j zone_${zone}_forward
- +
  if [ "$local_nat" == "" ]; then   if [ "$local_nat" == "" ]; then
    iptables -t nat -A zone_${zone}_nat -d $remote_subnet -j ACCEPT     iptables -t nat -A zone_${zone}_nat -d $remote_subnet -j ACCEPT
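Review bot: the `-  ` / `+ ` pairs in this hunk, and in the Line 205, Line 212 and Line 227 hunks, are trailing-whitespace changes on blank lines that add nothing but diff noise; strip them before committing. Visible context nit: `[ "$local_nat" == "" ]` under `#!/bin/sh` relies on the shell's `test` accepting `==`, which BusyBox ash does but POSIX `test` does not; `[ -z "$local_nat" ]` is the portable form.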
Line 148: Line 151:
  fi   fi
} }
-  + 
-GetTunnel() {+GetRemote() {
  local enabled   local enabled
-  local remote +  local gateway 
- +
  config_get_bool enabled "$1" enabled 0   config_get_bool enabled "$1" enabled 0
-  config_get      remote  "$1" remote+  config_get      gateway "$1" gateway
  [[ "$enabled" == "0" ]] && return   [[ "$enabled" == "0" ]] && return
-  + 
-  config_list_foreach "$1" sainfo GetSA+  config_list_foreach "$1" tunnel GetTunnel
} }
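Review bot: in `GetRemote`, `config_get gateway "$1" gateway` fills a local variable that nothing else in the function body reads (the old `remote` variable had the same problem), so the two lines are dead code; either drop them or use the value, for example to limit the endpoint-port rules discussed in the Line 38 hunk to that peer address for site-to-site remotes, leaving the any-source rule to genuine road warriors.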
Line 190: Line 193:
  config_list_foreach "$1" listen GetDevice   config_list_foreach "$1" listen GetDevice
} }
- +
zone=vpn zone=vpn
-config_load racoon +config_load ipsec 
-config_foreach GetZone racoon+config_foreach GetZone ipsec
if [ -x /usr/sbin/ip6tables ]; then if [ -x /usr/sbin/ip6tables ]; then
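Review bot: `config_foreach GetZone ipsec` walks only sections of type `ipsec`, and `GetZone` reads the `zone` option from there with `vpn` as default; the prose in the Line 15 hunk only says "adapt parameter zone in /etc/config/ipsec" without naming the section, so a reader who puts `option zone` into a `remote` or `tunnel` section will silently keep the default. Say which section type carries the option.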
Line 205: Line 208:
  ip6tables -F zone_${zone}_ACCEPT   ip6tables -F zone_${zone}_ACCEPT
fi fi
- +
iptables -N zone_${zone}_gateway iptables -N zone_${zone}_gateway
iptables -I input -j zone_${zone}_gateway iptables -I input -j zone_${zone}_gateway
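Review bot: `iptables -N zone_${zone}_gateway` followed unconditionally by `iptables -I input -j zone_${zone}_gateway` (and the matching `ip6tables -I` in the next hunk) inserts a fresh jump on every run, so running the script twice without a firewall restart in between leaves duplicate jumps in `input`; only the zone's own chains are flushed with `-F`. Chain the insert on the `-N` succeeding, or delete an existing jump before inserting, so re-running `/etc/firewall.user` is idempotent.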
Line 212: Line 215:
  ip6tables -I input -j zone_${zone}_gateway   ip6tables -I input -j zone_${zone}_gateway
fi fi
-config_foreach GetInterface racoon +config_foreach GetInterface ipsec 
- +
iptables -t nat -F zone_${zone}_nat iptables -t nat -F zone_${zone}_nat
iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat
iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting
- +
# sort VPN rules to top of forward zones and insert VPN reject marker afterwards # sort VPN rules to top of forward zones and insert VPN reject marker afterwards
ForwardZones=`iptables -S | awk '/.N.*zone.*_forward/{print $2}' | grep -v ${zone}` ForwardZones=`iptables -S | awk '/.N.*zone.*_forward/{print $2}' | grep -v ${zone}`
Line 227: Line 230:
  iptables -S $ForwardZone | grep -v zone_${zone}_ACCEPT | \   iptables -S $ForwardZone | grep -v zone_${zone}_ACCEPT | \
    grep -v "^-N" | awk '{ print "iptables " $0}' >> /tmp/fwrebuild     grep -v "^-N" | awk '{ print "iptables " $0}' >> /tmp/fwrebuild
- +
  chmod +x /tmp/fwrebuild   chmod +x /tmp/fwrebuild
  /tmp/fwrebuild   /tmp/fwrebuild
  rm /tmp/fwrebuild   rm /tmp/fwrebuild
done done
- +
# link zone_vpn via zone_vpn_INPUT # link zone_vpn via zone_vpn_INPUT
iptables -N zone_${zone}_INPUT iptables -N zone_${zone}_INPUT
iptables -I input -j zone_${zone}_INPUT iptables -I input -j zone_${zone}_INPUT
- +
# link zone_vpn_forward via zone_vpn_FORWARD # link zone_vpn_forward via zone_vpn_FORWARD
iptables -N zone_${zone}_FORWARD iptables -N zone_${zone}_FORWARD
iptables -I forward -j zone_${zone}_FORWARD iptables -I forward -j zone_${zone}_FORWARD
-  + 
-config_foreach GetTunnel tunnel+config_foreach GetRemote remote
</code> </code>
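Review bot: `/tmp/fwrebuild` is a fixed, predictable path that the loop appends to with `>>`, marks executable and then runs as root; if an earlier run aborted before the `rm`, the stale rules are replayed on top of the new ones, and whatever already sits at that name is executed. Create the file with `mktemp`, truncate rather than append on the first write, and run it as `sh "$tmp"` instead of `chmod +x` so nothing depends on the path being unused. The final `config_foreach GetRemote remote` also switches the iterated section type from `tunnel` to `remote`; that matches the `GetRemote`/`GetTunnel` rename in the Line 148 hunk but deserves a comment, since the old script iterated `tunnel` sections directly.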


doc/howto/vpn.ipsec.firewall.1356102451.txt.bz2 · Last modified: 2012/12/21 16:07 by miceliux