VPN
Welcome to my notes on setting up tunneling using Debian 3.0 and 2.4.xx kernels.



At present you will need to be on at least Woody to get some needed libraries.

There are 3 kinds of tunnels in Linux: IP in IP tunneling, GRE tunneling, and tunnels that live outside the kernel (for example PPTP). Here we will concentrate on IPsec, initially using plain (raw RSA key) authentication; X.509 will follow.

An excellent page for ip routeing is here

Documentation for IPSEC at Freeswan's web site

Setup

Install freeswan, iproute, nmap and traceroute: run apt-get update followed by apt-get install freeswan iproute nmap traceroute.

Some useful commands provided by iproute (you will need these later, so try them out now) are,

ip link list
ip address show
ip route show
ip route list table local
ip route list table main

IPSEC

Quote "These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet."

This work is based on the official web site material at http://www.freeswan.org/intro.html

The latest addition to Debian 3.0 / woody is the freeswan deb package, so that should make our life easier.

Initial setup

Upgrade Potato to Woody so we get the freeswan package (and the libgmp3 and libgmp3-dev it needs).

Install libgmp3 and libgmp3-dev with apt-get install libgmp3 libgmp3-dev if they were not pulled in with the freeswan package.

Compile a debianised kernel as per my page, install this kernel and make sure it's working as you expect, eg that iptables functions. Please see this page if need be for iptables on Debian.

Make a symbolic link called linux pointing at the kernel source: while in /usr/src run ln -s kernel-source-2.4.18 linux.

Ipsec Patching for Debian

1) apt-get install kernel-patch-freeswan

2) Check /usr/src/linux/debian/changelog and if needed edit the revision from std.1.x to ipsec1.x (then --revision= should not be needed).

3) From /usr/src/linux execute export PATCH_THE_KERNEL=YES

4) make-kpkg clean (DO NOT skip this or the kernel will NOT be patched!)

5) Then run make-kpkg --config=menuconfig --revision=ipsec.1.x kernel_image

If the debian changelog bitches and the compile halts, cd debian and nano changelog, changing the first line or so to the revision you want. Then cd .. and try the compile again, leaving --revision=xxxx out of the command line (you just edited the changelog so it's not needed).

6) At the end of this process there should be a valid kernel-image.xxxx.ipsec.1.x.deb waiting for you in /usr/src/; install it with dpkg -i kernel-image-2.4xxxxx.ipsec.1.0_i386.deb, then reboot.

7) cd /etc/network and nano options; make sure spoofprotect=no, as it upsets ipsec.

8) Now reconfigure freeswan with dpkg-reconfigure freeswan. Set the key length to 1024 or even 2048 bits and work through the options (eg nz, ni, wgtn, thing, thing, kabuto.thing.dyndnf.org, thing@thing.dyndnf.org). The script will then stop and start ipsec; look for errors at this point, eg a kernel that is not ipsec aware.

9) As a second test, type ipsec whack --status

whack should reply; the output may not make much sense yet, as the conf files are not configured, but it should show ipsec is running if all is well.

Configuration Laptop to Firewall - Linux

First cp /etc/ipsec.conf to /etc/ipsec.conf-orig. The initial ipsec.conf looks something like this,


# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
	# How persistent to be in (re)keying negotiations (0 means very).
	keyingtries=0
	# RSA authentication with keys from DNS.
	authby=rsasig
	leftrsasigkey=%dns
	rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
	left=%defaultroute
	right=%opportunistic
	# uncomment to enable incoming; change to auto=route for outgoing
	#auto=add



# sample VPN connection
conn sample
	
	# Left security gateway, subnet behind it, next hop toward right.
	left=10.0.0.1
	leftsubnet=172.16.0.0/24
	leftnexthop=10.22.33.44
	# Right security gateway, subnet behind it, next hop toward left.
	right=10.12.12.1
	rightsubnet=192.168.0.0/24
	rightnexthop=10.101.102.103
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	#auto=add

At this point a reboot should see ipsec initialise; typing ipsec whack --status should show,

000 interface ipsec0/eth0 172.31.0.10
000
000  

That is not much yet.

laptop /etc/ipsec.conf

My VPN network looks like this,

[laptop]eth0/172.31.0.1=====wi-fi=====172.31.0.1/eth1[firewall]eth0/192.168.1.76-----192.168.1.1/eth1[firewall]eth0-----internet

In /etc/ is a file called ipsec.secrets; it holds your public key followed by your private key, eg,


# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA	{
	# RSA 2048 bits   kabuto   Sat Jul 21 18:49:46 2001
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQODNQ0I5lhx7QhcoE5g8SRbLvEKBp20qmFZ+sosD3nVpuKWyuOKakrjp7nyhZStItdhuOCFbUE9o7YGMlpfCT1khEJltkl/r2FhR5Y+yHBAOXTreEvpKDt2fWkAyfCXBJkxhGoKVfs0JWbtnPXT7uvskwz34K6JTl9WmnRnN/oO9pJyVvnqqqqJyU86j2zfWd0DlJ7AokFSrOb2YdwukZbxm5fqEQQrnIa1CrlSh/5DP9ehsOYtZsZbbmpWdIGkI2Iukrpu7sIzeq4dP+/7fU99oTI+cMUtrE2NqqpRSU8DaEq4LwKcVKet6CxWC4Mx4LT0JvX1s0951FrBMh9MwXdV
	#IN KEY 0x4200 4 1 AQODNQ0I2lhx7QhcoE5g8SRbLvEKBp20qmFZ+sosD3nVpuKWyuOKakrjp7nyhZStItdhuOCFbUE9o7YGMlpfCT1khEJltkl/r2FhR5Y+yHBAOXTreEvpKDt2fWkAyfCXBJkxhGoKVfs0JWbtnPXT7uvskwz34K6JTl9WmnRnN/oO9pJyVvnETGEJyU86j2zfWd0DlJ7AokFSrOb2YdwukZbxm5fqEQQrnIa1CrlSh/5DP9ehsOYtZsZbbmpWdIGkI2Iukrpu7sIzeq4dP+/7fU99oTI+cMUtrE2NqqpRSU8DaEq4LwKcVKet6CxWC4Mx4LT0JvX1s0951FrBMh9MwXDV
	# (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
	Modulus: 0xxxxxxxxxxxxxxxxxxxxxxxxxx
	PublicExponent: 0x03
	# everything after this point is secret
	PrivateExponent: 
0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Prime1: 
0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Prime2: 
0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Exponent1: 
0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Exponent2: 
0xxxxxxxxxxxxxxxxxxxxxxxxxx
	Coefficient: 
0xxxxxxxxxxxxxxxxxxxxxxxxxx
	}
# do not change the indenting of that "}"

Do not edit this file in any way!!!!!

The only part we want is,

0sAQODNQ0I5lhx7QhcoE5g8SRbLvEKBp20qmFZ+sosD3nVpuKWyuOKakrjp7nyhZStItdhuOCFbUE9o7YGMlpfCT1khEJltkl/r2FhR5Y+yHBAOXTreEvpKDt2fWkAyfCXBJkxhGoKVfs0JWbtnPXT7uvskwz34K6JTl9WmnRnN/oO9pJyVvnqqqqJyU86j2zfWd0DlJ7AokFSrOb2YdwukZbxm5fqEQQrnIa1CrlSh/5DP9ehsOYtZsZbbmpWdIGkI2Iukrpu7sIzeq4dP+/7fU99oTI+cMUtrE2NqqpRSU8DaEq4LwKcVKet6CxWC4Mx4LT0JvX1s0951FrBMh9MwXdV

which is the public key for the "left" machine (laptop).

This, together with the right key (firewall), gets put into the ipsec.conf file, which ends up looking like this,

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces=%defaultroute
	#interfaces="ipsec0=eth0"
	#Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes



# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	#ssj leftrsasigkey=%dns
	#ssj rightrsasigkey=%dns


# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
#ssj	left=%defaultroute
#ssj	right=%opportunistic
#ssj	keylife=1h
#ssj    rekey=no
	# uncomment this next line to enable it
	#auto=route



# sample VPN connection
#conn sample
conn wifi
	# Left security gateway, subnet behind it, next hop toward right.
	leftid=@tecra.thing.dyndns.org
	leftrsasigkey=0sAQOl6V1mY.........
	left=%defaultroute
	#leftnexthop=172.31.0.1
	#leftsubnet=0.0.0.0/0
	#ssjleftnexthop=10.22.33.44
	# Right security gateway, subnet behind it, next hop toward left.
	rightid=@kabuto.thing.dyndns.org
	rightrsasigkey=0sAQO4....
	right=172.31.0.1
	rightsubnet=0.0.0.0/0
	#rightsubnet=192.168.1.0/24
	#ssj rightnexthop=10.101.102.103
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	#auto=add
	auto=start

rp_filter

rp_filter is on by default; turn it off by opening /etc/network/options and changing spoofprotect to no, eg

ip_forward=yes
spoofprotect=no
syncookies=no

Once rebooted, ipsec whack --status should give something like this,


000 interface ipsec0/eth0 172.31.0.10
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES
000 etc etc etc

With ipsec look showing this,


tecra Sun Sep 29 16:12:03 NZST 2001
172.31.0.10/32      -> 0.0.0.0/0      => tun0x1002@172.31.0.1 esp0x7e9978be@172.31.0.1  (0)
ipsec0->eth0 mtu=16260(1500)->1500

etc
etc

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.0.1      128.0.0.0       UG       40 0          0 ipsec0
128.0.0.0       172.31.0.1      128.0.0.0       UG       40 0          0 ipsec0
172.31.0.0      0.0.0.0         255.255.0.0     U        40 0          0 eth0
172.31.0.0      0.0.0.0         255.255.0.0     U        40 0          0 ipsec0


and route -n shows,

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
172.31.0.0      0.0.0.0         255.255.0.0     U     0      0        0 ipsec0
0.0.0.0         172.31.0.1      128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       172.31.0.1      128.0.0.0       UG    0      0        0 ipsec0

The ip route commands tried earlier should now show ipsec0 as well, eg ip route list table main,

172.31.0.0/16 dev eth0  proto kernel  scope link  src 172.31.0.10 
172.31.0.0/16 dev ipsec0  proto kernel  scope link  src 172.31.0.10 
0.0.0.0/1 via 172.31.0.1 dev ipsec0 
128.0.0.0/1 via 172.31.0.1 dev ipsec0 

ip route show,

172.31.0.0/16 dev eth0  proto kernel  scope link  src 172.31.0.10 
172.31.0.0/16 dev ipsec0  proto kernel  scope link  src 172.31.0.10 
0.0.0.0/1 via 172.31.0.1 dev ipsec0 
128.0.0.0/1 via 172.31.0.1 dev ipsec0 

ip address show,

1: lo:  mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: tunl0@NONE:  mtu 1480 qdisc noop 
    link/ipip 0.0.0.0 brd 0.0.0.0
3: ipsec0:  mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:10:5a:6a:b4:f9 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.10/16 brd 172.31.255.255 scope global ipsec0
4: ipsec1:  mtu 0 qdisc noop qlen 10
    link/ipip 
5: ipsec2:  mtu 0 qdisc noop qlen 10
    link/ipip 
6: ipsec3:  mtu 0 qdisc noop qlen 10
    link/ipip 
9: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:6a:b4:f9 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.10/16 brd 172.31.255.255 scope global eth0
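To see why the routes above look the way they do, here is an added Python example (not part of the original notes) that parses ip route show output and checks that KLIPS has installed rightsubnet=0.0.0.0/0 as the two /1 halves into ipsec0, that the peer itself is still reached over eth0, and that a handful of constructed outside addresses would not leave in the clear. Both route dumps are constructed: the first copies the working output above, the second models the laptop before the tunnel is up; all function names are my own.

```python
"""Check from 'ip route show' output that KLIPS steers everything but the peer
into ipsec0. Added example, not from the original notes; both route dumps are
constructed (the first copies the working output shown above)."""
from __future__ import annotations

import ipaddress

TUNNEL_UP = """\
172.31.0.0/16 dev eth0  proto kernel  scope link  src 172.31.0.10
172.31.0.0/16 dev ipsec0  proto kernel  scope link  src 172.31.0.10
0.0.0.0/1 via 172.31.0.1 dev ipsec0
128.0.0.0/1 via 172.31.0.1 dev ipsec0
"""
# The same laptop before the tunnel comes up: a plain default route over wi-fi.
TUNNEL_DOWN = """\
172.31.0.0/16 dev eth0  proto kernel  scope link  src 172.31.0.10
default via 172.31.0.1 dev eth0
"""
# Constructed outside destinations that must only ever leave via the tunnel.
SAMPLES = ("192.0.2.10", "198.51.100.7", "203.0.113.250", "10.9.8.7")


def parse_ip_route(text: str) -> list[tuple]:
    """Turn 'ip route show' lines into (network, device, gateway-or-None)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def route_for(addr: str, routes: list[tuple]) -> tuple | None:
    """Longest-prefix match; on equal prefix length the earlier entry wins
    (a simplification of the kernel's lookup, good enough for this table)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in routes:
        if ip in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def tunnel_report(text: str, tun_dev: str = "ipsec0", peer: str = "172.31.0.1") -> dict:
    """Report whether all traffic enters tun_dev while the peer stays outside it."""
    routes = parse_ip_route(text)
    # rightsubnet=0.0.0.0/0 is installed as two /1 halves rather than a new
    # default route: a /1 beats any existing /0 without having to remove it.
    halves = {r[0] for r in routes if r[1] == tun_dev and r[0].prefixlen == 1}
    # The encrypted ESP packets themselves are addressed to the peer, so the
    # peer must still be reached over the real nic, never via the tunnel.
    peer_route = route_for(peer, routes)
    leaks = []
    for ip in SAMPLES:
        r = route_for(ip, routes)
        if r is None or r[1] != tun_dev:
            leaks.append(ip)            # would leave in the clear
    return {
        "split_default": len(halves) == 2,
        "peer_outside_tunnel": peer_route is not None and peer_route[1] != tun_dev,
        "leaks": leaks,
    }
```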

IPTABLES - authentication

You will need a few lines, the first one,

iptables -A INPUT -p udp --dport 500 -j ACCEPT

allows the IKE exchange (where the RSA authentication takes place) to happen; the next two rules allow the actual tunnel traffic, ESP (protocol 50) and AH (protocol 51), in,

iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT

Use them on each side; these will allow ssh, telnet, www, smtp and pop/imap.

Note these 3 lines are not terribly secure by themselves, as they are not very specific (they accept from any source address), however for a dynamic IP situation we may not be able to do any better (but remember the authentication string is simply huge). I need to tighten them up a bit if I can!

IPTABLES - IPSEC - laptop

#!/bin/bash
#iptables firewall script
#rev 2 17/06/01
#rev 3 20/11/01 ipsec input rules added and tightened
#rev 4 8/12/01 Rule to allow netbios over ipsec added.
#rev 5 8/12/01 tidy up some unclean & invalid etc with rules
#rev6 28/9/2002 laptop script


#flush rules so we can reload easy
iptables -F
iptables -X
iptables -Z
echo "flushing old rules"

#start ip_forwarding
#started in /etc/network/options 

#set constants
outer_nic="eth0"
rh_fwall="172.31.0.1"
echo "firewall constants setup"

#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
#irc module
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe 
echo "started connection tracking"

#individual port forwarding
echo "no portfw started"
#echo "portfw started"

#forward rules
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#ipsec rule for NETBIOS/SAMBA over the tunnel
iptables -A FORWARD -i ipsec0 -j ACCEPT
#clean up a bad syn which needs a specific rule
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#clean these up as well
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m unclean -j DROP
#Final default policy
#iptables -P FORWARD ACCEPT
iptables -P FORWARD DROP
echo "FORWARD rules now in place"

#INPUT rules
#specific ipsec lines
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
echo "ipsec rules in place"

#general
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $outer_nic -j ACCEPT
iptables -A INPUT -i ipsec0 -j ACCEPT
#allow ping replies (may not be desired)
#iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT

#me playing below with icmp
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

iptables -P INPUT DROP
#iptables -P INPUT ACCEPT
echo "INPUT rules now in place"

#limit logging levels to save clutter and /var from being swamped
#iptables -A FORWARD -m limit --limit 3/m -j LOG
#iptables -A FORWARD -j LOG
echo "log limiting in place"

#specific defence rules eg DoS attacks
#NB: -m limit with no --limit defaults to 3/hour (burst 5), and a rule with
#no -j target only counts its matches; forwarded packets that match nothing
#above still fall through to the DROP policy set earlier
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit
echo "DoS defences setup"

exit

Firewall /etc/ipsec.conf

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.



# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	#ssj interfaces=%defaultroute
	interfaces="ipsec0=eth1"
	#Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes



# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	#ssj leftrsasigkey=%dns
	#ssj rightrsasigkey=%dns



# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
#ssj	left=%defaultroute
#ssj	right=%opportunistic
#ssj	keylife=1h
#ssj    rekey=no
	# uncomment this next line to enable it
	#auto=route



# sample VPN connection
#conn sample
conn wifi
	# Left security gateway, subnet behind it, next hop toward right.
	leftid=@tecra.thing.dyndns.org
	leftrsasigkey=0sAQOl6V1mY............
	left=%any
	#ssj leftsubnet=172.31.0.0/16
	#ssj leftnexthop=10.22.33.44
	# Right security gateway, subnet behind it, next hop toward left.
	rightid=@kabuto.thing.dyndns.org
	rightrsasigkey=0sAQO43hL.................
	right=172.31.0.1
	rightsubnet=0.0.0.0/0
	#rightsubnet=192.168.1.0/24
	#ssj rightnexthop=10.101.102.103
	# To authorize this connection, but not actually start it, at startup, 
	#(connection startup is by the laptop) uncomment this.
	auto=add
	#auto=start
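Before going on to the firewall's iptables script, it is worth checking that the laptop conf earlier and this firewall conf describe the same conn from both ends, since a key or id that differs between the two files is the usual reason Pluto refuses to negotiate. The following is an added example, not code from these notes or from FreeS/WAN: a small Python checker for the subset of ipsec.conf used on this page, with constructed copies of the two wifi conns (placeholder key strings) embedded in it; the function names are my own.

```python
"""Cross-check one conn between the laptop's and the firewall's ipsec.conf.
Added example, not from the original notes or FreeS/WAN; the confs below are
constructed after the two files on this page, with placeholder key strings."""
from __future__ import annotations

LAPTOP_CONF = """\
conn %default
\tauthby=rsasig
conn wifi
\tleftid=@tecra.thing.dyndns.org
\tleftrsasigkey=0sAQOl6V1mY-LAPTOP-PUBKEY-PLACEHOLDER
\tleft=%defaultroute
\trightid=@kabuto.thing.dyndns.org
\trightrsasigkey=0sAQO43hL-FIREWALL-PUBKEY-PLACEHOLDER
\tright=172.31.0.1
\trightsubnet=0.0.0.0/0
\tauto=start
"""
# The firewall's copy differs only in left= (laptop address unknown) and auto=.
FIREWALL_CONF = (LAPTOP_CONF.replace("left=%defaultroute", "left=%any")
                 .replace("auto=start", "auto=add"))

# Parameters that must read identically from both ends of a conn.
MUST_MATCH = ("leftid", "rightid", "leftrsasigkey", "rightrsasigkey",
              "authby", "right", "rightsubnet")


def parse_ipsec_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {'conn NAME': {key: value}}; unindented lines open a section."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            sections[current][key.strip()] = val.strip().strip('"')
    return sections


def conn_with_defaults(sections: dict[str, dict[str, str]], name: str) -> dict[str, str]:
    """Lay the named conn over 'conn %default', as Pluto does."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged


def cross_check(conf_a: str, conf_b: str, conn: str) -> list[str]:
    """Return the problems found; an empty list means the peers agree."""
    a = conn_with_defaults(parse_ipsec_conf(conf_a), conn)
    b = conn_with_defaults(parse_ipsec_conf(conf_b), conn)
    problems = [f"{k} differs: {a.get(k)!r} vs {b.get(k)!r}"
                for k in MUST_MATCH if a.get(k) != b.get(k)]
    # Exactly one end initiates (auto=start); the other only loads the conn
    # (auto=add) and waits, because the laptop's address is not known ahead.
    starters = sum(1 for side in (a, b) if side.get("auto") == "start")
    if starters != 1:
        problems.append(f"expected exactly one auto=start side, found {starters}")
    # authby=rsasig needs a public key for each end, inline 0s... or %dns.
    for label, side in (("a", a), ("b", b)):
        for k in ("leftrsasigkey", "rightrsasigkey"):
            if side.get("authby") == "rsasig" and not side.get(k):
                problems.append(f"{label}: authby=rsasig but {k} is missing")
    return problems
```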

IPTABLES - IPSEC - firewall

#!/bin/bash
#iptables firewall script
#17/06/01
#14/5/02 flushing and prerouting logs added, other rules added but not
#27/9/2002 mods for wireless laptop and 3 nics active (hopefully)

#start ip_forwarding
#started in /etc/network/options

# rules below to be tested
# Disable response to ping.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# network. Source routing is rarely used for legitimate purposes.
#/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter
# your routeing tables, possibly to a bad end.
#/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#These 3 lines below allow flushing without a
#reBoot.

iptables -F
iptables -X
iptables -Z
echo "flushed rules"

#set constants
outer_nic="eth0"
wifi_nic1="eth1"
inner_nic2="eth2"
wifiipsec="ipsec0"
wifi_nw1="172.31.0.0/16"
echo "firewall constants setup"
#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
echo "started connection tracking"

#individual port forwarding
echo "no portfw started"

#post routeing rules
iptables -t nat -A POSTROUTING -s $wifi_nw1 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw2 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw2 -d 0.0.0.0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $wifi_nw1 -o $inner_nic2 \
#-j MASQUERADE

#forward rules
#cleartext traffic arriving on the wi-fi nic is never forwarded; only
#traffic that came in through the tunnel (ipsec0) gets through
iptables -A FORWARD -i $wifi_nic1 -j DROP
#iptables -A FORWARD -i $wifi_nic1 -j ACCEPT
iptables -A FORWARD -i $wifiipsec -j ACCEPT
#iptables -A FORWARD -i $inner_nic2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
echo "FORWARD rules now in place"


#INPUT rules
#specific ipsec lines
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
echo "IPSEC rules now in place"
#echo "IPSEC rules not activated"
#general
#iptables -A INPUT -s $inner_fw -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -s $wifi_nw1 -p tcp --syn --dport 22 -j ACCEPT
#iptables -A INPUT -i $wifi_nic1 -p TCP --destination-port 22 -j ACCEPT
#iptables -A INPUT -s $inner_fw -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#NB: this also accepts new connections to the firewall itself arriving in
#cleartext on the wi-fi nic, not just on the inner nic
iptables -A INPUT -m state --state NEW -i ! $outer_nic -j ACCEPT
iptables -A INPUT -i $wifiipsec -j ACCEPT

#allow ping replies (may not be desired)
#iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
#me playing below with icmp
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#to be tested
#iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
#iptables -A INPUT -i $outer_nic -f -j DROP

iptables -P INPUT DROP
echo "INPUT rules now in place"

#output tables are default
#echo "output rules now in place"
#limit logging levels to save clutter and /var from being swamped
#(-m limit with no --limit defaults to 3/hour, burst 5)
iptables -A FORWARD -m limit -j LOG
echo "log limiting in place"

#specific defence rules eg DoS attacks
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \
--limit 1/s -j ACCEPT
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \
--limit 1/s -j ACCEPT
echo "DoS defences setup"

exit

+++++++++++++ignore below this line for now+++++++++++++++++++++30/9/2002~still being written++++++++++++++++++

Testing - IPSEC

We should now be in a position to test the tunnel; it should be up and running. On each side of the tunnel, inside the subnet, there should be a suitable client such as a linux box. Start by trying to ping each other (do not do this on the tunnel/firewall boxes themselves, as this will NOT work); this should work fine. Next try telnet/ssh.

For netbios use ./smbclient -NL servername from a Sun or Linux box.

This will give you an output like this if all is well,

# ./smbclient -NL kasper
added interface ip=172.31.0.16 bcast=172.31.255.255 nmask=255.255.0.0
Got a positive name query response from 172.16.0.16 ( 172.16.0.16 )
Anonymous login successful
Domain=[TEST] OS=[Unix] Server=[Samba 2.0.8]

        Sharename      Type      Comment
        ---------      ----      -------
        homes          Disk      Home Directories
        IPC$           IPC       IPC Service (kasper server (Samba 2.0.8))

        Server               Comment
        ---------            -------
        KASPER               kasper server (Samba 2.0.8)

        Workgroup            Master
        ---------            -------
        TEST                 KASPER

and from the other side,

kasper:~# smbclient -NL katana
added interface ip=172.16.0.16 bcast=172.16.255.255 nmask=255.255.0.0
Anonymous login successful
Domain=[TEST] OS=[Unix] Server=[Samba 2.2.2]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         Disk      IPC Service (Samba Server)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Further tests you can use: on a remote linux/sun client, ./nmblookup kasper should give a reply like,

querying kasper on 172.31.255.255
172.16.0.16 kasper<00>

On an NT4 client try c:\ > net view \\kasper, which should give you a reply something like this,

kasper server < samba 2.0.8 >

Share Name     Type    Used as   Comment

---------------------------------------------------
homes          Disk              Home Directories
thing          Disk              Home Directories
The command completed successfully.

C:\ >

Further reading - IPTABLES

An excellent page for iptables is here, and worth reading



Copyright Thing 5/10/2002 to be used freely without restriction, however if this page is copied to your own web site please drop me a line with the URL - thanks.

This page has been created with help from users on the samba and freeswan mailing lists; their help is gratefully acknowledged.

The Debian logo is a trademark of Debian, who in no way endorse or take responsibility for information on this site.