[strongSwan] IPTables rules for Strongswan gateway on Internet gateway

Willem-Jan Meijer Mon, 30 Nov 2015 05:18:50 -0800

Hello all,

Currently i'm using PPTPD as VPN-server which is working fine, but I want to
migrate to Strongswan IPSec to improve security.


I'll try to describe the situation:

-Debian server acting as internet gateway (router) with services like
iptables apache, postfix, ftp and so on.
        -eth0 is the WAN interface with an external IP-address proivded by
ISP, 92.108.xxx.xxx ($EXTIF, $EXTIP)
        -eth1 is the LAN interface with a static IP-address 192.168.50.1
($INTIF, $INTIP)

Behind eth1 there's a home network with Windows 7 clients which have
IP-addresses assigned by DHCP in the range 192.168.50.100 - 192.168.50.150
Roadwarriors connect to the Debian server. For example. The road warrior
running Windows 7 dials up to "home" and gets an IP-address in the range
192.168.50.234-192.168.238.
When I do ifconfig from the terminal, I see PPTPD bringing up ppp+ tunnel
devices

For PPTPD, I created the following IPTable-rules:


# Accept all packets via ppp* interfaces (for example, ppp0)
$IPTABLES -A INPUT -i ppp+ -j ACCEPT
$IPTABLES -A OUTPUT -o ppp+ -j ACCEPT

# Accept incoming connections to port 1723 (PPTP)
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT

# Accept GRE packets
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

# Enable IP forwarding
$IPTABLES -F FORWARD
$IPTABLES -A FORWARD -j ACCEPT

# Enable NAT for eth0 и ppp* interfaces
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
$IPTABLES -A POSTROUTING -t nat -o ppp+ -j MASQUERADE

With this configuration, roadwarriors are able to communicate with the home
LAN and use shared folders like they are at home, my main purpose of setting
up VPN.

Now i'm setting up Strongswan to achieve the same: LAN-browsing.

I ended up with the next configuration file:

# ipsec.conf - strongSwan IPsec configuration file

config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-
sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp
4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2
56-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-m
odp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,a
es256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
        
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384
-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,a
es256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha
1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp204
8,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-
sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-mo
dp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha
1,aes256-sha384,aes256-sha256,aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        [email protected]
        leftfirewall=yes
        right=%any
        rightsourceip=10.10.10.0/24
        rightsubnet=10.10.10.0/24
        rightdns=192.192.168.50.1
        
conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add

conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2"
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add

In the IPTables script, I added the following lines:

# IPSec connections

$IPTABLES -A INPUT -p UDP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p ESP -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -p 51 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24 -o $EXTIF -m policy --dir
out --pol ipsec -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24 -o $EXTIF -j MASQUERADE

But from here, I get stuck. The road warrior is able to bring up the
connection, however, even a ping from the debian server fails. I suppose the
problem is in my IPTables-script but i'm not an IPTables master. Can someone
point me in the right direction to create the iptables rules to be able to
browse my lan from the road warriors?

Attached you will find the full iptables script and ipsec.conf file

Kind regards,
Willem-Jan Meijer

ï»¿#!/bin/sh
#  
###########################################################################

set -x
DEBUG_LEVEL=INFO

EXTIF="eth0"
EXTIP=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
EXTBROAD=`ifconfig $EXTIF | awk '/inet addr/ { gsub(".*:", "", $3) ; print $3 
}'`
EXTGW=`/sbin/route -n | grep -A 4 UG | awk '{ print $2}'`

echo External IP: $EXTIP
echo External broadcast: $EXTBROAD
echo Default GW: $EXTGW
echo " --- "

INTIF="eth1"
INTIP=`ifconfig $INTIF | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }'`
INT_MASK="`ifconfig $INTIF |grep Mask |cut -d: -f4`"
INTLAN="192.168.50.0/255.255.255.0"

echo Internal Interface: $INTIF
echo Internal IP: $INTIP
echo Internal LAN: $INTLAN
echo " --- "

LOIF="lo"
LOIP="127.0.0.1"

BROADCAST="255.255.255.255"

IPTABLES="`which iptables`"

# /sbin/depmod -a

# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack
# /sbin/modprobe iptable_filter
# /sbin/modprobe iptable_mangle
# /sbin/modprobe iptable_nat
# /sbin/modprobe ipt_LOG
# /sbin/modprobe ipt_limit
# /sbin/modprobe ipt_state

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe nf_conntrack_pptp
/sbin/modprobe nf_nat_pptp

###########################################################################

echo "echo 1 > /proc/sys/net/ipv4/ip_forward" && echo 1 > 
/proc/sys/net/ipv4/ip_forward
echo "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" && echo 1 > 
/proc/sys/net/ipv4/conf/all/rp_filter
echo "echo 1 > /proc/sys/net/ipv4/ip_dynaddr" && echo 1 > 
/proc/sys/net/ipv4/ip_dynaddr

###########################################################################

$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X


$IPTABLES -A INPUT -p ALL -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $INTIF -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT

$IPTABLES -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED -j 
ACCEPT

$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport http -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 631 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 65500:65534 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 995 -j ACCEPT
$IPTABLES -A INPUT -p TCP --syn -s 0/0 --dport 1723 -j ACCEPT

$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -d 224.0.0.0/8 -j DROP


$IPTABLES -A INPUT -d $EXTBROAD -j DROP 
$IPTABLES -A INPUT -d $BROADCAST -j DROP 

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3


$IPTABLES -A FORWARD -i $INTIF -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3


$IPTABLES -A OUTPUT -p ALL -s $LOIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INTIP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $EXTIP -j ACCEPT

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP

# Forward

#$IPTABLES -t nat -A PREROUTING -p TCP -i $EXTIF -d $EXTIP --dport 60000 -j 
DNAT --to 192.168.50.147:60000
#$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF -d $EXTIP --dport 60000 -j 
DNAT --to 192.168.50.147:60000

#$IPTABLES -A FORWARD -p TCP -i $EXTIF -d 192.168.50.147 --dport 60000 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $EXTIF -d 192.168.50.147 --dport 60000 -j ACCEPT

# IPSec connections

$IPTABLES -A INPUT -p UDP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p ESP -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -p 51 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24 -o $EXTIF -m policy --dir out 
--pol ipsec -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.10.10.0/24 -o $EXTIF -j MASQUERADE

# PPTPD test

# Accept all packets via ppp* interfaces
$IPTABLES -A INPUT -i ppp+ -j ACCEPT
$IPTABLES -A OUTPUT -o ppp+ -j ACCEPT

# Accept incoming connections to port 1723 (PPTP)
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT

# Accept GRE packets
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

# Enable IP forwarding
$IPTABLES -F FORWARD
$IPTABLES -A FORWARD -j ACCEPT

# Enable NAT for eth0 and ppp* interfaces
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
$IPTABLES -A POSTROUTING -t nat -o ppp+ -j MASQUERADE

# ipsec.conf - strongSwan IPsec configuration file

config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
        
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=vpnHostCert.pem
        [email protected]
        leftfirewall=yes
        right=%any
        rightsourceip=10.10.10.0/24
        rightsubnet=10.10.10.0/24
        rightdns=192.192.168.50.1
#       rightsourceip=%dhcp
#       rightsubnet=192.168.50.0/24
        
conn IPSec-IKEv2
        keyexchange=ikev2
        auto=add

conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2"
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any
        auto=add

conn CiscoIPSec
        keyexchange=ikev1
        # forceencaps=yes
        rightauth=pubkey
        rightauth2=xauth
        auto=add

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] IPTables rules for Strongswan gateway on Internet gateway

Reply via email to