3 <meta http-equiv=
"Content-Type" content=
"text/html">
4 <title>Quick FreeS/WAN installation and configuration
</title>
6 content=
"Linux, IPsec, VPN, security, FreeSWAN, installation, quickstart">
9 Written by Sandy Harris for the Linux FreeS/WAN project
10 Revised by Claudia Schmeing for same
11 Freely distributable under the GNU General Public License
13 More information at www.freeswan.org
14 Feedback to users@lists.freeswan.org
16 RCS ID: $Id: quickstart-firewall.html,v 1.1 2004/03/15 20:35:24 as Exp $
17 Last changed: $Date: 2004/03/15 20:35:24 $
18 Revision number: $Revision: 1.1 $
20 CVS revision numbers do not correspond to FreeS/WAN release numbers.
24 <H1><A name=
"quick_firewall">FreeS/WAN quick start on firewalling
</A></H1>
25 <P>This firewalling information supplements our
26 <A HREF=
"quickstart.html#quick_guide">quickstart guide.
</A></P>
27 <P>It includes tips for firewalling:
</P>
29 <LI><A HREF=
"#firewall.standalone">a standalone system with initiator-only
31 <LI><A HREF=
"#incoming.opp.firewall">incoming opportunistic connections
</A></LI>
32 <LI><A HREF=
"#opp.gate.firewall">an opportunistic gateway
</A></LI>
34 <P>and a list of helpful
<A HREF=
"#resources">resources
</A>.
</P>
35 <H2><A name=
"firewall.standalone">Firewalling a standalone system
</A></H2>
36 <P>Firewall rules on a standalone system doing IPsec can be very simple.
</P>
37 <P>The first step is to allow IPsec packets (IKE on UDP port
500 plus
38 ESP, protocol
50) in and out of your gateway. A script to set up
39 iptables(
8) rules for this is:
</P>
40 <PRE># edit this line to match the interface you use as default route
41 # ppp0 is correct for many modem, DSL or cable connections
42 # but perhaps not for you
48 iptables -A INPUT -p udp -i $world --sport
500 --dport
500 -j ACCEPT
49 iptables -A OUTPUT -p udp -o $world --sport
500 --dport
500 -j ACCEPT
50 # ESP encryption and authentication
51 iptables -A INPUT -p
50 -i $world -j ACCEPT
52 iptables -A OUTPUT -p
50 -o $world -j ACCEPT
</PRE>
53 <P>Optionally, you could restrict this, allowing these packets only to
54 and from a list of known gateways.
</P>
55 <P>A second firewalling step -- access controls built into the IPsec
56 protocols -- is automatically applied:
</P>
58 <DT><A href=
"glossary.html#Pluto">Pluto
</A> -- the FreeS/WAN keying
59 daemon -- deals with the IKE packets.
</DT>
60 <DD>Pluto authenticates its partners during the IKE negotiation, and
61 drops negotiation if authentication fails.
</DD>
62 <DT><A href=
"glossary.html#KLIPS">KLIPS
</A> -- the FreeS/WAN kernel
63 component -- handles the ESP packets.
</DT>
66 <DT>KLIPS drops outgoing packets
</DT>
67 <DD>if they are routed to IPsec, but no tunnel has been negotiated for
69 <DT>KLIPS drops incoming unencrypted packets
</DT>
70 <DD>if source and destination addresses match a tunnel; the packets
71 should have been encrypted
</DD>
72 <DT>KLIPS drops incoming encrypted packets
</DT>
73 <DD>if source and destination address do not match the negotiated
74 parameters of the tunnel that delivers them
</DD>
75 <DD>if packet-level authentication fails
</DD>
79 <P>These errors are logged. See our
<A href=
"trouble.html">
80 troubleshooting
</A> document for details.
</P>
81 <P>As an optional third step, you may wish to filter packets emerging from
82 your opportunistic tunnels.
83 These packets arrive on an interface such as
<VAR>ipsec0
</VAR>, rather than
84 <VAR>eth0
</VAR>,
<VAR>ppp0
</VAR> or whatever. For example, in an iptables(
8)
85 rule set, you would use:
</P>
87 <DT><VAR>-i ipsec+
</VAR></DT>
88 <DD>to specify packets arriving on any ipsec device
</DD>
89 <DT><VAR>-o ipsec+
</VAR></DT>
90 <DD>to specify packets leaving via any ipsec device
</DD>
92 <P>In this way, you can apply whatever additional filtering you like to these
94 <P>The packets emerging on
<VAR>ipsec0
</VAR> are likely
95 to be things that a client application on your machine requested: web
96 pages, e-mail, file transfers and so on. However, any time you initiate
97 an opportunistic connection, you open a two-way connection to
98 another machine (or network). It is conceivable that a Bad Guy there
99 could take advantage of your link.
</P>
100 <P>For more information, read the next section.
</P>
102 <H2><A name=
"incoming.opp.firewall">Firewalling incoming opportunistic
104 <P>The basic firewalling for IPsec does not change when you support
105 incoming connections as well as connections you initiate. You must
106 still allow IKE (UDP port
500) and ESP (protocol
50) packets to and
107 from your machine, as in the rules given
<A href=
"#firewall.standalone">
109 <P>However, there is an additional security concern when you allow
110 incoming opportunistic connections. Incoming opportunistic packets
111 enter your machine via an IPSec tunnel. That is, they all appear as
112 ESP (protocol
50) packets, concealing whatever port and protocol
113 characteristics the packet within the tunnel has. Contained
114 in the tunnel as they pass through
<VAR>ppp0
</VAR> or
<VAR>eth0
</VAR>,
115 these packets can bypass your usual firewall rules on these interfaces.
116 <P>Consequently, you will want to firewall your
<VAR>ipsec
</VAR> interfaces
117 the way you would any publicly accessible interface.
</P>
118 <P>A simple way to do this is to create one iptables(
8) table with
119 all your filtering rules for incoming packets, and apply the entire table to
120 all public interfaces, including
<VAR>ipsec
</VAR> interfaces.
</P>
122 <H2><A name=
"opp.gate.firewall">Firewalling for opportunistic gateways
</A></H2>
123 <P>On a gateway, the IPsec-related firewall rules applied for input and
124 output on the Internet side are exactly as shown
125 <A HREF=
"#firewall.standalone">above
</A>. A gateway
126 exchanges exactly the same things -- UDP
500 packets and IPsec packets
127 -- with other gateways that a standalone system does, so it can use
128 exactly the same firewall rules as a standalone system would.
</P>
129 <P>However, on a gateway there are additional things to do:
</P>
131 <LI>you have other interfaces and need rules for them
</LI>
132 <LI>packets emerging from ipsec processing must be correctly forwarded
</LI>
134 <P>You need additional rules to handle these things. For example, adding
135 some rules to the set shown above we get:
</P>
136 <PRE># edit this line to match the interface you use as default route
137 # ppp0 is correct for many modem, DSL or cable connections
138 # but perhaps not for you
141 # edit these lines to describe your internal subnet and interface
142 localnet=
42.42.42.0/
24
148 iptables -A INPUT -p udp -i $world --sport
500 --dport
500 -j ACCEPT
149 iptables -A OUTPUT -p udp -o $world --sport
500 --dport
500 -j ACCEPT
150 # ESP encryption and authentication
151 iptables -A INPUT -p
50 -i $world -j ACCEPT
152 iptables -A OUTPUT -p
50 -o $world -j ACCEPT
154 # packet forwarding for an IPsec gateway
155 # simplest possible rules
156 $ forward everything, with no attempt to filter
158 # handle packets emerging from IPsec
159 # ipsec+ means any of ipsec0, ipsec1, ...
160 iptables -A FORWARD -d $localnet -i ipsec+ -j ACCEPT
161 # simple rule for outbound packets
162 # let local net send anything
163 # IPsec will encrypt some of it
164 iptables -A FORWARD -s $localnet -i $internal -j ACCEPT
</PRE>
165 <P>On a production gateway, you would no doubt need tighter rules than
167 <H2><A NAME=
"resources">Firewall resources
</A></H2>
168 <P>For more information, see these handy resources:
</P>
170 <LI><A href=
"http://www.netfilter.org/documentation/">netfilter
171 documentation
</A></LI>
174 <LI>Cheswick and Bellovin,
<A href=
"biblio.html#firewall.book">Firewalls
175 and Internet Security
</A></LI>
176 <LI>Zeigler,
<A href=
"biblio.html#Zeigler">Linux Firewalls
</A>,
</LI>
179 <LI><A href=
"firewall.html#firewall">our firewalls document
</A></LI>
180 <LI><A href=
"web.html#firewall.web">our firewall links
</A></LI>
182 <A HREF=
"quickstart.html#quick.firewall">Back to our quickstart guide.
</A>
projects / people / ms / strongswan.git / blob