<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<TITLE>Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=iso-8859-1">
<STYLE TYPE="text/css"><!--
BODY { font-family: serif }
H1 { font-family: sans-serif }
H2 { font-family: sans-serif }
H3 { font-family: sans-serif }
H4 { font-family: sans-serif }
H5 { font-family: sans-serif }
H6 { font-family: sans-serif }
SUB { font-size: smaller }
SUP { font-size: smaller }
PRE { font-family: monospace }
--></STYLE>
<A HREF="toc.html">Contents</A>
<A HREF="background.html">Previous</A>
<A HREF="makecheck.html">Next</A>
<H1><A name="user.examples">FreeS/WAN script examples</A></H1>
<P>This file is intended to hold a collection of user-written example
scripts or configuration files for use with FreeS/WAN.</P>
<P>So far it has only one entry.</P>
<H2><A name="poltorak">Poltorak's Firewall script</A></H2>
<PRE>
From: Poltorak Serguei &lt;poltorak@dataforce.net&gt;
Subject: [Users] Using FreeS/WAN
Date: Tue, 16 Oct 2001
</PRE>
<P>I have been using FreeS/WAN IPsec for half a year. I learned a lot of things about
it and I think it would be interesting for someone to see the result of my
experiments and usage of FreeS/WAN. If you find a mistake in this
file, please e-mail me. And excuse me for my English... I'm learning.. :)</P>
<P>I'll talk about a very simple configuration:</P>
<PRE>
addresses prefix = 192.168

  lan1       sgw1         .0.0/24 (Internet)     sgw2         lan2
.1.0/24---[ .1.1 ; .0.1 ]===================[ .0.10 ; .2.10 ]---.2.0/24
</PRE>
<P>We need to let lan1 see lan2 across the Internet as if it were behind sgw1. The
same for lan2. And we need to do an IPX bridge for Novell Clients and NDS</P>
<PRE>
------------------- ipsec.conf -------------------
        leftsubnet=192.168.1.0/24
        rightsubnet=192.168.2.0/24
--------------- end of ipsec.conf ----------------
</PRE>
<PRE>
ping .2.x from .1.y (y != 1)
</PRE>
<P>It works?? Fine. Let's continue...</P>
<P>Why y != 1 ?? Because the kernel of sgw1 has 2 IP addresses and it will choose
the first IP (which is used to go to the Internet), .0.1, and the packet won't go
through the IPsec tunnel :( But if you ping .1.1 the kernel will respond from
that address (.1.1) and the packet will be tunneled. The same problem occurs when
.2.x sends a packet to .1.2 which is down at the moment. What happens? .1.1
sends ARP requests for .1.2... after 3 tries it sends .2.x a destunreach,
but from its "natural" IP, .0.1. So the error message won't be delivered!</P>
<P>Resolution... One can manipulate ipsec0 or ipsec0:0 to solve the
problem (if ipsec0 has .1.1 the kernel will send packets correctly), but there
is the powerful and elegant iproute2 :) We simply need to change the source address
of packets that go to the other secure LAN. This is done with</P>
<PRE>
ip route replace 192.168.2.0/24 via 192.168.0.10 dev ipsec0 src 192.168.1.1
</PRE>
<P>The second step. We want to install a firewall on sgw1 and sgw2. Encryption of
traffic without security isn't a good idea. I don't use {left|right}firewall,
because I'm running the firewall from init scripts.</P>
<P>We want IPsec data between lan1-lan2, some ICMP errors (destination
unreachable, TTL exceeded, parameter problem and source quench), replies to
pings from both LANs and the Internet, ipxtunnel data for IPX and of course SSH
between sgw1 and sgw2 and from/to one specified host.</P>
<P>I'm using ipchains. With iptables there are some changes.</P>
<PRE>
---------------- rc.firewall ---------------------
#!/bin/sh
# Firewall for IPsec lan1-lan2

# Variables.  Only SGW2_EXT, SGW2_INT and SSH_PEER_HOST survived in this
# excerpt; the other definitions are assumed from the network diagram
# (sgw1 = .0.1 external / .1.1 internal; eth0, eth1 and ipsec0) so that
# the rules below can be run as a script.
IPC=/sbin/ipchains

EXT_IF=eth0
INT_IF=eth1
IPSEC_IF=ipsec0

ANY=0.0.0.0/0
LAN1=192.168.1.0/24
LAN2=192.168.2.0/24

SGW1_EXT=192.168.0.1
SGW1_INT=192.168.1.1
SGW2_EXT=192.168.0.10
SGW2_INT=192.168.2.10

# SSH from and to this host
SSH_PEER_HOST=_SOME_HOST_

# this is for left. exchange these values for right.
MY_EXT=$SGW1_EXT
MY_INT=$SGW1_INT
MY_LAN=$LAN1
PEER_EXT=$SGW2_EXT
PEER_INT=$SGW2_INT
PEER_LAN=$LAN2

# Flush and default-deny (assumed, not preserved in the excerpt): the
# ACCEPT rules below only restrict anything when the chains default to DENY.
$IPC -F
$IPC -P input DENY
$IPC -P output DENY
$IPC -P forward DENY

# loopback
$IPC -A input -i lo -j ACCEPT
$IPC -A output -i lo -j ACCEPT

# for IPsec SGW1-SGW2: IKE (UDP 500) and ESP (IP protocol 50) between the gateways
$IPC -A input -p udp -s $PEER_EXT 500 -d $MY_EXT 500 -i $EXT_IF -j ACCEPT
$IPC -A output -p udp -s $MY_EXT 500 -d $PEER_EXT 500 -i $EXT_IF -j ACCEPT

$IPC -A input -p 50 -s $PEER_EXT -d $MY_EXT -i $EXT_IF -j ACCEPT
### we don't need this line ### $IPC -A output -p 50 -s $MY_EXT -d $PEER_EXT -i $EXT_IF -j ACCEPT

# traffic between lan1 and lan2: forwarded between the LAN and the tunnel,
# and the same packets as they appear on the ipsec0 and internal interfaces
$IPC -A forward -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A forward -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $PEER_LAN -d $MY_LAN -i $INT_IF -j ACCEPT
$IPC -A input -s $PEER_LAN -d $MY_LAN -i $IPSEC_IF -j ACCEPT
$IPC -A input -s $MY_LAN -d $PEER_LAN -i $INT_IF -j ACCEPT
$IPC -A output -s $MY_LAN -d $PEER_LAN -i $IPSEC_IF -j ACCEPT

## ICMP destination unreachable
$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type destination-unreachable -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type destination-unreachable -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## ICMP source quench
$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type source-quench -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type source-quench -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## ICMP parameter problem
$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type parameter-problem -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type parameter-problem -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## Time To Live exceeded
$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_EXT -d $ANY -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $INT_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $INT_IF -j ACCEPT

$IPC -A input -p icmp --icmp-type time-exceeded -s $ANY -d $MY_INT -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp --icmp-type time-exceeded -s $MY_INT -d $ANY -i $IPSEC_IF -j ACCEPT

## answer pings (echo-request in, echo-reply out) on every interface
$IPC -A input -p icmp -s $ANY -d $MY_EXT --icmp-type echo-request -i $EXT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_EXT -d $ANY --icmp-type echo-reply -i $EXT_IF -j ACCEPT

$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $INT_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $INT_IF -j ACCEPT

$IPC -A input -p icmp -s $ANY -d $MY_INT --icmp-type echo-request -i $IPSEC_IF -j ACCEPT
$IPC -A output -p icmp -s $MY_INT -d $ANY --icmp-type echo-reply -i $IPSEC_IF -j ACCEPT

## SSH: "! -y" matches only non-SYN packets, so only the named peer may open a connection
## from SSH_PEER_HOST
$IPC -A input -p tcp -s $SSH_PEER_HOST -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $SSH_PEER_HOST -i $EXT_IF -j ACCEPT

$IPC -A input -p tcp \! -y -s $SSH_PEER_HOST 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $SSH_PEER_HOST 22 -i $EXT_IF -j ACCEPT

## SSH between the two gateways
$IPC -A input -p tcp -s $PEER_EXT -d $MY_EXT 22 -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp \! -y -s $MY_EXT 22 -d $PEER_EXT -i $EXT_IF -j ACCEPT

$IPC -A input -p tcp \! -y -s $PEER_EXT 22 -d $MY_EXT -i $EXT_IF -j ACCEPT
$IPC -A output -p tcp -s $MY_EXT -d $PEER_EXT 22 -i $EXT_IF -j ACCEPT

## ipxtunnel (UDP 2005) between the internal addresses, inside the tunnel only
$IPC -A input -p udp -s $PEER_INT 2005 -d $MY_INT 2005 -i $IPSEC_IF -j ACCEPT
$IPC -A output -p udp -s $MY_INT 2005 -d $PEER_INT 2005 -i $IPSEC_IF -j ACCEPT
---------------- end of rc.firewall ----------------------
</PRE>
<P>To understand this we need to look at this scheme:</P>
<PRE>
            +----------------------------&lt;-----------------------------+
            |                                                          |
            v                                                          |
  eth0  +-------+     /---------/  yes   /---------/  yes   +---------------------+
  -----&gt;| INPUT |----&gt;/ ?local? /-------&gt;/ ?IPsec? /-------&gt;| decrypt decapsulate |
  eth1  +-------+     /---------/        /---------/        +---------------------+
                           | no               | no
                           v                  v
                     +----------+        +---------+        +-------+
                     | routing  |        | local   |        | local |
                     | decision |        | deliver |        | send  |
                     +----------+        +---------+        +-------+
                           |                                    |
                           v                                    v
                      +---------+                          +----------+
                      | forward |                          | routing  |
                      +---------+                          | decision |
                           |                               +----------+
                           |                                    |
            +--------------+-----------------&lt;------------------+
            |
            v
  eth0  +--------+     /---------/  yes   +---------------------+
  &lt;-----| OUTPUT |----&gt;/ ?IPsec? /-------&gt;| encrypt encapsulate |
  eth1  +--------+     /---------/        +---------------------+
            ^                                        |
            +-------------------&lt;--------------------+
</PRE>
<P>This explains how a packet traverses the TCP/IP stack in an IPsec-capable kernel.</P>
<P>FIX ME, please, if there are any errors</P>
<P>Test the new firewall now.</P>
<P>Now about IPX. I tried 3 programs for tunneling IPX: tipxd, SIB and ipxtunnel.
tipxd didn't send packets.. :(
SIB and ipxtunnel worked fine :)
With ipxtunnel there was a little problem. In the sources there is an error.</P>
<PRE>
--------------------- in main.c ------------------------
--------------------------------------------------------
</PRE>
<P>After this FIX everything goes right...</P>
<PRE>
------------------- /etc/ipxtunnel.conf ----------------
remote 192.168.101.97 2005
--------------- end of /etc/ipxtunnel.conf -------------
</PRE>
<P>I use an IPX tunnel between .1.1 and .2.10, so we don't need to encrypt nor
authenticate the encapsulated IPX packets; it is done with IPsec.</P>
<P>If you don't want to use iproute2 to change the source IP you need to use SIB
(it is able to bind a local address) or establish the tunnel between .0.1 and
.0.10 (external IPs, you need to do encryption in the program, but it isn't</P>
<P>For now I'm using ipxtunnel.</P>
<P>I think that's all for the moment. If there are any errors, please e-mail me:
poltorak@df.ru . It would be cool if someone put the scheme of TCP/IP in the
kernel and the firewall example on FreeS/WAN's manual pages.</P>
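<P>The source-address problem the post describes (the gateway answering from .0.1, so the packet never matches the leftsubnet/rightsubnet policy, until <CODE>ip route replace ... src 192.168.1.1</CODE> is applied) can be reproduced with a small model. The following is an added example, not FreeS/WAN code or the poster's script: a longest-prefix-match routing table with the kernel's default source selection (first address of the outgoing device, unless the route carries a <CODE>src</CODE> hint) and the ipsec.conf policy. Addresses follow the lan1/sgw1/sgw2/lan2 diagram; the interface names, the table layout and the helper names are constructed assumptions.</P>

```python
"""Model of the source-address problem described in the post.

Added example (not FreeS/WAN code): a tiny longest-prefix-match routing
table with Linux-style default source selection, plus the ipsec.conf
leftsubnet/rightsubnet policy.  Addresses follow the lan1/sgw1/sgw2/lan2
diagram; interface names and the table layout are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

# sgw1's routing table as the diagram implies: (prefix, device, src hint).
# ipsec0 is FreeS/WAN's virtual device attached to eth0, so it carries the
# external address .0.1 (constructed to match the post's description).
SGW1_ROUTES = [
    ("192.168.1.0/24", "eth1", None),
    ("192.168.0.0/24", "eth0", None),
    ("192.168.2.0/24", "ipsec0", None),    # via 192.168.0.10, no src hint yet
    ("0.0.0.0/0", "eth0", None),
]
SGW1_IFADDRS = {"eth0": ["192.168.0.1"], "eth1": ["192.168.1.1"],
                "ipsec0": ["192.168.0.1"]}
# ipsec.conf: leftsubnet=192.168.1.0/24, rightsubnet=192.168.2.0/24
SGW1_SPD = [("192.168.1.0/24", "192.168.2.0/24")]


def lookup(routes, dst):
    """Longest-prefix match: return (device, src_hint) for dst."""
    best = None
    for prefix, dev, src in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    if best is None:
        raise ValueError("no route to %s" % dst)
    return best[1], best[2]


def pick_source(routes, ifaddrs, dst):
    """Kernel rule modelled here: use the route's src hint if present,
    otherwise the first address configured on the outgoing device."""
    dev, src = lookup(routes, dst)
    return src if src is not None else ifaddrs[dev][0]


def is_tunneled(spd, src, dst):
    """Does the (src, dst) pair match a leftsubnet/rightsubnet policy?"""
    return any(ip_address(src) in ip_network(a) and ip_address(dst) in ip_network(b)
               for a, b in spd)


def locally_generated(routes, ifaddrs, spd, dst):
    """Source address and tunnel decision for a packet sgw1 itself sends
    (a ping from the gateway, or an ICMP error it generates)."""
    src = pick_source(routes, ifaddrs, dst)
    return src, is_tunneled(spd, src, dst)


def with_src_hint(routes, prefix, src):
    """Effect of `ip route replace PREFIX ... src SRC`: same table, with
    the preferred source recorded on that one route."""
    return [(p, d, src if p == prefix else s) for p, d, s in routes]


if __name__ == "__main__":
    # Before: the gateway picks .0.1 and the packet bypasses the tunnel.
    print(locally_generated(SGW1_ROUTES, SGW1_IFADDRS, SGW1_SPD, "192.168.2.7"))
    # After the route fix: .1.1 is used and the policy matches.
    fixed = with_src_hint(SGW1_ROUTES, "192.168.2.0/24", "192.168.1.1")
    print(locally_generated(fixed, SGW1_IFADDRS, SGW1_SPD, "192.168.2.7"))
    # A forwarded lan1 packet was never affected: its source is a lan1 host.
    print(is_tunneled(SGW1_SPD, "192.168.1.25", "192.168.2.7"))
```

<P>The same selection rule governs the ICMP destination-unreachable the post mentions: an error sgw1 generates toward .2.x is sourced by <CODE>pick_source</CODE> too, which is why it leaves in the clear from .0.1 before the route carries a <CODE>src</CODE> hint. Forwarded traffic from lan1 hosts is unaffected either way, which matches the "y != 1" observation.</P>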