Portál AbcLinuxu, 14. července 2025 06:52
Riesim nasledujuci problem s forwardom IPsecu. Siet tvori server(eth0 xxx.xxx.xxx.xxx, wlan0 10.10.10.1) a laptop (wlan0 10.10.10.2). Spojene je to cez wifi prostrednictvom IPsec tools + racoon + x509 certifikaty. Spojenie je OK. Prihlasenie je mozne len s platnym certifikatom.
Problem nastane ak na serveri spustim forwarding a SNAT z wlan0 do eth0 - itranetu. Server uz nevyzaduje sifrovane spojenie a overovanie podla certifikatov. Tj moze sa pripojit kazdy.... 
. Setkey pritom defaultne vytvara poziadavok na autentifikaciu.
ipsec-tools.conf -laptop
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.10.10.2 10.10.10.1 any -P out ipsec
esp/transport//require;
spdadd 10.10.10.1 10.10.10.2 any -P in ipsec
esp/transport//require;
racoon.conf - laptop
path certificate "/etc/racoon/certs";
remote 10.10.10.1
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier_ asn1dn;
verify_cert on;
certificate_type x509 "laptop.public" "laptop.private";
peers_certfile x509 "server.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous
{
lifetime time 30min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
setkey -DP - laptop
10.10.10.1[any] 10.10.10.2[any] any
in ipsec
esp/transport//require
created: Sep 18 18:59:32 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=120 seq=2 pid=3115
refcnt=1
10.10.10.2[any] 10.10.10.1[any] any
out ipsec
esp/transport//require
created: Sep 18 18:59:32 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=113 seq=1 pid=3115
refcnt=1
10.10.10.1[any] 10.10.10.2[any] any
fwd ipsec
esp/transport//require
created: Sep 18 18:59:32 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=130 seq=0 pid=3115
refcnt=1
Ipsec-tools.conf , racoon.conf a setkey -DP pre server su rovnake (ip adresy, certifikaty su prehodene 
). Iptables zrejme urobia forwarding a SNAT pred tym ako IPsec overi spojenie. Ako by sa dalo nastavit aby to robili az po overeni? Alebo mam niekde v konfiguracii chybu?
. Dam tu svoj firewall zo servera a ak budete vediet poradit budem rad....
#!/bin/sh
# Internal interface LAN
INTIF=eth0
# Internal interface WIFI
INTIF1=wlan0
IPT=iptables
IFC=ifconfig
G=grep
SED=sed
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F
$IPT -t nat -P PREROUTING DROP
$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -P OUTPUT DROP
$IPT -t nat -F
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/ip_forward
INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $INTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $INTIP1 -j ACCEPT
# Block broadcasts
$IPT -A INPUT -i $INTIF -d $INTBC -j DROP
$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j DROP
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 161:162 1214 1999 2049 3049 4329 6346 3128
8000 8080 12345 65535"
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp --dport $i -j DROPl
$IPT -A OUTPUT -p tcp --dport $i -j DROPl
$IPT -A FORWARD -p tcp --dport $i -j DROPl
done
echo ""
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp --dport $i -j DROPl
$IPT -A OUTPUT -p udp --dport $i -j DROPl
$IPT -A FORWARD -p udp --dport $i -j DROPl
done
echo ""
TCPSERV="domain http https ftp ftp-data"
UDPSERV="domain"
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $INTIF -p tcp -s $INTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
# $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
# --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $INTIF -p udp -s $INTIP \
--dport $i -m state --state NEW -j ACCEPT
# $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
# --dport $i -m state --state NEW -j ACCEPT
done
echo ""
TCPSAMBA="netbios-ns netbios-dgm netbios-ssn microsoft-ds"
UDPSAMBA="netbios-ns netbios-dgm netbios-ssn microsoft-ds"
echo -n "FW: Allowing inside systems to use SAMBA "
for i in $TCPSAMBA;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p tcp -s $INTNET \
--dport $i --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p tcp -s $INTIP \
--sport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use SAMBA "
for i in $UDPSAMBA;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p udp -s $INTNET \
--dport $i -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p udp -s $INTIP \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""
# IPSEC
echo "Allowing IPsec"
$IPT -A INPUT -i $INTIF1 -p udp --sport 500 --dport 500 -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -p udp --sport 500 --dport 500 -j ACCEPT
$IPT -A INPUT -i $INTIF1 -p 50 -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -p 50 -j ACCEPT
# DHCP
$IPT -A INPUT -i $INTIF -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
# Allow firewall to ping internal systems
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTIP \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTIP1 -j ACCEPT
# Allow ping internal systems to firewall
$IPT -A INPUT -i $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF1 -p icmp -s $INTNET1 \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -t nat -A PREROUTING -j ACCEPT
#$IPT -t nat -A POSTROUTING -o $INTIF -s $INTNET1 -j SNAT --to $INTIP
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
#$IPT -A OUTPUT -o $INTIF1 -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log & block whatever is left
$IPT -A INPUT -j DROPl
$IPT -A OUTPUT -j REJECTl
$IPT -A FORWARD -j DROPl
Zvyraznil som pravidla pre forwarding a NAT. Nech sa v tom vyzna aj niekto iny okrem mna.
Tiskni
Sdílej:
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.