2004-12-18 21:57:51 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
<article>
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
<title>VPN, Netfilter and Shorewall — The Basics</title>
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<copyright>
|
|
|
|
<year>2004</year>
|
|
|
|
|
2005-08-27 17:46:24 +02:00
|
|
|
<year>2005</year>
|
|
|
|
|
2006-01-20 15:54:57 +01:00
|
|
|
<year>2006</year>
|
|
|
|
|
2004-12-18 21:57:51 +01:00
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
License</ulink></quote>.</para>
|
|
|
|
</legalnotice>
|
|
|
|
</articleinfo>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Gateway-to-gateway traffic vs. Host-to-host traffic.</title>
|
|
|
|
|
|
|
|
<para>The purpose of a <firstterm>Virtual Private Network</firstterm>
|
|
|
|
(VPN) is to provide for secure communication between a set of hosts.
|
|
|
|
Communication between a pair of hosts connected by a VPN occurs in
|
|
|
|
stages:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis role="bold">Local-host-to-local-gateway</emphasis>.
|
|
|
|
This communication is not encrypted; in the case where the traffic
|
|
|
|
originates on the gateway itself, the communication is local to that
|
|
|
|
system.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis
|
|
|
|
role="bold">Local-gateway-to-remote-gateway</emphasis>. This
|
|
|
|
communication is encrypted and can use a tunneling protocol such as
|
|
|
|
GRE, AH or ESP or a standard protocol such as UDP or TCP. Some VPNs
|
|
|
|
use multiple protocols; for example PPTP uses TCP port 1723 and GRE
|
|
|
|
while IPSEC uses UDP port 500 together with ESP or AH.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis role="bold">Remote-gateway-to-remote-host</emphasis>.
|
|
|
|
This is just the unencrypted traffic described in the first item as it
|
|
|
|
is delivered to its destination.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
<para>Of course, one-way communication generally isn't useful so we need
|
|
|
|
traffic in the other direction as well.</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis
|
|
|
|
role="bold">Remote-host-to-remote-gateway</emphasis>.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis
|
|
|
|
role="bold">Remote-gateway-to-local-gateway</emphasis>.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis
|
|
|
|
role="bold">Local-gateway-to-local-host</emphasis>.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Relationship to Netfilter</title>
|
|
|
|
|
|
|
|
<para>When Netfilter is configured on a VPN gateway, each VPN packet goes
|
|
|
|
through Netfilter twice! Let's first consider outbound traffic:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis role="bold">Local-host-to-local-gateway</emphasis>.
|
|
|
|
This traffic has a source address in the local network or on the
|
|
|
|
gateway itself. The destination IP address is that of a remote host;
|
2005-05-28 01:34:33 +02:00
|
|
|
either the remote gateway itself or a host behind that gateway.</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para><emphasis
|
|
|
|
role="bold">Local-gateway-to-remote-gateway.</emphasis> This
|
|
|
|
(encrypted) traffic has a source IP address on the gateway and is
|
|
|
|
addressed to the remote gateway.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
<para>Incoming traffic is similar.</para>
|
2006-01-20 15:54:57 +01:00
|
|
|
|
|
|
|
<graphic align="center" fileref="images/VPNBasics.png" />
|
2004-12-18 21:57:51 +01:00
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>What does this mean with Shorewall?</title>
|
|
|
|
|
2005-05-28 01:34:33 +02:00
|
|
|
<para>When Shorewall is installed on a VPN gateway system, it categorizes
|
2004-12-18 21:57:51 +01:00
|
|
|
the VPN-related traffic slightly differently:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><emphasis role="bold">Local-host-to-remote-host</emphasis> —
|
|
|
|
same as <emphasis role="bold">Local-host-to-local-gateway</emphasis>
|
2004-12-18 21:57:51 +01:00
|
|
|
above.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><emphasis
|
|
|
|
role="bold">Local-gateway-to-remote-gateway</emphasis>.</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><emphasis
|
|
|
|
role="bold">Remote-gateway-to-local-gateway</emphasis>.</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><emphasis role="bold">Remote-host-to-local-host</emphasis> —
|
|
|
|
same as <emphasis role="bold">Local-gateway-to-local-host</emphasis>
|
2004-12-18 21:57:51 +01:00
|
|
|
above.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
<para>Shorewall implements a set of features for dealing with VPN.</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>The <filename>/etc/shorewall/tunnels</filename> file. This file
|
|
|
|
is used to define remote gateways and the type of encrypted traffic
|
|
|
|
that will be passed between the Shorewall system and those remote
|
|
|
|
gateways. In other words, the tunnels file deals with <emphasis
|
|
|
|
role="bold">Local-gateway-to-remote-gateway</emphasis> and <emphasis
|
|
|
|
role="bold">Remote-gateway-to-local-gateway</emphasis> traffic.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The <filename>/etc/shorewall/zones</filename> file. An entry in
|
|
|
|
this file allows you to associated a name with the set of hosts behind
|
|
|
|
the remote gateway (or to the remote gateway itself if it is a
|
|
|
|
standalone system).</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The <filename>/etc/shorewall/interfaces</filename> and
|
|
|
|
<filename>/etc/shorewall/hosts</filename> files. These files are used
|
|
|
|
to associate a set of remote hosts with the zone name defined in
|
|
|
|
<filename>/etc/shorewall/zones</filename>.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The <filename>/etc/shorewall/policy </filename>and
|
|
|
|
<filename>/etc/shorewall/rules files</filename>. These files are used
|
|
|
|
to define the connections that are permitted between the remote and
|
|
|
|
local hosts -- in other words, the <emphasis
|
|
|
|
role="bold">Local-host-to-remote-host</emphasis> and <emphasis
|
|
|
|
role="bold">Remote-host-to-local-host</emphasis> traffic.</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
</section>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<section>
|
|
|
|
<title>Defining Remote Zones</title>
|
|
|
|
|
|
|
|
<para>Most VPN types are implemented using a virtual network device such
|
|
|
|
as pppN (e.g., ppp0), tunN (e.g., tun0), etc. This means that in most
|
|
|
|
cases, remote zone definition is similar to zones that you have already
|
|
|
|
defined.</para>
|
|
|
|
|
2004-12-25 04:13:18 +01:00
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
2004-12-19 17:54:11 +01:00
|
|
|
|
2006-06-28 02:26:27 +02:00
|
|
|
<programlisting>#ZONE TYPE
|
|
|
|
fw firewall
|
|
|
|
net ipv4
|
|
|
|
loc ipv4
|
|
|
|
<emphasis role="bold">rem ipv4</emphasis></programlisting>
|
2004-12-19 17:54:11 +01:00
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
|
|
|
net eth0 detect norft1918,routefilter
|
|
|
|
loc eth1 detect
|
2006-06-28 02:26:27 +02:00
|
|
|
<emphasis role="bold">rem ppp0 192.168.10.0/24</emphasis></programlisting>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Allowing Traffic</title>
|
|
|
|
|
|
|
|
<para>Normally, you will just allow all traffic between your remove
|
|
|
|
client(s) and the local zone. You can do that with a couple of
|
|
|
|
policies:</para>
|
|
|
|
|
|
|
|
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST/LIMIT
|
|
|
|
rem loc ACCEPT
|
|
|
|
loc rem ACCEPT</programlisting>
|
|
|
|
|
|
|
|
<para>Similar policies using $FW rather than 'loc' can permit traffic from
|
|
|
|
the remote clients to/from the firewall.</para>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Different Firewall Policies for Different Remote Systems</title>
|
2004-12-19 17:54:11 +01:00
|
|
|
|
|
|
|
<para>The /etc/shorewall/hosts file comes into play when:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>You have a number of remote networks.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The remote networks have different firewall requirements and you
|
|
|
|
want to divide them into multiple zones.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>There is no fixed relationship between the remote networks and
|
|
|
|
virtual network devices (for example, the VPN uses PPTP and remote
|
|
|
|
gateways connect on demand).</para>
|
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
<para>In this case, your configuration takes the following
|
|
|
|
approach:</para>
|
|
|
|
|
|
|
|
<para><filename>etc/shorewall/zones</filename>:</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE DISPLAY COMMENT
|
|
|
|
net Internet The big bad net
|
|
|
|
loc Local Local LAN
|
2005-10-01 02:36:17 +02:00
|
|
|
<emphasis role="bold">rem1 Remote1 Remote LAN 1
|
|
|
|
rem2 Remote2 Remote LAN 2</emphasis></programlisting>
|
2004-12-19 17:54:11 +01:00
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
|
|
|
net eth0 detect norft1918,routefilter
|
|
|
|
loc eth1 detect
|
2005-10-01 02:36:17 +02:00
|
|
|
<emphasis role="bold">- tun+ -</emphasis></programlisting>
|
2004-12-19 17:54:11 +01:00
|
|
|
|
|
|
|
<para>/etc/shorewall/hosts:</para>
|
|
|
|
|
|
|
|
<programlisting>#ZONE HOST(S) OPTIONS
|
2005-10-01 02:36:17 +02:00
|
|
|
<emphasis role="bold">rem1 tun+:10.0.0.0/24
|
|
|
|
rem2 tun+:10.0.1.0/24</emphasis></programlisting>
|
2004-12-19 17:54:11 +01:00
|
|
|
|
|
|
|
<para>The <filename>/etc/shorewall/hosts</filename> file is also used with
|
2004-12-25 04:13:18 +01:00
|
|
|
<ulink url="IPSEC-2.6.html">kernel 2.6 native IPSEC</ulink>.</para>
|
2004-12-19 17:54:11 +01:00
|
|
|
</section>
|
|
|
|
|
2004-12-18 21:57:51 +01:00
|
|
|
<section>
|
|
|
|
<title>Eliminating the /etc/shorewall/tunnels file</title>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<para>The <filename>/etc/shorewall/tunnels</filename> file provides no
|
|
|
|
functionality that could not be implemented using entries in
|
|
|
|
<filename>/etc/shorewall/rules</filename> and I have elimination of the
|
|
|
|
<filename>/etc/shorewall/tunnels</filename> file as a long-term goal. The
|
|
|
|
following sections show how entries in
|
|
|
|
<filename>/etc/shorewall/tunnels</filename> can be replaced by rules for
|
|
|
|
some common tunnel types.</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>IPSEC</title>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<para>/<filename>etc/shorewall/tunnels</filename>:</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
ipsec Z1 1.2.3.4 Z2</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
|
|
|
# PORT PORT(S)
|
|
|
|
ACCEPT $FW Z1:1.2.3.4 udp 500
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW udp 500
|
|
|
|
ACCEPT $FW Z1:1.2.3.4 50
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW 50
|
|
|
|
ACCEPT $FW Z1:1.2.3.4 51
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW 51
|
|
|
|
ACCEPT $FW Z2:1.2.3.4 udp 500
|
|
|
|
ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
2004-12-25 04:13:18 +01:00
|
|
|
<para>The "noah" option causes the rules for protocol 51 to be
|
2004-12-18 21:57:51 +01:00
|
|
|
eliminated. The "ipsecnat" causes UDP port 4500 to be accepted in both
|
|
|
|
directions. If no GATEWAY ZONE is given then the last two rules above
|
|
|
|
are omitted.</para>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>PPTP</title>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
pptpserver Z1 1.2.3.4</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<para>/<filename>etc/shorewall/rules</filename>:</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
|
|
|
# PORT PORT(S)
|
|
|
|
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW tcp 1723
|
|
|
|
ACCEPT $FW Z1:1.2.3.4 47
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
<para>Tunnel type "pptpclient" simply reverses the direction of the tcp
|
|
|
|
port 1723 rule.</para>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>OpenVPN</title>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
openvpn:P Z1 1.2.3.4</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
2004-12-19 17:54:11 +01:00
|
|
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
2004-12-18 21:57:51 +01:00
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
|
|
|
# PORT PORT(S)
|
|
|
|
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW udp P
|
|
|
|
ACCEPT $FW Z1:1.2.3.4 udp P</programlisting>
|
|
|
|
</blockquote>
|
2005-08-27 17:46:24 +02:00
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
openvpnclient:P Z1 1.2.3.4</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
|
|
|
# PORT PORT(S)
|
|
|
|
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW udp - P
|
|
|
|
ACCEPT $FW Z1:1.2.3.4 udp P</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
|
|
|
openvpnserver:P Z1 1.2.3.4</programlisting>
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
|
|
|
# PORT PORT(S)
|
|
|
|
|
|
|
|
ACCEPT Z1:1.2.3.4 $FW udp P
|
|
|
|
ACCEPT $FW Z1:1.2.3.4 udp - P</programlisting>
|
|
|
|
</blockquote>
|
2004-12-18 21:57:51 +01:00
|
|
|
</section>
|
|
|
|
</section>
|
|
|
|
</article>
|