IPSec through Linux firewall

 
 
Jan Rezab
      10-18-2007, 06:11 PM
Hello all.

I am sorry for my English.

I have a problem with IPSec.

I have this scenario:

user comp - \
user comp ---> Linux fw (IPtables, NAT) -> internet -> some VPN server
user comp - /


Users try to connect from the LAN to a VPN server on the internet.

The first user establishes the L2TP VPN correctly and everything works OK.
Other users try to connect to the VPN server, but while the user name and password
are being verified the connection is ended - time out.

Where is the problem?

My fw is Debian GNU/Linux 4.0, kernel 2.6.18

My IPTables:
==================================================================
#!/bin/bash
ipt="/sbin/iptables"
internet="eth0"
lan="eth1"

modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_state
modprobe ipt_limit
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_tables
modprobe ip_gre
modprobe ip_conntrack
modprobe ipt_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_conntrack_tftp

test -x $ipt || exit 0

# Clear the previous iptables configuration.
$ipt --flush
$ipt --flush -t nat
$ipt -X SYN_FLOOD 2>/dev/null   # the chain does not exist yet on the first run
$ipt -Z
$ipt -F

# Set the default policy.
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

# Enable forwarding between the network interfaces.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable protection against IP spoofing.
for interfaces in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > ${interfaces}
done

# Incoming connections. (INPUT)
# Allow everything from localhost.
$ipt -A INPUT -i lo -j ACCEPT

# Enable protection against SYN flooding.
$ipt -N SYN_FLOOD
$ipt -A INPUT -i $internet -p tcp --syn -j SYN_FLOOD
$ipt -A SYN_FLOOD -m limit --limit 1/s --limit-burst 5 -j RETURN
$ipt -A SYN_FLOOD -j DROP

# Allow already established connections.
$ipt -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH on the INTERNET interface (eth0).
$ipt -A INPUT -i $internet -p tcp --dport 22 -j ACCEPT

# Allow SSH on the LAN interface (eth1).
$ipt -A INPUT -i $lan -p tcp --dport 22 -j ACCEPT

# Allow DNS on the LAN (eth1) and INTERNET (eth0) interfaces.
$ipt -A INPUT -i $lan -p udp --dport 53 -j ACCEPT
$ipt -A INPUT -i $internet -p udp --dport 53 -j ACCEPT

# To speed up communication: reject ident (113) instead of dropping it.
$ipt -A INPUT -i $internet -p tcp --dport 113 -j REJECT
$ipt -A INPUT -i $lan -p tcp --dport 113 -j REJECT


# Allow ICMP on the INTERNET interface (eth0).
# $ipt -A INPUT -i $internet -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
# Allow ICMP on the LAN interface (eth1).
$ipt -A INPUT -i $lan -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT


# Outgoing connections. (OUTPUT)
$ipt -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$ipt -A OUTPUT -p ALL -s 10.0.0.1 -j ACCEPT
$ipt -A OUTPUT -p ALL -s xxx.xxx.xxx.xxx -j ACCEPT
$ipt -A OUTPUT -m limit --limit 3/hour --limit-burst 5 -j LOG

# Forwarding. (FORWARD)

# Allow PPTP from the internet.
$ipt -A FORWARD -i $internet -p gre -d 10.0.0.2 -j ACCEPT
$ipt -A FORWARD -i $internet -p tcp -d 10.0.0.2 --dport 1723 -j ACCEPT
# $ipt -A FORWARD -i $internet -p tcp -d 10.0.0.2 --dport 500 -j ACCEPT

# Allow LAN access to the internet.
$ipt -A FORWARD -i $lan -o $internet -j ACCEPT

# Allow SMTP from the internet.
$ipt -A FORWARD -i $internet -p tcp -d 10.0.0.2 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow POP3 from the internet.
# $ipt -A FORWARD -i $internet -p tcp -d 10.0.0.2 --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow HTTPS (OWA) from the internet.
$ipt -A FORWARD -i $internet -p tcp -d 10.0.0.2 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow already established connections from the internet into the local network.
$ipt -A FORWARD -i $internet -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerading (NAT).
$ipt -t nat -A POSTROUTING -o $internet -j SNAT --to-source xxx.xxx.xxx.xxx
$ipt -t nat -A PREROUTING -p tcp --dport 25 -i $internet -j DNAT --to 10.0.0.2
$ipt -t nat -A PREROUTING -p tcp --dport 443 -i $internet -j DNAT --to 10.0.0.2
$ipt -t nat -A PREROUTING -p tcp --dport 1723 -i $internet -j DNAT --to 10.0.0.2
$ipt -t nat -A PREROUTING -p gre -i $internet -j DNAT --to 10.0.0.2
==================================================================

Thanks in advance

Jan
 
Allen Kistler
      10-19-2007, 07:13 PM
Jan Rezab wrote:
> Hello all.
>
> I am sorry for my English.
>
> I have a problem with IPSec.
>
> I have this scenario:
>
> user comp - \
> user comp ---> Linux fw (IPtables, NAT) -> internet -> some VPN server
> user comp - /
>
>
> Users try to connect from the LAN to a VPN server on the internet.
>
> The first user establishes the L2TP VPN correctly and everything works OK.
> Other users try to connect to the VPN server, but while the user name and password
> are being verified the connection is ended - time out.
>
> Where is the problem?
>
> My fw is Debian GNU/Linux 4.0, kernel 2.6.18
>
> [snip]


You need to use an IPsec client and server that encapsulate ESP in UDP
to support NAT.
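A simplified model of the firewall's SNAT/conntrack table, showing why plain ESP (IP protocol 50) lets only the first LAN client work while UDP-encapsulated ESP (NAT-T on UDP 4500) gives every client its own mapping. This is an added example, not code from the thread or from any IPsec implementation; the LAN hosts, the VPN server address and the public IP are constructed placeholders.

```python
# Added example, not from the thread: constructed addresses, placeholder public IP.
from dataclasses import dataclass

ESP, UDP = 50, 17
NAT_PUBLIC_IP = "203.0.113.1"   # stands in for the post's xxx.xxx.xxx.xxx

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # ESP carries no ports; only UDP/TCP do
    dport: int = 0

class SnatBox:
    """Source NAT that keys replies the way conntrack does: on the 5-tuple."""
    def __init__(self):
        self.next_port = 40000
        self.reply_map = {}   # reply 5-tuple -> original LAN source

    def outbound(self, pkt):
        """Rewrite a LAN->internet packet; return what the VPN server sees."""
        if pkt.proto == UDP:
            sport = self.next_port          # a fresh public port per LAN flow
            self.next_port += 1
            out = Packet(UDP, NAT_PUBLIC_IP, pkt.dst, sport, pkt.dport)
        else:
            # ESP: only the address can change, so every LAN host talking
            # to the same server collapses onto one and the same reply tuple.
            out = Packet(pkt.proto, NAT_PUBLIC_IP, pkt.dst)
        key = (out.proto, out.dst, out.src, out.dport, out.sport)
        self.reply_map.setdefault(key, pkt.src)   # first mapping wins
        return out

    def inbound(self, pkt):
        """Map a server->NAT packet back to a LAN host (None if unknown)."""
        return self.reply_map.get((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))

def demo(proto):
    """Two LAN hosts connect to one VPN server; return which host each reply reaches."""
    nat, server, reached = SnatBox(), "198.51.100.7", []
    for host in ("10.0.0.10", "10.0.0.11"):
        if proto == UDP:   # NAT-T: ESP encapsulated in UDP 4500
            sent = nat.outbound(Packet(UDP, host, server, 4500, 4500))
            reply = Packet(UDP, server, sent.src, 4500, sent.sport)
        else:              # plain ESP (IP protocol 50)
            sent = nat.outbound(Packet(ESP, host, server))
            reply = Packet(ESP, server, sent.src)
        reached.append(nat.inbound(reply))
    return reached   # UDP: each host gets its reply; ESP: the first host gets both
```

With ESP the second client's replies land on the first client's mapping, which is the "user name and password verified, then time out" symptom from the post; with NAT-T the distinct UDP source ports keep the two tunnels apart.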
 