CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Secure Client, Linux, and ipchains

There are two things you need to do:

1. Get ipmasqadm, ipfwd, and the PPTP patches for the Linux 2.2 kernel, or use a Linux 2.4 kernel. All of these things are detailed at the Linux VPN Masquerade page: ftp://ftp.rubyriver.com/pub/jhardin/..._masq_vpn.html
2. Configure Secure Client and NAT.

Once you've done all this, it is fairly straightforward to enable your system to use SecuRemote securely. These instructions only work with IKE. FWZ with encapsulation is not supported, and FWZ without encapsulation probably won't work since Linux appears to drop FWZ encrypted packets in the bit bucket.

An alternative approach is to use something like Firestarter, which is a GUI frontend for ipchains and ipfilter.

In the following ipchains commands, the following conventions are used:

- fw1-ip is the external IP of your firewall
- client-ip is your SecuRemote Client
- linux-ip is the IP of your Linux host

Due to the nature of this configuration, only one SecuRemote client at a specific IP address is supported.

Note: I am assuming the most paranoid ipchains rules (i.e. only permit that which is required to allow SecuRemote to a specific firewall). It does not include the necessary rules to permit a topology download. This is left as an exercise for the reader. You can use slightly more lax rules if you'd like, though you absolutely need the ipfwd and ipmasqadm commands.

```sh
# Outgoing and incoming rules allowing UDP port 500 packets
/sbin/ipchains -A input -s fw1-ip -d linux-ip 500 -p UDP -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-ip 500 -p UDP -j ACCEPT

# Outgoing and incoming rules allowing IP Protocol 50 packets
/sbin/ipchains -A input -s fw1-ip -d linux-ip -p 50 -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-ip -p 50 -j ACCEPT

# Outgoing UDP Encapsulation packets
/sbin/ipchains -A input -s client-ip -d fw1-ip 2746 -p UDP -j ACCEPT

# Forward rules to MASQ and allow connections outbound
/sbin/ipchains -A forward -s client-ip 500 -p UDP -j MASQ
/sbin/ipchains -A forward -s client-ip -p 50 -j MASQ

# ipmasqadm to pick up port 500 and forward it inside
/usr/sbin/ipmasqadm portfw -a -P udp -L linux-ip 500 -R client-ip 500

# ipfwd to get Protocol 50 packets
/usr/sbin/ipfwd client-ip 50 &
```

With iptables in Linux 2.4, the commands are (ext_if refers to the external interface; iptables chain names are upper case):

```sh
/usr/sbin/iptables -A INPUT -s linux-ip -d fw1-ip -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT -s linux-ip -d fw1-ip -p 50 -j ACCEPT
/usr/sbin/iptables -A INPUT -s fw1-ip -d linux-ip -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT -s fw1-ip -d linux-ip -p udp --dport 2746 -j ACCEPT
/usr/sbin/iptables -A INPUT -s fw1-ip -d linux-ip -p 50 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s linux-ip -d fw1-ip -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o ext_if -j MASQUERADE
```

-- PhoneBoy - 11 Feb 2004

FAQForm FAQs.Class: SmartClientsFAQs FAQs.OS: FAQs.Version:
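The post's "most paranoid" rule set is an allow-list: only IKE (UDP 500), ESP (IP protocol 50) and Check Point's UDP 2746 encapsulation between the named hosts get through, and everything else falls to the chain policy. The following is an added example, not PhoneBoy's code or anything from the CPUG FAQ: a small first-match model of that input chain that lets you check which flows the allow-list admits before loading the rules on a real host. The IP addresses are constructed placeholders from RFC 5737 documentation space, the `Rule`/`Packet` classes and the `evaluate`/`verdicts` functions are this example's own, and the `DENY` policy mirrors the ipchains default-deny the post assumes.

```python
"""Added example (not from the CPUG post): first-match model of the
"paranoid" ipchains input chain, so the allow-list can be sanity-checked
offline. Addresses below are constructed placeholders, not real hosts."""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (RFC 5737 / RFC 1918 space)
FW1_IP = "203.0.113.1"      # fw1-ip: external IP of the Check Point firewall
LINUX_IP = "198.51.100.10"  # linux-ip: external IP of the Linux masq host
CLIENT_IP = "192.168.1.20"  # client-ip: SecuRemote client behind the Linux host

UDP, ESP = "udp", 50        # protocol identifiers used by the rules


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: object           # "udp" or an IP protocol number such as 50 (ESP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: object
    dport: Optional[int]    # destination port; None = any (ESP has no ports)
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src == self.src and pkt.dst == self.dst
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))


# One Rule per "ipchains -A input ... -j ACCEPT" line in the post.
INPUT_CHAIN = [
    Rule(FW1_IP, LINUX_IP, UDP, 500),      # IKE replies from the firewall
    Rule(CLIENT_IP, FW1_IP, UDP, 500),     # IKE from the client (pre-MASQ)
    Rule(FW1_IP, LINUX_IP, ESP, None),     # ESP from the firewall
    Rule(CLIENT_IP, FW1_IP, ESP, None),    # ESP from the client
    Rule(CLIENT_IP, FW1_IP, UDP, 2746),    # Check Point UDP encapsulation
]


def evaluate(pkt: Packet, chain=INPUT_CHAIN, policy: str = "DENY") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def verdicts() -> dict:
    """Constructed sample traffic paired with the verdict the chain gives it."""
    samples = {
        "ike_from_fw1":        Packet(FW1_IP, LINUX_IP, UDP, 500),
        "esp_from_fw1":        Packet(FW1_IP, LINUX_IP, ESP),
        "udp2746_from_client": Packet(CLIENT_IP, FW1_IP, UDP, 2746),
        "ike_from_other_fw":   Packet("203.0.113.99", LINUX_IP, UDP, 500),
        "dns_from_fw1":        Packet(FW1_IP, LINUX_IP, UDP, 53),
        "esp_from_other_host": Packet("203.0.113.99", LINUX_IP, ESP),
    }
    return {name: evaluate(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22} {verdict}")
```

The three flows the post names are accepted and every other sample, including IKE or ESP from a host other than fw1-ip, is denied, which is exactly the "only one client, only one firewall" restriction the post describes. Adding the topology-download rules the post leaves as an exercise would be a matter of appending further `Rule` entries and re-checking the verdicts.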