> Hi,
> I am configuring a Linux box as a firewall and router using Shorewall.
> I ran into the following problem with the firewall rules:
>
> The system works as a router; forwarded ICMP redirect packets get
> rejected, and some of the ipsec0 traffic gets rejected.
>
>
> NIC configuration:
> 192.168.99.0/24 eth0 loc
> 172.16.0.0/16 eth1 loc
> x.x.x.x/27 eth2 net
>
> 10.100.0.0/24
> ipsec0
> -----------------------------------------------Netscreen25
> 192.168.100.0/24
>
> o-------------------------------------------o two right-subnets
>
> Two tunnels were created between the two devices, each going to the
> corresponding private subnet on the Netscreen side.
> The Zebra daemon is running on the Linux box.
> To get it to work I had to add the following to the generated
> iptables rules in /etc/shorewall/start:
>
> Zebra:
> iptables -A eth1_fwd -o eth1 -j ACCEPT
> iptables -A eth0_fwd -o eth0 -j ACCEPT
> iptables -A ipsec0_fwd -i eth0 -o ipsec0 -j ACCEPT
> iptables -A ipsec0_fwd -i eth1 -o ipsec0 -j ACCEPT
>
> to get the ipsec0 routing to the 10.100.0.0/24:
>
> iptables -A ipsec0_fwd -i ipsec0 -o eth1 -j ACCEPT
> iptables -A ipsec0_fwd -i ipsec0 -o eth0 -j ACCEPT
> Log file of the failed packets:
>
> Jul 5 16:51:59 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth0 SRC=10.100.0.5 DST=192.168.99.5 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=4352 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43534
> Jul 5 16:52:04 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth0 SRC=10.100.0.5 DST=192.168.99.5 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=4374 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43790
> Jul 5 16:53:04 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth0 SRC=10.100.0.5 DST=192.168.99.5 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=4595 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45582
> Jul 5 16:53:08 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth0 SRC=10.100.0.5 DST=192.168.99.5 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=4605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45838
>
> Jul 5 17:16:47 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth1 SRC=10.100.0.5 DST=172.16.50.10 LEN=84 TOS=0x00 PREC=0x00 TTL=126 ID=6314 DF PROTO=ICMP TYPE=0 CODE=0 ID=53042 SEQ=12
> Jul 5 17:16:48 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth1 SRC=10.100.0.5 DST=172.16.50.10 LEN=84 TOS=0x00 PREC=0x00 TTL=126 ID=6315 DF PROTO=ICMP TYPE=0 CODE=0 ID=53042 SEQ=13
> Jul 5 17:16:49 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth1 SRC=10.100.0.5 DST=172.16.50.10 LEN=84 TOS=0x00 PREC=0x00 TTL=126 ID=6318 DF PROTO=ICMP TYPE=0 CODE=0 ID=53042 SEQ=14
> Jul 5 17:16:50 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth1 SRC=10.100.0.5 DST=172.16.50.10 LEN=84 TOS=0x00 PREC=0x00 TTL=126 ID=6319 DF PROTO=ICMP TYPE=0 CODE=0 ID=53042 SEQ=15
> Jul 5 17:16:51 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth1 SRC=10.100.0.5 DST=172.16.50.10 LEN=84 TOS=0x00 PREC=0x00 TTL=126 ID=6321 DF PROTO=ICMP TYPE=0 CODE=0 ID=53042 SEQ=16
>
> Jul 5 15:00:37 fw1 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ipsec0 SRC=172.16.50.70 DST=10.100.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=26559 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=22604
> Jul 5 15:00:38 fw1 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ipsec0 SRC=172.16.50.70 DST=10.100.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=26565 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=22860
> Jul 5 15:00:39 fw1 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ipsec0 SRC=172.16.50.70 DST=10.100.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=26569 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=23116
>
> Is it possible to add these options within the main Shorewall framework
> without these hacks?
> Any help is appreciated.
> Thanks
>
Sounds like ipsec0 is not defined in shorewall interfaces, which allows you to
attach a zone to the interface. Now all you need is a policy and maybe some
rules for traffic to/from this zone to any other zone. Can you post the config
files and say which kernel you are running?
More info at:
http://www.shorewall.net/IPSEC.htm
http://www.shorewall.net/IPSEC-2.6.html
Jerry
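As an added example (not from this thread or from Shorewall itself), a small Python script that parses netfilter/Shorewall REJECT log lines like the ones quoted above, counts rejected flows per (IN, OUT, PROTO) and flags interfaces that show up in rejected traffic but are bound to no zone. The interface-to-zone map is an assumption taken from the quoted NIC listing, with ipsec0 deliberately absent, which is the misconfiguration the reply points at; the sample lines are three entries from the quoted log.

```python
import re
from collections import Counter

# Constructed sample: three REJECT entries taken from the quoted log, one per interface pair.
SAMPLE_LOG = """\
Jul 5 16:51:59 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth0 SRC=10.100.0.5 DST=192.168.99.5 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=4352 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=43534
Jul 5 17:16:47 fw1 kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth1 SRC=10.100.0.5 DST=172.16.50.10 LEN=84 TOS=0x00 PREC=0x00 TTL=126 ID=6314 DF PROTO=ICMP TYPE=0 CODE=0 ID=53042 SEQ=12
Jul 5 15:00:37 fw1 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ipsec0 SRC=172.16.50.70 DST=10.100.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=26559 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=22604
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse_line(line):
    """Return a dict of chain, disposition and packet fields, or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)   # "ID" appears twice (IP header, then ICMP echo); keep the IP one
        else:
            fields[tok] = True        # bare flags such as DF
    return {"chain": m.group("chain"), "disp": m.group("disp"), **fields}

def summarize(log_text):
    """Count rejected flows per (IN, OUT, PROTO) so the missing zone-to-zone policy stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["disp"] == "REJECT":
            counts[(rec["IN"], rec["OUT"], rec["PROTO"])] += 1
    return counts

# Assumed interface-to-zone map from the NIC listing in the post; ipsec0 has no zone, which is the bug.
IFACE_ZONE = {"eth0": "loc", "eth1": "loc", "eth2": "net"}

def unzoned_interfaces(counts, iface_zone=IFACE_ZONE):
    """Interfaces seen in rejected flows that are not bound to any Shorewall zone."""
    seen = {iface for (inp, out, _proto) in counts for iface in (inp, out)}
    return sorted(iface for iface in seen if iface not in iface_zone)

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (inp, out, proto), n in counts.items():
        print(f"{inp} -> {out} {proto}: {n} rejected")
    print("interfaces without a zone:", unzoned_interfaces(counts))
```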