Shorewall users - Aug 2003 - Is there a way to allow vpn connections and block eth connections from a host or subnet?

I am trying to secure the wireless lan.  It is in its own subnet and
attached to a linux router with three interfaces : eth0 to the cable
modem, eth1 to the wired lan and eth2 to the wireless lan.  I have
Freeswan ipsec between the laptop in the wireless lan and each of the
hosts in the wired lan.  The tunnels are up and running.  However I want
only to accept ipsec connections from the laptop.  I want to reject
regular ethx connections from the wireless subnet.  This is so in case
somebody unauthorized gets on my wireless router( he will not have ipsec
of course) , he cannot access the rest of the lan.  Is this possible? 
Thanks.

On Wed, 2003-08-27 at 21:52, cmisip wrote:
>  However I want
> only to accept ipsec connections from the laptop.  I want to reject
> regular ethx connections from the wireless subnet.  This is so in case
> somebody unauthorized gets on my wireless router( he will not have ipsec
> of course) , he cannot access the rest of the lan.  Is this possible? 
Yes -- start by taking a look at my configuration
(http://shorewall.net/myfiles.htm). That should give you the general
idea of how to go about it.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Can you give me a little more detail.  So far I have managed to remove
the policies that allow wireless lan <--> firewall and wlan <-->
wired
lan and still was able to have a working vpn connection between my
laptop (192.168.0.100) and the shorewall router (192.168.1.1=eth1,
192.168.0.1=eth2).  I cant seem to be able to setup a working tunnel
between the laptop and the rest of the machines in the 192.168.1.0/24
network (other than the router of course) if I disable the wlan <--> fw
and wlan <--> loc policies.  So far I have played with the tunnels file:

ipsec   loc  192.168.1.1 
ipsec   wlan 192.168.0.100 vpn


My other settings are:

zones:
wlan wireless
loc  wired
net  Internet
vpn VPN

interfaces:
wlan eth2
loc  eth1
net eth0
vpn   ipsec0    

Since the firewall is in between the local lan and the wireless lan, do
I setup a tunnel in both directions like I did in the tunnels file?  Or
is it just a fluke that I got that working?  Must I setup a tunnel for
each of the other hosts in the 192.168.1.0/24 network?

Thanks

On Thu, 2003-08-28 at 09:27, Tom Eastep wrote:
> On Wed, 2003-08-27 at 21:52, cmisip wrote:
> >  However I want
> > only to accept ipsec connections from the laptop.  I want to reject
> > regular ethx connections from the wireless subnet.  This is so in case
> > somebody unauthorized gets on my wireless router( he will not have
ipsec
> > of course) , he cannot access the rest of the lan.  Is this possible? 
> 
> Yes -- start by taking a look at my configuration
> (http://shorewall.net/myfiles.htm). That should give you the general
> idea of how to go about it.
> 
> -Tom

On Thu, 2003-08-28 at 22:01, cmisip wrote:
> Can you give me a little more detail.  So far I have managed to remove
> the policies that allow wireless lan <--> firewall and wlan
<--> wired
> lan and still was able to have a working vpn connection between my
> laptop (192.168.0.100) and the shorewall router (192.168.1.1=eth1,
> 192.168.0.1=eth2).  I cant seem to be able to setup a working tunnel
> between the laptop and the rest of the machines in the 192.168.1.0/24
> network (other than the router of course) if I disable the wlan <-->
fw
> and wlan <--> loc policies.  So far I have played with the tunnels
file:
> 
> ipsec   loc  192.168.1.1 
> ipsec   wlan 192.168.0.100 vpn
> 
> 
> My other settings are:
> 
> zones:
> wlan wireless
> loc  wired
> net  Internet
> vpn VPN
> 
> interfaces:
> wlan eth2
> loc  eth1
> net eth0
> vpn   ipsec0    
> 
> Since the firewall is in between the local lan and the wireless lan, do
> I setup a tunnel in both directions like I did in the tunnels file?  Or
> is it just a fluke that I got that working?  Must I setup a tunnel for
> each of the other hosts in the 192.168.1.0/24 network?
> 
I thought I understood what you were trying to do. After reading this
post, I haven''t a clue.

a) Where are the endpoints of your tunnel(s).
b) What kind of tunnels are they (net-to-net, host-to-net, ...).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Fri, 2003-08-29 at 07:01, Tom Eastep wrote:

I''ve reread the post again and have some more questions/observations.
> On Thu, 2003-08-28 at 22:01, cmisip wrote:
> > Can you give me a little more detail.  So far I have managed to remove
> > the policies that allow wireless lan <--> firewall and wlan
<--> wired
> > lan and still was able to have a working vpn connection between my
> > laptop (192.168.0.100) and the shorewall router (192.168.1.1=eth1,
> > 192.168.0.1=eth2).
So what more do you need? If you make this a host-to-net tunnel, that
will allow you access to your local LAN without the need for additional
tunnels.
>  I cant seem to be able to setup a working tunnel
> > between the laptop and the rest of the machines in the 192.168.1.0/24
> > network (other than the router of course) if I disable the wlan
<--> fw
> > and wlan <--> loc policies.  So far I have played with the
tunnels file:
> > 
> > ipsec   loc  192.168.1.1 
> > ipsec   wlan 192.168.0.100 vpn
The tunnels file is for tunnels WITH AN ENDPOINT ON THE FIREWALL. It has
nothing to do with tunnels between hosts other than the firewall. For
that, you simply need to pass UDP port 500 in both directions along with
protocols 50 and 51.

> > 
> > Since the firewall is in between the local lan and the wireless lan,
do
> > I setup a tunnel in both directions like I did in the tunnels file? 
Or
> > is it just a fluke that I got that working?  Must I setup a tunnel for
> > each of the other hosts in the 192.168.1.0/24 network?
> > 
No.

What you are trying to do is no different than if you were setting up a
roadwarrior tunnel from the internet to your local (wired) network
(http://shorewall.net/IPSEC.htm). The only thing that is changing is the
name of the zone that the roadwarriors are in (wlan rather than net) but
since Shorewall attaches absolutely no meaning to zone names, to
Shorewall it is exactly the same.

-Tom
-- 

Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

I was coming from a configuration using a DI 614 wireless router.  Hence
both the laptop and all the other wired hosts belong to the same
192.168.1.0/24 network.  I found out that you cannot create a "host to
subnet" ipsec tunnel between the laptop and the 192.168.1.0/24 network
because the laptop belongs to the same network.  So I had to create
"host to host" tunnels between the laptop and the other wired hosts. 
To
allow the laptop to access the internet securely (wireless encryption),
I had to create a "host to subnet" tunnel where the subnet is
0.0.0.0/0.
      Now, I decided to increase security by putting the laptop and
wireless router in its own network (192.168.0.0/24) and isolating it
from the rest of the wired lan (192.168.1.0/24).  This allows me to
create a single "host(laptop) to subnet (192.168.1.0/24) tunnel
extremely simplifying the ipsec configuration. By using a subnet of
0.0.0.0/0, I can extend the same connection to allow internet access. 
This is what I missed.  Thank you for bringing me back on track.    

I think I have achieved my goal in this setup.  With ipsec ON in the
laptop, the laptop is allowed access to the rest of the wired network
and the internet.  With ipsec OFF on the laptop, all communications
between it and the wired lan are via regular ethx connections and
shorewall is configured to reject these connections from the wireless
lan network. 
Now if an outsider tries to connect to my wireless router, they will not
be able to access the wired lan or the internet at all.

Thanks again. I am currently testing the setup.  So far it seems to be
working well.




On Fri, 2003-08-29 at 09:58, Tom Eastep wrote:
> On Fri, 2003-08-29 at 07:01, Tom Eastep wrote:
> 
> I''ve reread the post again and have some more
questions/observations.
> 
> > On Thu, 2003-08-28 at 22:01, cmisip wrote:
> > > Can you give me a little more detail.  So far I have managed to
remove
> > > the policies that allow wireless lan <--> firewall and wlan
<--> wired
> > > lan and still was able to have a working vpn connection between
my
> > > laptop (192.168.0.100) and the shorewall router
(192.168.1.1=eth1,
> > > 192.168.0.1=eth2).
> 
> So what more do you need? If you make this a host-to-net tunnel, that
> will allow you access to your local LAN without the need for additional
> tunnels.
> 
> >  I cant seem to be able to setup a working tunnel
> > > between the laptop and the rest of the machines in the
192.168.1.0/24
> > > network (other than the router of course) if I disable the wlan
<--> fw
> > > and wlan <--> loc policies.  So far I have played with the
tunnels file:
> > > 
> > > ipsec   loc  192.168.1.1 
> > > ipsec   wlan 192.168.0.100 vpn
> 
> The tunnels file is for tunnels WITH AN ENDPOINT ON THE FIREWALL. It has
> nothing to do with tunnels between hosts other than the firewall. For
> that, you simply need to pass UDP port 500 in both directions along with
> protocols 50 and 51.
> 
> 
> > > 
> > > Since the firewall is in between the local lan and the wireless
lan, do
> > > I setup a tunnel in both directions like I did in the tunnels
file?  Or
> > > is it just a fluke that I got that working?  Must I setup a
tunnel for
> > > each of the other hosts in the 192.168.1.0/24 network?
> > > 
> 
> No.
> 
> What you are trying to do is no different than if you were setting up a
> roadwarrior tunnel from the internet to your local (wired) network
> (http://shorewall.net/IPSEC.htm). The only thing that is changing is the
> name of the zone that the roadwarriors are in (wlan rather than net) but
> since Shorewall attaches absolutely no meaning to zone names, to
> Shorewall it is exactly the same.
> 
> -Tom

--- cmisip <cmisip@insightbb.com> wrote:
> I was coming from a configuration using a DI 614 wireless router.  Hence
> both the laptop and all the other wired hosts belong to the same
> 192.168.1.0/24 network.  I found out that you cannot create a "host to
> subnet" ipsec tunnel between the laptop and the 192.168.1.0/24 network
> because the laptop belongs to the same network.  So I had to create
> "host to host" tunnels between the laptop and the other wired
hosts.  To
> allow the laptop to access the internet securely (wireless encryption),
> I had to create a "host to subnet" tunnel where the subnet is
0.0.0.0/0.
>       Now, I decided to increase security by putting the laptop and
> wireless router in its own network (192.168.0.0/24) and isolating it
> from the rest of the wired lan (192.168.1.0/24).  This allows me to
> create a single "host(laptop) to subnet (192.168.1.0/24) tunnel
> extremely simplifying the ipsec configuration. By using a subnet of
> 0.0.0.0/0, I can extend the same connection to allow internet access. 
> This is what I missed.  Thank you for bringing me back on track.    
> 
> I think I have achieved my goal in this setup.  With ipsec ON in the
> laptop, the laptop is allowed access to the rest of the wired network
> and the internet.  With ipsec OFF on the laptop, all communications
> between it and the wired lan are via regular ethx connections and
> shorewall is configured to reject these connections from the wireless
> lan network. 
> Now if an outsider tries to connect to my wireless router, they will not
> be able to access the wired lan or the internet at all.
> 
> Thanks again. I am currently testing the setup.  So far it seems to be
> working well.

Nice job CMISIP,

Please let me know how this works out.

JBanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

Seems to work well.  Both Windows xp and Redhat 9 on the laptop have vpn
connections to the rest of the wired lan and the internet.  I chronicled
everything here:
http://cmisip.home.insightbb.com/advanced.htm

Its disorganized and may even have a bunch of errors and I will probably
need to update it with new information as I learn them.



On Sat, 2003-08-30 at 00:48, Joshua Banks wrote:
> --- cmisip <cmisip@insightbb.com> wrote:
> > I was coming from a configuration using a DI 614 wireless router. 
Hence
> > both the laptop and all the other wired hosts belong to the same
> > 192.168.1.0/24 network.  I found out that you cannot create a
"host to
> > subnet" ipsec tunnel between the laptop and the 192.168.1.0/24
network
> > because the laptop belongs to the same network.  So I had to create
> > "host to host" tunnels between the laptop and the other
wired hosts.  To
> > allow the laptop to access the internet securely (wireless
encryption),
> > I had to create a "host to subnet" tunnel where the subnet
is 0.0.0.0/0.
> >       Now, I decided to increase security by putting the laptop and
> > wireless router in its own network (192.168.0.0/24) and isolating it
> > from the rest of the wired lan (192.168.1.0/24).  This allows me to
> > create a single "host(laptop) to subnet (192.168.1.0/24) tunnel
> > extremely simplifying the ipsec configuration. By using a subnet of
> > 0.0.0.0/0, I can extend the same connection to allow internet access. 
> > This is what I missed.  Thank you for bringing me back on track.    
> > 
> > I think I have achieved my goal in this setup.  With ipsec ON in the
> > laptop, the laptop is allowed access to the rest of the wired network
> > and the internet.  With ipsec OFF on the laptop, all communications
> > between it and the wired lan are via regular ethx connections and
> > shorewall is configured to reject these connections from the wireless
> > lan network. 
> > Now if an outsider tries to connect to my wireless router, they will
not
> > be able to access the wired lan or the internet at all.
> > 
> > Thanks again. I am currently testing the setup.  So far it seems to be
> > working well.
> 
> 
> Nice job CMISIP,
> 
> Please let me know how this works out.
> 
> JBanks
> 
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Search - Faster. Easier. Bingo.
> http://search.yahoo.com
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Kool....


Thanks :)


JBanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

Updated it with Howto regarding connecting Windows XP to the home
network across the internet zone. I think, my final project in ipsec.


On Sat, 2003-08-30 at 02:09, Joshua Banks wrote:
> Kool....
> 
> 
> Thanks :)
> 
> 
> JBanks
> 
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Search - Faster. Easier. Bingo.
> http://search.yahoo.com
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm