cmisip
2003-Aug-27 21:52 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet?
I am trying to secure the wireless lan. It is in its own subnet and attached to a linux router with three interfaces: eth0 to the cable modem, eth1 to the wired lan and eth2 to the wireless lan. I have Freeswan ipsec between the laptop in the wireless lan and each of the hosts in the wired lan. The tunnels are up and running. However I want only to accept ipsec connections from the laptop. I want to reject regular ethx connections from the wireless subnet. This is so in case somebody unauthorized gets on my wireless router (he will not have ipsec of course), he cannot access the rest of the lan. Is this possible? Thanks.
Tom Eastep
2003-Aug-28 07:27 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet?
On Wed, 2003-08-27 at 21:52, cmisip wrote:
> However I want only to accept ipsec connections from the laptop. I want to reject regular ethx connections from the wireless subnet. This is so in case somebody unauthorized gets on my wireless router (he will not have ipsec of course), he cannot access the rest of the lan. Is this possible?

Yes -- start by taking a look at my configuration (http://shorewall.net/myfiles.htm). That should give you the general idea of how to go about it.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
cmisip
2003-Aug-28 22:04 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet?
Can you give me a little more detail? So far I have managed to remove the policies that allow wireless lan <--> firewall and wlan <--> wired lan and still was able to have a working vpn connection between my laptop (192.168.0.100) and the shorewall router (192.168.1.1=eth1, 192.168.0.1=eth2). I can't seem to be able to set up a working tunnel between the laptop and the rest of the machines in the 192.168.1.0/24 network (other than the router of course) if I disable the wlan <--> fw and wlan <--> loc policies. So far I have played with the tunnels file:

    ipsec loc 192.168.1.1
    ipsec wlan 192.168.0.100 vpn

My other settings are:

zones:
    wlan wireless
    loc wired
    net Internet
    vpn VPN

interfaces:
    wlan eth2
    loc eth1
    net eth0
    vpn ipsec0

Since the firewall is in between the local lan and the wireless lan, do I set up a tunnel in both directions like I did in the tunnels file? Or is it just a fluke that I got that working? Must I set up a tunnel for each of the other hosts in the 192.168.1.0/24 network?

Thanks

On Thu, 2003-08-28 at 09:27, Tom Eastep wrote:
> On Wed, 2003-08-27 at 21:52, cmisip wrote:
> > However I want only to accept ipsec connections from the laptop. I want to reject regular ethx connections from the wireless subnet. This is so in case somebody unauthorized gets on my wireless router (he will not have ipsec of course), he cannot access the rest of the lan. Is this possible?
>
> Yes -- start by taking a look at my configuration (http://shorewall.net/myfiles.htm). That should give you the general idea of how to go about it.
>
> -Tom
Tom Eastep
2003-Aug-29 07:01 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet?
On Thu, 2003-08-28 at 22:01, cmisip wrote:
> Can you give me a little more detail? So far I have managed to remove the policies that allow wireless lan <--> firewall and wlan <--> wired lan and still was able to have a working vpn connection between my laptop (192.168.0.100) and the shorewall router (192.168.1.1=eth1, 192.168.0.1=eth2). I can't seem to be able to set up a working tunnel between the laptop and the rest of the machines in the 192.168.1.0/24 network (other than the router of course) if I disable the wlan <--> fw and wlan <--> loc policies. So far I have played with the tunnels file:
>
>     ipsec loc 192.168.1.1
>     ipsec wlan 192.168.0.100 vpn
>
> My other settings are:
>
> zones:
>     wlan wireless
>     loc wired
>     net Internet
>     vpn VPN
>
> interfaces:
>     wlan eth2
>     loc eth1
>     net eth0
>     vpn ipsec0
>
> Since the firewall is in between the local lan and the wireless lan, do I set up a tunnel in both directions like I did in the tunnels file? Or is it just a fluke that I got that working? Must I set up a tunnel for each of the other hosts in the 192.168.1.0/24 network?

I thought I understood what you were trying to do. After reading this post, I haven't a clue.

a) Where are the endpoints of your tunnel(s)?
b) What kind of tunnels are they (net-to-net, host-to-net, ...)?

-Tom
Tom Eastep
2003-Aug-29 07:59 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet?
On Fri, 2003-08-29 at 07:01, Tom Eastep wrote:

I've reread the post again and have some more questions/observations.

> On Thu, 2003-08-28 at 22:01, cmisip wrote:
> > Can you give me a little more detail? So far I have managed to remove the policies that allow wireless lan <--> firewall and wlan <--> wired lan and still was able to have a working vpn connection between my laptop (192.168.0.100) and the shorewall router (192.168.1.1=eth1, 192.168.0.1=eth2).

So what more do you need? If you make this a host-to-net tunnel, that will allow you access to your local LAN without the need for additional tunnels.

> > I can't seem to be able to set up a working tunnel between the laptop and the rest of the machines in the 192.168.1.0/24 network (other than the router of course) if I disable the wlan <--> fw and wlan <--> loc policies. So far I have played with the tunnels file:
> >
> >     ipsec loc 192.168.1.1
> >     ipsec wlan 192.168.0.100 vpn

The tunnels file is for tunnels WITH AN ENDPOINT ON THE FIREWALL. It has nothing to do with tunnels between hosts other than the firewall. For that, you simply need to pass UDP port 500 in both directions along with protocols 50 and 51.

> > Since the firewall is in between the local lan and the wireless lan, do I set up a tunnel in both directions like I did in the tunnels file? Or is it just a fluke that I got that working? Must I set up a tunnel for each of the other hosts in the 192.168.1.0/24 network?

No.

What you are trying to do is no different than if you were setting up a roadwarrior tunnel from the internet to your local (wired) network (http://shorewall.net/IPSEC.htm). The only thing that is changing is the name of the zone that the roadwarriors are in (wlan rather than net) but since Shorewall attaches absolutely no meaning to zone names, to Shorewall it is exactly the same.

-Tom
cmisip
2003-Aug-29 17:35 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet? SOLVED
I was coming from a configuration using a DI 614 wireless router. Hence both the laptop and all the other wired hosts belong to the same 192.168.1.0/24 network. I found out that you cannot create a "host to subnet" ipsec tunnel between the laptop and the 192.168.1.0/24 network because the laptop belongs to the same network. So I had to create "host to host" tunnels between the laptop and the other wired hosts. To allow the laptop to access the internet securely (wireless encryption), I had to create a "host to subnet" tunnel where the subnet is 0.0.0.0/0.

Now, I decided to increase security by putting the laptop and wireless router in its own network (192.168.0.0/24) and isolating it from the rest of the wired lan (192.168.1.0/24). This allows me to create a single "host (laptop) to subnet (192.168.1.0/24)" tunnel, extremely simplifying the ipsec configuration. By using a subnet of 0.0.0.0/0, I can extend the same connection to allow internet access. This is what I missed. Thank you for bringing me back on track.

I think I have achieved my goal in this setup. With ipsec ON in the laptop, the laptop is allowed access to the rest of the wired network and the internet. With ipsec OFF on the laptop, all communications between it and the wired lan are via regular ethx connections and shorewall is configured to reject these connections from the wireless lan network. Now if an outsider tries to connect to my wireless router, they will not be able to access the wired lan or the internet at all.

Thanks again. I am currently testing the setup. So far it seems to be working well.

On Fri, 2003-08-29 at 09:58, Tom Eastep wrote:
> On Fri, 2003-08-29 at 07:01, Tom Eastep wrote:
>
> I've reread the post again and have some more questions/observations.
>
> > On Thu, 2003-08-28 at 22:01, cmisip wrote:
> > > Can you give me a little more detail? So far I have managed to remove the policies that allow wireless lan <--> firewall and wlan <--> wired lan and still was able to have a working vpn connection between my laptop (192.168.0.100) and the shorewall router (192.168.1.1=eth1, 192.168.0.1=eth2).
>
> So what more do you need? If you make this a host-to-net tunnel, that will allow you access to your local LAN without the need for additional tunnels.
>
> > > I can't seem to be able to set up a working tunnel between the laptop and the rest of the machines in the 192.168.1.0/24 network (other than the router of course) if I disable the wlan <--> fw and wlan <--> loc policies. So far I have played with the tunnels file:
> > >
> > >     ipsec loc 192.168.1.1
> > >     ipsec wlan 192.168.0.100 vpn
>
> The tunnels file is for tunnels WITH AN ENDPOINT ON THE FIREWALL. It has nothing to do with tunnels between hosts other than the firewall. For that, you simply need to pass UDP port 500 in both directions along with protocols 50 and 51.
>
> > > Since the firewall is in between the local lan and the wireless lan, do I set up a tunnel in both directions like I did in the tunnels file? Or is it just a fluke that I got that working? Must I set up a tunnel for each of the other hosts in the 192.168.1.0/24 network?
>
> No.
>
> What you are trying to do is no different than if you were setting up a roadwarrior tunnel from the internet to your local (wired) network (http://shorewall.net/IPSEC.htm). The only thing that is changing is the name of the zone that the roadwarriors are in (wlan rather than net) but since Shorewall attaches absolutely no meaning to zone names, to Shorewall it is exactly the same.
>
> -Tom
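The isolated-wireless design the thread arrives at (Tom's "roadwarrior in the wlan zone" model plus cmisip's single host-to-subnet tunnel terminated on the router), written out as Shorewall 1.4-era configuration fragments. This is an added example, not cmisip's or Tom's own files; the DROP/REJECT policy mix, the logging levels, the masq entry and the exact column layout are assumptions built on the zones, interfaces and addresses quoted above.

```text
# /etc/shorewall/zones          (ZONE  DISPLAY  COMMENTS)
wlan    Wireless    Wireless LAN on eth2; untrusted until IPsec is up
loc     Wired       Wired LAN on eth1
net     Internet    Cable modem on eth0
vpn     VPN         Decrypted IPsec traffic arriving on FreeS/WAN's ipsec0

# /etc/shorewall/interfaces     (ZONE  INTERFACE  BROADCAST)
net     eth0        detect
loc     eth1        detect
wlan    eth2        detect
vpn     ipsec0

# /etc/shorewall/policy         (SOURCE  DEST  POLICY  LOG LEVEL)
# Cleartext from the wireless zone goes nowhere (not to the wired LAN,
# the Internet, or the firewall itself); log it so a rogue client that
# joins the access point shows up in the firewall log.
wlan    all     DROP    info
# Decrypted traffic lands in the vpn zone and is trusted like the wired LAN.
vpn     loc     ACCEPT
loc     vpn     ACCEPT
vpn     net     ACCEPT
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/tunnels        (TYPE  ZONE  GATEWAY  GATEWAY ZONE)
# The host-to-subnet tunnel terminates on the router, so this entry is
# the only cleartext the laptop may send to the firewall: IKE on UDP 500
# plus ESP and AH (IP protocols 50 and 51). Tunnel rules are evaluated
# before the wlan DROP policy, so nothing else from eth2 gets through.
ipsec   wlan    192.168.0.100   vpn

# /etc/shorewall/masq           (INTERFACE  SUBNET)
eth0    eth1
eth0    192.168.0.100    # assumed: laptop traffic decrypted off ipsec0 and bound for the Internet

# /etc/shorewall/rules          (ACTION  SOURCE  DEST  PROTO  DEST PORT)
# Only for the earlier host-to-host design, where tunnels end on wired
# hosts rather than on the router: pass IKE, ESP and AH through in both
# directions, as Tom describes. Not needed with the tunnels entry above.
ACCEPT  wlan:192.168.0.100  loc     udp     500
ACCEPT  wlan:192.168.0.100  loc     50
ACCEPT  wlan:192.168.0.100  loc     51
ACCEPT  loc     wlan:192.168.0.100      udp     500
ACCEPT  loc     wlan:192.168.0.100      50
ACCEPT  loc     wlan:192.168.0.100      51
```

With these policies a client that associates to the access point but has no IPsec credentials can only reach the router's IKE port, and every other packet from eth2 is dropped and logged; the wired LAN and the Internet are reachable solely through the vpn zone.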
Joshua Banks
2003-Aug-29 22:48 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet? SOLVED
--- cmisip <cmisip@insightbb.com> wrote:
> I was coming from a configuration using a DI 614 wireless router. Hence both the laptop and all the other wired hosts belong to the same 192.168.1.0/24 network. I found out that you cannot create a "host to subnet" ipsec tunnel between the laptop and the 192.168.1.0/24 network because the laptop belongs to the same network. So I had to create "host to host" tunnels between the laptop and the other wired hosts. To allow the laptop to access the internet securely (wireless encryption), I had to create a "host to subnet" tunnel where the subnet is 0.0.0.0/0.
>
> Now, I decided to increase security by putting the laptop and wireless router in its own network (192.168.0.0/24) and isolating it from the rest of the wired lan (192.168.1.0/24). This allows me to create a single "host (laptop) to subnet (192.168.1.0/24)" tunnel, extremely simplifying the ipsec configuration. By using a subnet of 0.0.0.0/0, I can extend the same connection to allow internet access. This is what I missed. Thank you for bringing me back on track.
>
> I think I have achieved my goal in this setup. With ipsec ON in the laptop, the laptop is allowed access to the rest of the wired network and the internet. With ipsec OFF on the laptop, all communications between it and the wired lan are via regular ethx connections and shorewall is configured to reject these connections from the wireless lan network. Now if an outsider tries to connect to my wireless router, they will not be able to access the wired lan or the internet at all.
>
> Thanks again. I am currently testing the setup. So far it seems to be working well.

Nice job CMISIP,

Please let me know how this works out.

JBanks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
cmisip
2003-Aug-29 23:27 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet? SOLVED
Seems to work well. Both Windows XP and Redhat 9 on the laptop have vpn connections to the rest of the wired lan and the internet. I chronicled everything here: http://cmisip.home.insightbb.com/advanced.htm

It's disorganized and may even have a bunch of errors, and I will probably need to update it with new information as I learn it.

On Sat, 2003-08-30 at 00:48, Joshua Banks wrote:
> --- cmisip <cmisip@insightbb.com> wrote:
> > I was coming from a configuration using a DI 614 wireless router. Hence both the laptop and all the other wired hosts belong to the same 192.168.1.0/24 network. I found out that you cannot create a "host to subnet" ipsec tunnel between the laptop and the 192.168.1.0/24 network because the laptop belongs to the same network. So I had to create "host to host" tunnels between the laptop and the other wired hosts. To allow the laptop to access the internet securely (wireless encryption), I had to create a "host to subnet" tunnel where the subnet is 0.0.0.0/0.
> >
> > Now, I decided to increase security by putting the laptop and wireless router in its own network (192.168.0.0/24) and isolating it from the rest of the wired lan (192.168.1.0/24). This allows me to create a single "host (laptop) to subnet (192.168.1.0/24)" tunnel, extremely simplifying the ipsec configuration. By using a subnet of 0.0.0.0/0, I can extend the same connection to allow internet access. This is what I missed. Thank you for bringing me back on track.
> >
> > I think I have achieved my goal in this setup. With ipsec ON in the laptop, the laptop is allowed access to the rest of the wired network and the internet. With ipsec OFF on the laptop, all communications between it and the wired lan are via regular ethx connections and shorewall is configured to reject these connections from the wireless lan network. Now if an outsider tries to connect to my wireless router, they will not be able to access the wired lan or the internet at all.
> >
> > Thanks again. I am currently testing the setup. So far it seems to be working well.
>
> Nice job CMISIP,
>
> Please let me know how this works out.
>
> JBanks
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Joshua Banks
2003-Aug-30 00:10 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet? SOLVED
Kool....

Thanks :)

JBanks
cmisip
2003-Aug-30 20:51 UTC
[Shorewall-users] Is there a way to allow vpn connections and block eth connections from a host or subnet? SOLVED
Updated it with a Howto regarding connecting Windows XP to the home network across the internet zone. I think, my final project in ipsec.

On Sat, 2003-08-30 at 02:09, Joshua Banks wrote:
> Kool....
>
> Thanks :)
>
> JBanks