[Openswan Users] need help securing l2tp

James james at nttmcl.com
Mon Jul 2 19:40:33 EDT 2007


Hey guys i need to secure my L2TP and route things.
I'm trying to firewall it with iptables but keep getting some errors 
with things being filtered out:
I'm using NETKEY

Here's my tcpdump output:
527.450975 75.xxx.xxx.xxx -> 217.xxx.xxx.xxx ESP ESP (SPI=0x57a2fa86)
527.451209 217.xxx.xxx.xxx -> 75.xxx.xxx.xxx ICMP Destination 
unreachable (Port unreachable)
528.430024 75.xxx.xxx.xxx -> 217.xxx.xxx.xxx ESP ESP (SPI=0x57a2fa86)
528.430124 217.xxx.xxx.xxx -> 75.xxx.xxx.xxx ICMP Destination 
unreachable (Port unreachable)

217.xxx = server
75.xxx = client


Here's my iptables script:
#!/bin/sh

IPTABLES=/sbin/iptables
INT=eth2
EXT=eth1

case "$1" in
start)
        echo -n "Starting IP Firewall and NAT..."
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies

        # Clear old rules
        $IPTABLES -X
        $IPTABLES -F
        $IPTABLES -Z

        # Create OUTPUT chain

        # INPUT Rules - Add to this section the ports you wish to 
explicitly allow connections on
        #       Below are some common services that are commonly used
        #       Comment out the lines to disable access to these services
        #       The port numbers for other services you may wish to 
allow can be found in the /etc/services file

# Input Rules
#Allows connections you start
        $IPTABLES -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED 
-j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -m state --state ESTABLISHED,RELATED 
-j ACCEPT

#Allow Loopback
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -j ACCEPT

#Allow PPP interfaces
        $IPTABLES -A INPUT -i ppp+ -j ACCEPT
        $IPTABLES -A FORWARD -o ppp+ -j ACCEPT
        $IPTABLES -A OUTPUT -o ppp+ -j ACCEPT

#SSH Connections
        $IPTABLES -A INPUT -i $EXT -p tcp --dport 22 -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p tcp --dport 22 -j ACCEPT

#DNS Connections
        $IPTABLES -A INPUT -i $EXT -p udp --dport 53 -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p udp --dport 53 -j ACCEPT
#SNMP
        $IPTABLES -A INPUT -i $EXT -p udp --dport 161 -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p udp --dport 161 -j ACCEPT

########### EXTERNAL INTERFACE VPN

#L2TPD-FORWARD and MARK
        $IPTABLES -A PREROUTING -t mangle -i $EXT -p esp -j MARK  
--set-mark 1
        $IPTABLES -A PREROUTING -t mangle -i $EXT -p udp --dport 500 
--sport 500 -j MARK  --set-mark 2
        $IPTABLES -A PREROUTING -t mangle -i $EXT -p udp --dport 4500 
--sport 4500 -j MARK  --set-mark 3
        $IPTABLES -A PREROUTING -t mangle -i $EXT -p tcp --dport 500 
--sport 500 -j MARK  --set-mark 4
        $IPTABLES -A PREROUTING -t mangle -i $EXT -p tcp --dport 4500 
--sport 4500 -j MARK  --set-mark 5
        $IPTABLES -A FORWARD -i $EXT -m mark --mark 1 -j ACCEPT
        $IPTABLES -A FORWARD -i $EXT -m mark --mark 2 -j ACCEPT
        $IPTABLES -A FORWARD -i $EXT -m mark --mark 3 -j ACCEPT
        $IPTABLES -A FORWARD -i $EXT -m mark --mark 4 -j ACCEPT
        $IPTABLES -A FORWARD -i $EXT -m mark --mark 5 -j ACCEPT
        $IPTABLES -A FORWARD -i $INT -j ACCEPT

#L2TPD-REJECT
      $IPTABLES -A INPUT -i $EXT -p udp --dport 1701 -j REJECT
      $IPTABLES -A INPUT -i $EXT -p udp --dport 17 -j REJECT
      $IPTABLES -A OUTPUT -o $EXT -p udp --dport 1701 -j REJECT
      $IPTABLES -A OUTPUT -o $EXT -p udp --dport 17 -j REJECT

#ISAKMP
        $IPTABLES -A INPUT -i $EXT -p udp --sport 500 --dport 500 -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p udp --sport 500 --dport 500 -j ACCEPT
        $IPTABLES -A INPUT -i $EXT -p udp --sport 4500 --dport 4500 -j 
ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p udp --sport 4500 --dport 4500 -j 
ACCEPT

#ESP AND AH
        $IPTABLES -A INPUT -i $EXT -p 50 -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p 50 -j ACCEPT
        $IPTABLES -A INPUT -i $EXT -p 51 -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p 51 -j ACCEPT

############### INTERNAL INTERFACE REJECTING

#ISAKMP
        $IPTABLES -A INPUT -i $INT -p udp --sport 500 --dport 500 -j REJECT
        $IPTABLES -A OUTPUT -o $INT -p udp --sport 500 --dport 500 -j REJECT

#ISAKMP NAT-T
        $IPTABLES -A INPUT -i $INT -p udp --sport 4500 --dport 4500 -j 
REJECT
        $IPTABLES -A OUTPUT -o $INT -p udp --sport 4500 --dport 4500 -j 
REJECT

#L2TPD-REJECT
        $IPTABLES -A OUTPUT -o $INT -p udp --sport 1701 --dport 1701 -j 
REJECT
        $IPTABLES -A INPUT -i $INT -p udp --sport 1701 --dport 1701 -j 
REJECT
        $IPTABLES -A OUTPUT -o $INT -p udp --sport 17 --dport 17 -j REJECT
        $IPTABLES -A INPUT -i $INT -p udp --sport 17 --dport 17 -j REJECT

# Allow pings, but reject the rest
        $IPTABLES -A INPUT -i $EXT -p icmp -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -p icmp -j ACCEPT
        $IPTABLES -A INPUT -i $EXT -j REJECT
        $IPTABLES -A OUTPUT -o $EXT -j REJECT

        echo "done."
        ;;
stop)
        echo -n "Stopping IP Firewall and NAT..."
        $IPTABLES -X
        $IPTABLES -F
        $IPTABLES -Z

        # Input Rules
        echo "done."
        ;;

restart)
        echo -n "Restarting IP Firewall and NAT..."
        $0 stop > /dev/null
        sleep 1
        $0 start > /dev/null
        ;;

*)
        echo "Usage: $0 {start|stop|restart}"
        ;;
esac



More information about the Users mailing list