[Openswan Users] need help securing l2tp
James
james at nttmcl.com
Mon Jul 2 19:40:33 EDT 2007
Hey guys i need to secure my L2TP and route things.
I'm trying to firewall it with iptables but keep getting some errors
with things being filtered out:
I'm using NETKEY
Here's my tcpdump output:
527.450975 75.xxx.xxx.xxx -> 217.xxx.xxx.xxx ESP ESP (SPI=0x57a2fa86)
527.451209 217.xxx.xxx.xxx -> 75.xxx.xxx.xxx ICMP Destination
unreachable (Port unreachable)
528.430024 75.xxx.xxx.xxx -> 217.xxx.xxx.xxx ESP ESP (SPI=0x57a2fa86)
528.430124 217.xxx.xxx.xxx -> 75.xxx.xxx.xxx ICMP Destination
unreachable (Port unreachable)
217.xxx = server
75.xxx = client
Here's my iptables script:
#!/bin/sh
IPTABLES=/sbin/iptables
INT=eth2
EXT=eth1
case "$1" in
start)
echo -n "Starting IP Firewall and NAT..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Clear old rules
$IPTABLES -X
$IPTABLES -F
$IPTABLES -Z
# Create OUTPUT chain
# INPUT Rules - Add to this section the ports you wish to
explicitly allow connections on
# Below are some common services that are commonly used
# Comment out the lines to disable access to these services
# The port numbers for other services you may wish to
allow can be found in the /etc/services file
# Input Rules
#Allows connections you start
$IPTABLES -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -m state --state ESTABLISHED,RELATED
-j ACCEPT
#Allow Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#Allow PPP interfaces
$IPTABLES -A INPUT -i ppp+ -j ACCEPT
$IPTABLES -A FORWARD -o ppp+ -j ACCEPT
$IPTABLES -A OUTPUT -o ppp+ -j ACCEPT
#SSH Connections
$IPTABLES -A INPUT -i $EXT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p tcp --dport 22 -j ACCEPT
#DNS Connections
$IPTABLES -A INPUT -i $EXT -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p udp --dport 53 -j ACCEPT
#SNMP
$IPTABLES -A INPUT -i $EXT -p udp --dport 161 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p udp --dport 161 -j ACCEPT
########### EXTERNAL INTERFACE VPN
#L2TPD-FORWARD and MARK
$IPTABLES -A PREROUTING -t mangle -i $EXT -p esp -j MARK
--set-mark 1
$IPTABLES -A PREROUTING -t mangle -i $EXT -p udp --dport 500
--sport 500 -j MARK --set-mark 2
$IPTABLES -A PREROUTING -t mangle -i $EXT -p udp --dport 4500
--sport 4500 -j MARK --set-mark 3
$IPTABLES -A PREROUTING -t mangle -i $EXT -p tcp --dport 500
--sport 500 -j MARK --set-mark 4
$IPTABLES -A PREROUTING -t mangle -i $EXT -p tcp --dport 4500
--sport 4500 -j MARK --set-mark 5
$IPTABLES -A FORWARD -i $EXT -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -m mark --mark 2 -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -m mark --mark 3 -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -m mark --mark 4 -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -m mark --mark 5 -j ACCEPT
$IPTABLES -A FORWARD -i $INT -j ACCEPT
#L2TPD-REJECT
$IPTABLES -A INPUT -i $EXT -p udp --dport 1701 -j REJECT
$IPTABLES -A INPUT -i $EXT -p udp --dport 17 -j REJECT
$IPTABLES -A OUTPUT -o $EXT -p udp --dport 1701 -j REJECT
$IPTABLES -A OUTPUT -o $EXT -p udp --dport 17 -j REJECT
#ISAKMP
$IPTABLES -A INPUT -i $EXT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p udp --sport 4500 --dport 4500 -j
ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p udp --sport 4500 --dport 4500 -j
ACCEPT
#ESP AND AH
$IPTABLES -A INPUT -i $EXT -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p 50 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p 51 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p 51 -j ACCEPT
############### INTERNAL INTERFACE REJECTING
#ISAKMP
$IPTABLES -A INPUT -i $INT -p udp --sport 500 --dport 500 -j REJECT
$IPTABLES -A OUTPUT -o $INT -p udp --sport 500 --dport 500 -j REJECT
#ISAKMP NAT-T
$IPTABLES -A INPUT -i $INT -p udp --sport 4500 --dport 4500 -j
REJECT
$IPTABLES -A OUTPUT -o $INT -p udp --sport 4500 --dport 4500 -j
REJECT
#L2TPD-REJECT
$IPTABLES -A OUTPUT -o $INT -p udp --sport 1701 --dport 1701 -j
REJECT
$IPTABLES -A INPUT -i $INT -p udp --sport 1701 --dport 1701 -j
REJECT
$IPTABLES -A OUTPUT -o $INT -p udp --sport 17 --dport 17 -j REJECT
$IPTABLES -A INPUT -i $INT -p udp --sport 17 --dport 17 -j REJECT
# Allow pings, but reject the rest
$IPTABLES -A INPUT -i $EXT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT -j REJECT
$IPTABLES -A OUTPUT -o $EXT -j REJECT
echo "done."
;;
stop)
echo -n "Stopping IP Firewall and NAT..."
$IPTABLES -X
$IPTABLES -F
$IPTABLES -Z
# Input Rules
echo "done."
;;
restart)
echo -n "Restarting IP Firewall and NAT..."
$0 stop > /dev/null
sleep 1
$0 start > /dev/null
;;
*)
echo "Usage: $0 {start|stop|restart}"
;;
esac
More information about the Users
mailing list