[Openswan Users] Firewall rules for openswan behind NAT

Thu Nov 21 19:44:45 UTC 2013

On Thu, 21 Nov 2013, Fred Weston wrote:

> Date: Thu, 21 Nov 2013 13:24:06
> From: Fred Weston <fred.weston at lpga.com>
> To: Paul Wouters <paul at nohats.ca>, "users at openswan.org" <users at openswan.org>
> Subject: RE: [Openswan Users] Firewall rules for openswan behind NAT
> 
> net.ipv4.ip_forward=1 is present, net.ipv4.conf.default.rp_filter is set to 1, not 0.  None of the other values are in the file.
>
> Could you please help me understand what those values do?

rp_filter is a "smart" method for checking if a packet could not have
legitimately come in through a certain interface. It gets confused when
a decrypted packet's source ip appears "out of nowhere". It must be set
to 0.

The redirect ones are to prevent the kernel from sending redirects ever.
It is another stupid mechanism that gets confused by ipsec. If a packet
comes in on a certain interface, and it would be sent out to the same
interface, this causes a redirect to be sent - after all, why sent it to
the host if the host just sends it back; there must be a better path.
Of course it fails to realise the packet came in encrypted and left
decrypted with a totally different source/dest IP.

Paul
-- 
Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/

> -----Original Message-----
> From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Paul Wouters
> Sent: Thursday, November 21, 2013 12:09 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Firewall rules for openswan behind NAT
>
> On Thu, 21 Nov 2013, Fred Weston wrote:
>
> [ cut fred from reply, as it generates errors - guess he might see this on the list itself ]
>
>> Each openswan box does only have one interface.  On that interface it has a 10.x.x.x IP address which serves as both access to the local subnet as well as Internet access via 1:1 NAT to a public IP.
>
> Then check your /etc/sysctl.conf settings to ensure they contain:
>
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1
>
> The linux kernel with xfrm is known to do really stupid icmp redirects when used with only a single interface.
>
> Paul
> --
> Libreswan Developer - https://libreswan.org/ Red Hat Security - http://people.redhat.com/pwouters/
> Personal Blog - https://nohats.ca/
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is 
 authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.
>