The external interface will be protected using an iptables/netfilter based firewall. The iptables tool was installed in Section 4.2, “Firewall (iptables)”.
Policies are the rules that the firewall enforces. The ordered list below gives an example of firewall policies. Order matters: within a chain, the first rule that matches a packet decides its fate, so the "deny all other" entries must come last.
Network Address/Port Translation (NAT) policies. NAT rewrites the source and/or destination addresses and ports of IP packets as they pass through a router or firewall.
  - Place a kernel mark on ESP (IPsec) traffic. A separate filter rule restricts access to the L2TP port to packets carrying this mark, so that only packets that arrived inside ESP can reach the L2TP tunnel.
  - Do not translate between hosts on the internal network.
  - Redirect SYSLOG directed at the firewall to the SYSLOG host.
  - Masquerade the hosts on the internal network, so that they all share one external IP address.
Loopback interface policies
  - Allow all outgoing and incoming traffic.
LAN interface policies
  - Allow all outbound traffic to the LAN.
  - Allow inbound DHCP requests.
  - Allow inbound traffic with a source IP address on the LAN subnet.
  - Deny all other inbound traffic.
WiFi interface policies
  - Allow all traffic going to the WiFi.
  - Allow inbound DHCP requests.
  - Allow inbound traffic with a source IP address on the WiFi subnet.
  - Deny all other inbound traffic.
WAN interface (external) policies
  - Allow outbound traffic to the WAN.
  - Allow inbound traffic carrying the ESP (IPsec) kernel mark, i.e. packets that have just been decrypted.
  - Allow inbound NTP responses from specific NTP servers.
  - Allow inbound SSH and ESP (IPsec).
  - Allow inbound RealPlayer and MS Media Player.
  - Allow inbound TFTP and SYSLOG from the remote access router.
  - Deny RIP updates from the remote access router.
  - Deny all other traffic from the WAN.
Global policies
  - Accept traffic from the internal network or the external interface.
  - Deny all other traffic.
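As an added example (this is not the HOWTO's fwbuilder output, which is not reproduced on this page), the policy list above written out as iptables rules in a small shell script. eth1 is the WAN interface, as in the HOWTO's own mark rules further down; the LAN and WiFi interface names, the subnets, the syslog host, the remote access router, the NTP servers and the RealPlayer/Media Player ports (RTSP 554, MMS 1755) are assumptions that must be replaced. The script goes slightly beyond the list in two places, both commented: it also marks UDP-encapsulated ESP (NAT-T) so that clients behind a NAT reach the tunnel, and it accepts marked packets only on the L2TP port rather than accepting every marked packet. By default it only prints the rules for review.

```shell
#!/bin/sh
# Added example, not the HOWTO's fwbuilder output: the policy list above
# written out as iptables rules. eth1 is the WAN interface as in the HOWTO;
# the other interface names, subnets, hosts and media-player ports are assumed.
LAN_IF=eth0; LAN_NET=192.168.1.0/24            # assumed
WIFI_IF=wlan0; WIFI_NET=192.168.2.0/24         # assumed
WAN_IF=eth1
SYSLOG_HOST=192.168.1.10                        # assumed internal syslog host
RAR=203.0.113.1                                 # assumed remote access router
NTP_SERVERS="192.0.2.10 192.0.2.11"             # assumed
ESP_MARK=15                                     # mark value used by the HOWTO

# DRY_RUN=1 (the default) prints the rules for review; DRY_RUN= applies them.
DRY_RUN=${DRY_RUN-1}
ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

fw_rules() {
    for t in filter nat mangle; do ipt -t $t -F; done
    # Global policy: deny everything not explicitly accepted below.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP

    # --- NAT / mangle policies ---
    # Mark ESP so the decrypted packet is recognisable on its second pass
    # through the filter. Caveat: with NAT-T the ESP payload arrives as
    # UDP/4500 and never matches -p esp, so mark that as well.
    ipt -t mangle -A PREROUTING -i $WAN_IF -p esp -j MARK --set-mark $ESP_MARK
    ipt -t mangle -A PREROUTING -i $WAN_IF -p udp --dport 4500 -j MARK --set-mark $ESP_MARK
    # Do not translate between internal hosts: exempt them before MASQUERADE.
    for src in $LAN_NET $WIFI_NET; do for dst in $LAN_NET $WIFI_NET; do
        ipt -t nat -A POSTROUTING -s $src -d $dst -j ACCEPT
    done; done
    # Redirect syslog aimed at the firewall to the syslog host.
    ipt -t nat -A PREROUTING -i $WAN_IF -p udp --dport 514 -j DNAT --to-destination $SYSLOG_HOST
    ipt -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE

    # --- Loopback ---
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # --- LAN and WiFi: anything out, only DHCP or same-subnet sources in ---
    # "Allow all outbound to the LAN" is realised in FORWARD as replies only,
    # so the WAN rules below, not this block, decide which new connections
    # the WAN may open towards internal hosts.
    for pair in "$LAN_IF $LAN_NET" "$WIFI_IF $WIFI_NET"; do
        set -- $pair
        ipt -A OUTPUT -o $1 -j ACCEPT
        ipt -A FORWARD -o $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
        ipt -A INPUT -i $1 -p udp --sport 68 --dport 67 -j ACCEPT
        ipt -A INPUT -i $1 -s $2 -j ACCEPT
        ipt -A FORWARD -i $1 -s $2 -j ACCEPT
        ipt -A INPUT -i $1 -j DROP
        ipt -A FORWARD -i $1 -j DROP
    done

    # --- WAN ---
    ipt -A OUTPUT -o $WAN_IF -j ACCEPT
    ipt -A FORWARD -o $WAN_IF -j ACCEPT
    ipt -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # L2TP only for packets that came in through ESP (they carry the mark).
    # In L2TP/IPsec the ESP payload is UDP/1701, so this is narrower than
    # the HOWTO's rule, which accepts every marked packet.
    ipt -A INPUT -i $WAN_IF -p udp --dport 1701 -m mark --mark $ESP_MARK -j ACCEPT
    ipt -A INPUT -i $WAN_IF -p esp -j ACCEPT
    ipt -A INPUT -i $WAN_IF -p udp -m multiport --dports 500,4500 -j ACCEPT   # IKE, NAT-T
    ipt -A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT                        # SSH
    for s in $NTP_SERVERS; do
        ipt -A INPUT -i $WAN_IF -p udp -s $s --sport 123 --dport 123 -j ACCEPT
    done
    ipt -A INPUT -i $WAN_IF -p tcp -m multiport --dports 554,1755 -j ACCEPT   # RTSP/MMS, assumed ports
    ipt -A INPUT -i $WAN_IF -p udp -s $RAR --dport 69 -j ACCEPT                # TFTP
    ipt -A FORWARD -i $WAN_IF -p udp -s $RAR -d $SYSLOG_HOST --dport 514 -j ACCEPT  # syslog after DNAT
    ipt -A INPUT -i $WAN_IF -p udp -s $RAR --dport 520 -j DROP                 # RIP
    ipt -A INPUT -i $WAN_IF -j DROP
    ipt -A FORWARD -i $WAN_IF -j DROP
}

fw_rules
```

Run it as is to print the rule set and read it top to bottom; run it as `DRY_RUN= sh firewall.sh` to apply. Because the syslog DNAT happens in nat PREROUTING, the redirected syslog packets are seen in FORWARD, not INPUT, which is why the accept for port 514 sits in FORWARD with the syslog host as destination.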
NAT modifies the IP address and port number of packets, which is exactly the kind of modification IPsec is designed to detect and reject. Rather than working around this on the NAT device, the Linux 2.6 kernel (and thereby the SISO) supports "IPsec within UDP", the NAT traversal (NAT-T) encapsulation of RFC [33]. For this to work, both the IPsec clients and the server have to support the RFC. Most clients enable NAT-T automatically when they detect a NAT on the path. Currently only one client behind a given NAT will be able to connect at a time; to allow multiple L2TP/IPsec clients from behind the same NAT, the Stinghorn patch may need to be applied [34].
Firewall Builder [35] is an intuitive graphical interface to configure firewall policies. The binaries for "Fedora Core 5" can be installed as follows.
yum install fwbuilder
The tar ball of this HOWTO [36] contains an example fwbuilder source implementing the policies listed above. The file name of the example is examples/apps/fwbuilder/firewall.fwb. Compile the firewall, and save it as $PRJ_DIR/apps/fwbuilder/firewall.fw.
The following changes are needed to the compiled firewall configuration script:
  - The busybox built-in ip command does not support the ls option used by the firewall script. Simply replace ls with show.
  - Only traffic that was received over an IPsec tunnel should be allowed to access the L2TP port. This is implemented by putting a kernel mark on ESP protocol traffic. When such a packet has been decrypted it enters the firewall a second time, still carrying the mark; the firewall recognizes the mark and lets the packet through. Note that UDP-encapsulated ESP (NAT-T, UDP port 4500) is not matched by -p esp, so if NAT-T clients must reach the tunnel the same mark has to be placed on that traffic as well. These rules cannot be generated from fwbuilder. Instead the fwbuilder source firewall.fwb contains comments that function as markers, and the script below replaces these markers with iptables rules.
  - When a client pings the server over an IPsec tunnel, the generated ICMP reply (for a reason this HOWTO does not explain) passes through netfilter in the INVALID state. Allow packets in this state to leave through the OUTPUT chain. This is a blanket exception for all locally generated packets in the INVALID state, not only ICMP echo replies; the INPUT and FORWARD chains are not changed.
The script below modifies the firewall.fw file to make these changes.
# Rules spliced in at the fwbuilder marker comments; eth1 is the WAN interface.
MARK_IPSEC="\$IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 15"
ALLOW_MARKED="\$IPTABLES -A INPUT -i eth1 -m mark --mark 15 -j ACCEPT"
# Four sed commands: busybox ip "ls" -> "show", the two marker replacements,
# and adding INVALID to the state match of the OUTPUT rules only.
sed "s, ls , show ,g
/^# @MARK_IPSEC/s,.*,$MARK_IPSEC,
/^# @ALLOW_MARKED/s,.*,$ALLOW_MARKED,
/^\$IPTABLES -A OUTPUT/s;ESTABLISHED,RELATED;ESTABLISHED,RELATED,INVALID;g" \
    < firewall.fw > "$ROOTFS_DIR/etc/init.d/firewall"
chmod 755 "$ROOTFS_DIR/etc/init.d/firewall"
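sed silently does nothing when a marker comment is missing or spelled differently, and the resulting script would then boot the device without the ESP mark rules. As an added example (not from the HOWTO), the following script applies the same three changes, each narrowed to the lines it belongs to, and then checks the output before it is installed. The marker names and the mark value 15 follow the HOWTO; the sample firewall.fw used as input is a constructed stand-in, not real fwbuilder output.

```shell
#!/bin/sh
# Added example, not from the HOWTO: post-process a fwbuilder-generated
# firewall.fw as described above and verify the result before installing it.
# Marker names and mark value 15 follow the HOWTO; the sample input is constructed.
WAN_IF=eth1
MARK_IPSEC="\$IPTABLES -t mangle -A PREROUTING -i $WAN_IF -p esp -j MARK --set-mark 15"
ALLOW_MARKED="\$IPTABLES -A INPUT -i $WAN_IF -m mark --mark 15 -j ACCEPT"

# patch_fw_script IN OUT: the three edits, each limited to where it applies.
patch_fw_script() {
    sed -E \
        -e 's/ (addr|link|route) ls( |$)/ \1 show\2/g' \
        -e "s,^# @MARK_IPSEC.*,$MARK_IPSEC," \
        -e "s,^# @ALLOW_MARKED.*,$ALLOW_MARKED," \
        -e '/^\$IPTABLES -A OUTPUT /s/ESTABLISHED,RELATED/&,INVALID/' \
        "$1" > "$2"
}

# check_fw_script FILE: fail loudly if any of the three edits did not take.
check_fw_script() {
    f=$1
    if grep -Eq '^# @(MARK_IPSEC|ALLOW_MARKED)' "$f"; then
        echo "$f: marker comment left unreplaced" >&2; return 1
    fi
    grep -qF -- "$MARK_IPSEC" "$f" || { echo "$f: ESP mark rule missing" >&2; return 1; }
    grep -qF -- "$ALLOW_MARKED" "$f" || { echo "$f: marked-packet accept rule missing" >&2; return 1; }
    if grep -Eq ' (addr|link|route) ls( |$)' "$f"; then
        echo "$f: 'ip ... ls' is not supported by busybox ip" >&2; return 1
    fi
    grep -q 'ESTABLISHED,RELATED,INVALID' "$f" || { echo "$f: OUTPUT INVALID exception missing" >&2; return 1; }
}

# Constructed stand-in for a fwbuilder-generated firewall.fw.
FW_IN=$(mktemp); FW_OUT=$(mktemp)
trap 'rm -f "$FW_IN" "$FW_OUT"' EXIT
cat > "$FW_IN" <<'EOF'
#!/bin/sh
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
getaddr() { $IP -4 addr ls dev "$1" | grep inet; }
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# @MARK_IPSEC
# @ALLOW_MARKED
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF

patch_fw_script "$FW_IN" "$FW_OUT" && check_fw_script "$FW_OUT" && echo "$FW_OUT passes"
```

In use, replace the constructed sample with the compiled firewall.fw and only copy the output into $ROOTFS_DIR/etc/init.d/firewall when check_fw_script returns 0. Note that the INPUT rule dropping INVALID packets is left untouched; only OUTPUT rules gain the INVALID exception.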
An example firewall script and configuration file: