Mailinglist Archive: opensuse-security (88 mails)

Re: [suse-security] VPN and SuSEfirewall2
  • From: Jonathan Baxter <jbaxter@xxxxxxxxxxxxx>
  • Date: Fri, 28 Apr 2006 10:03:16 +0930
  • Message-id: <200604281003.16448.jbaxter@xxxxxxxxxxxxx>
> Does it work with ipsec flag if you change
>
> IPSEC_MATCH="-m policy --dir in --pol ipsec --proto esp"
>
> to
>
> IPSEC_MATCH="-m policy --pol ipsec --proto esp"
>
> in /sbin/SuSEfirewall2?

/sbin/SuSEfirewall2 barfs with that change:

SuSEfirewall2: batch committing...
iptables-batch v1.3.3: policy match: neither --in nor --out specified
Try `iptables-batch -h' or 'iptables-batch --help' for more information.

Looks like you have to specify a direction. So I added two new variables
to /sbin/SuSEfirewall2:

IPSEC_INPUT_MATCH="-m policy --dir in --pol ipsec --proto esp"
IPSEC_OUTPUT_MATCH="-m policy --dir out --pol ipsec --proto esp"

and then used IPSEC_INPUT_MATCH in place of IPSEC_MATCH for the input chain,
and added IPSEC_OUTPUT_MATCH to the forward chain.

So the "allow_ipsec()" function becomes:

allow_ipsec()
{
    if [ -n "$ipsec_chain" ]; then
        $IPTABLES -A INPUT -j "input_$ipsec_chain" $IPSEC_INPUT_MATCH
        $IPTABLES -A FORWARD -j "forward_$ipsec_chain" $IPSEC_INPUT_MATCH
        $IPTABLES -A FORWARD -j "forward_$ipsec_chain" $IPSEC_OUTPUT_MATCH
    fi
}

and the forwarding_rules() function becomes:

forwarding_rules()
{
    local nets net1 net2 flags more_args_in more_args_out chain
    for nets in $FW_FORWARD; do
        # each FW_FORWARD entry is "net1,net2,proto,port,flags"
        IFS=, eval set -- \$nets

        net1="$1"
        net2="$2"
        proto="$3"
        port="$4"
        flags="$5"
        rport=""
        more_args_in=
        more_args_out=

        case "$flags" in
        "") ;;
        ipsec)
            # one policy match per direction; iptables refuses a match without --dir
            more_args_in="$IPSEC_INPUT_MATCH"
            more_args_out="$IPSEC_OUTPUT_MATCH"
            ;;
        *)
            echo "Error: unsupported flag in FW_FORWARD: $flags"
            net1=""
            ;;
        esac

        if [ -n "$proto" ] && ! check_proto_port "$proto" "$port" '' "FW_FORWARD"; then
            continue
        fi

        if [ -n "$net1" -a -n "$net2" ]; then
            for chain in $forward_zones; do
                chain=forward_$chain
                # every rule is emitted twice, once for the inbound and once for the outbound policy match
                $LAC $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " \
                    -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_in
                $LAC $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " \
                    -s $net1 -d $net2 $proto $port -m state --state NEW $more_args_out
                $LAA $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " \
                    -s $net1 -d $net2 $proto $port $more_args_in
                $LAA $IPTABLES -A $chain -j LOG ${LOG}"-`rulelog $chain`-ACC-FORW " \
                    -s $net1 -d $net2 $proto $port $more_args_out
                $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED \
                    -s $net1 -d $net2 $proto $port $more_args_in
                $IPTABLES -A $chain -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED \
                    -s $net1 -d $net2 $proto $port $more_args_out
                $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED \
                    -s $net2 -d $net1 $proto $rport $more_args_in
                $IPTABLES -A $chain -j "$ACCEPT" -m state --state ESTABLISHED,RELATED \
                    -s $net2 -d $net1 $proto $rport $more_args_out
            done
        else
            error "too few parameters in FW_FORWARD -> $nets"
        fi
    done
}

(there's almost certainly a better way to do this, but this was the quickest
way for me to hack /sbin/SuSEfirewall2 as-is).

Anyway, with those changes the router/firewall box will forward through the
tunnel in both directions, with the ipsec flag set in FW_FORWARD.

Thanks again for all your help. I can send you my ugly hacked SuSEfirewall2
script if you want it :)

Cheers,

Jonathan
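The per-direction pairing of the xfrm policy match described in the post, as an added stand-alone example (not the SuSEfirewall2 code or Jonathan's script): it generates the FORWARD rules for one FW_FORWARD entry, emitting each rule once with `--dir in` and once with `--dir out`, and refuses a policy match that names no direction, which iptables rejects as shown above. Chain names, the simplified proto/port handling and the fact that rules are printed rather than loaded are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: rule generation for one FW_FORWARD
# entry "net1,net2,proto,port,flags" with a policy match per direction.
# Rules are only printed; chain names and proto/port handling are simplified.

IPSEC_INPUT_MATCH="-m policy --dir in --pol ipsec --proto esp"
IPSEC_OUTPUT_MATCH="-m policy --dir out --pol ipsec --proto esp"

# Succeed only if a policy match string carries "--dir in" or "--dir out".
policy_match_has_dir() {
    case " $1 " in
        *" --dir in "* | *" --dir out "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the FORWARD rules for entry $1 into chain $2; returns 1 on a bad entry.
ipsec_forward_rules() {
    entry=$1 chain=$2
    old_ifs=$IFS; IFS=,; set -- $entry; IFS=$old_ifs
    net1=$1 net2=$2 proto=$3 port=$4 flags=$5
    if [ -z "$net1" ] || [ -z "$net2" ]; then
        echo "too few parameters in FW_FORWARD -> $entry" >&2; return 1
    fi
    pp="${proto:+-p $proto}${port:+ --dport $port}"   # simplified proto/port
    case $flags in
        "")    set -- "" ;;                            # no policy match at all
        ipsec) for m in "$IPSEC_INPUT_MATCH" "$IPSEC_OUTPUT_MATCH"; do
                   policy_match_has_dir "$m" || { echo "policy match needs --dir: $m" >&2; return 1; }
               done
               set -- "$IPSEC_INPUT_MATCH" "$IPSEC_OUTPUT_MATCH" ;;
        *)     echo "unsupported flag in FW_FORWARD: $flags" >&2; return 1 ;;
    esac
    # one forward and one reply rule per policy-match direction
    for m in "$@"; do
        printf '%s\n' "iptables -A $chain -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $pp $m"
        printf '%s\n' "iptables -A $chain -j ACCEPT -m state --state ESTABLISHED,RELATED -s $net2 -d $net1 ${proto:+-p $proto} $m"
    done
}

# constructed sample entry: ssh from 10.0.1.0/24 to 10.0.2.0/24 through the tunnel
ipsec_forward_rules "10.0.1.0/24,10.0.2.0/24,tcp,22,ipsec" forward_ext
```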
