I need some help from you with 2 firewalls based on CentOS 7.3.1611 (SELinux enforcing + iptables + IPsec libreswan 3.20).
The scenario is:
Code: Select all
172.16.0.0/24---------- 192.10.10.0/24 ----------10.0.0.0/24
eth1| |eth0 eth0| |eth1
.1| |.110 .120| |.1
LAN <--------| fw01 |------------------------| fw02 |---------LAN
| | INTERNET | |
| | | |
---------- ----------
fw01 iptables ruleset:
Code: Select all
#!/bin/bash
set -x
## Interfaces
if_wan=ens32
if_lan=ens33
## Networks
red_wan=0/0
red_lan=172.16.0.0/24
## Ports
p_ssh="10022"
p_dns="53"
p_http="80"
p_https="443"
p_ike="500"
p_isakmp="4500"
## Flusing rules and chains
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
## Default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Allow established & related conections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Local access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Allow ping
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## Input rules (SSH + IPsec)
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport $p_ike -j ACCEPT
iptables -A INPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A INPUT -p tcp --dport $p_ssh -j ACCEPT
## Output rules (Internet + IPsec)
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_ike -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport $p_ssh -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_dns -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_http -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_https -j ACCEPT
## LAN access to Internet
iptables -A FORWARD -i $if_lan -s $red_lan -j ACCEPT
## Masquerading traffic to Internet
iptables -t nat -A POSTROUTING -o $if_wan -j MASQUERADE
Code: Select all
## /etc/ipsec.d/fw01tofw02.conf
conn fw01tofw02
left=192.10.10.110
right=192.10.10.120
authby=secret
type=tunnel
conn LANtofw02
also=fw01tofw02
leftsubnet=172.16.0.0/24
leftsourceip=172.16.0.1
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.1
auto=start
## /etc/ipsec.secrets
192.10.10.110 192.10.10.120 : PSK "F1r3w4ll"
## /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens32.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv6.conf.all.disable_ipv6 = 1
Code: Select all
#!/bin/bash
set -x
## Interfaces
if_wan=ens32
if_lan=ens33
## Networks
red_wan=0/0
red_lan=10.0.0.0/24
## Ports
p_ssh="10022"
p_dns="53"
p_http="80"
p_https="443"
p_ike="500"
p_isakmp="4500"
## Flusing rules and chains
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
## Default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Allow established & related conections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Local access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Allow ping
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## Input rules (SSH + IPsec)
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport $p_ike -j ACCEPT
iptables -A INPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A INPUT -p tcp --dport $p_ssh -j ACCEPT
## Output rules (Internet + IPsec)
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_ike -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport $p_ssh -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_dns -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_http -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_https -j ACCEPT
## LAN access to Internet
iptables -A FORWARD -i $if_lan -s $red_lan -j ACCEPT
## Masquerading traffic to Internet
iptables -t nat -A POSTROUTING -o $if_wan -j MASQUERADE
Code: Select all
## /etc/ipsec.d/fw02tofw01.conf
conn fw02tofw01
left=192.10.10.120
right=192.10.10.110
authby=secret
type=tunnel
conn LANtofw01
also=fw02tofw01
leftsubnet=10.0.0.0/24
leftsourceip=10.0.0.1
rightsubnet=172.16.0.0/24
rightsourceip=172.16.0.1
auto=start
## /etc/ipsec.secrets
192.10.10.120 192.10.10.110 : PSK "F1r3w4ll"
## /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens32.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv6.conf.all.disable_ipv6 = 1
Every machine in each LAN access to Internet (OK).
The problem begins when the machines on the LAN want to connect to the other LAN (it can not connect to the other network).
If I stop the iptables service the traffic through the IPsec tunnel is successful, but there is no Internet access.
I need to know what the iptables rule set is to get everything working.
Thanks in advance.