IPsec tunnel (libreswan 3.20) + iptables rules

Post by anthony.slash.cl » 2017/04/26 22:12:27

Hello community,

I need some help from you with 2 firewalls based on CentOS 7.3.1611 (SELinux enforcing + iptables + IPsec libreswan 3.20).

The scenario is:

172.16.0.0/24----------     192.10.10.0/24     ----------10.0.0.0/24
         eth1|        |eth0                eth0|        |eth1
           .1|        |.110                .120|        |.1
LAN <--------|  fw01  |------------------------|  fw02  |---------LAN
             |        |        INTERNET        |        |
             |        |                        |        |
             ----------                        ----------

Each firewall has the following configuration:

fw01 iptables ruleset:

#!/bin/bash
set -x
## Interfaces
if_wan=ens32
if_lan=ens33
## Networks
red_wan=0/0
red_lan=172.16.0.0/24
## Ports
p_ssh="10022"
p_dns="53"
p_http="80"
p_https="443"
p_ike="500"
p_isakmp="4500"
## Flushing rules and chains
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
## Default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Allow established & related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Local access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Allow ping
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## Input rules (SSH + IPsec)
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport $p_ike -j ACCEPT
iptables -A INPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A INPUT -p tcp --dport $p_ssh -j ACCEPT
## Output rules (Internet + IPsec)
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_ike -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport $p_ssh -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_dns -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_http -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_https -j ACCEPT
## LAN access to Internet
iptables -A FORWARD -i $if_lan -s $red_lan -j ACCEPT
## Masquerading traffic to Internet
iptables -t nat -A POSTROUTING -o $if_wan -j MASQUERADE

fw01 IPsec configuration:

## /etc/ipsec.d/fw01tofw02.conf
conn fw01tofw02
    left=192.10.10.110
    right=192.10.10.120
    authby=secret
    type=tunnel

conn LANtofw02
    also=fw01tofw02
    leftsubnet=172.16.0.0/24
    leftsourceip=172.16.0.1
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.1
    auto=start

## /etc/ipsec.secrets
192.10.10.110 192.10.10.120 : PSK "F1r3w4ll"

## /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens32.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv6.conf.all.disable_ipv6 = 1

fw02 iptables ruleset:

#!/bin/bash
set -x
## Interfaces
if_wan=ens32
if_lan=ens33
## Networks
red_wan=0/0
red_lan=10.0.0.0/24
## Ports
p_ssh="10022"
p_dns="53"
p_http="80"
p_https="443"
p_ike="500"
p_isakmp="4500"
## Flushing rules and chains
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
## Default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
## Allow established & related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Local access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Allow ping
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## Input rules (SSH + IPsec)
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport $p_ike -j ACCEPT
iptables -A INPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A INPUT -p tcp --dport $p_ssh -j ACCEPT
## Output rules (Internet + IPsec)
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_ike -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_isakmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport $p_ssh -j ACCEPT
iptables -A OUTPUT -p udp --dport $p_dns -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_http -j ACCEPT
iptables -A OUTPUT -o $if_wan -p tcp --dport $p_https -j ACCEPT
## LAN access to Internet
iptables -A FORWARD -i $if_lan -s $red_lan -j ACCEPT
## Masquerading traffic to Internet
iptables -t nat -A POSTROUTING -o $if_wan -j MASQUERADE

fw02 IPsec configuration:

## /etc/ipsec.d/fw02tofw01.conf
conn fw02tofw01
    left=192.10.10.120
    right=192.10.10.110
    authby=secret
    type=tunnel

conn LANtofw01
    also=fw02tofw01
    leftsubnet=10.0.0.0/24
    leftsourceip=10.0.0.1
    rightsubnet=172.16.0.0/24
    rightsourceip=172.16.0.1
    auto=start

## /etc/ipsec.secrets
192.10.10.120 192.10.10.110 : PSK "F1r3w4ll"

## /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.ens32.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv6.conf.all.disable_ipv6 = 1

The tunnel comes up on every start of the IPsec service (OK).
Every machine in each LAN can access the Internet (OK).

The problem begins when machines on one LAN want to connect to the other LAN (they cannot reach the other network).
If I stop the iptables service, the traffic through the IPsec tunnel is successful, but then there is no Internet access.

I need to know what the iptables ruleset should be to get everything working.

Thanks in advance.

Re: IPsec tunnel (libreswan 3.20) + iptables rules

Post by anthony.slash.cl » 2017/04/27 16:58:34

Hello community,

Finally, I solved the problem.

The key is not to masquerade the traffic destined for the other LAN, and to create the necessary FORWARD rules to allow traffic between the LANs.

fw01 iptables

iptables -A FORWARD -s 172.16.0.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/24 -d 172.16.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o $if_wan ! -d 10.0.0.0/24 -j MASQUERADE

fw02 iptables

iptables -A FORWARD -s 10.0.0.0/24 -d 172.16.0.0/24 -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o $if_wan ! -d 172.16.0.0/24 -j MASQUERADE

Just that...!!!

Thanks anyway to all...
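As an added illustration (not part of the original thread), the following Python models fw01's FORWARD and POSTROUTING chains as first posted and as fixed in the follow-up, then evaluates a new connection in each direction. It shows why the original ruleset fails both ways: the outbound LAN-to-LAN packet is masqueraded on ens32, so its source address no longer matches the leftsubnet/rightsubnet IPsec policy, and the inbound packet is dropped because it arrives decrypted on ens32 rather than on ens33. The rule encoding, chain policies and sample hosts are assumptions constructed from the post.

```python
import ipaddress

# Toy evaluator for the two chains that decide the LAN-to-LAN path on fw01:
# filter/FORWARD (policy DROP) and nat/POSTROUTING. A rule is a dict of match
# criteria plus a target; an absent criterion matches anything.
def matches(rule, pkt):
    for key in ("in_if", "out_if", "proto"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    for key in ("src", "dst"):
        if key in rule and pkt[key] not in ipaddress.ip_network(rule[key]):
            return False
    if "not_dst" in rule and pkt["dst"] in ipaddress.ip_network(rule["not_dst"]):
        return False  # models the "! -d" negation
    return True

def walk(chain, pkt, policy):
    """First matching rule wins, as in iptables; otherwise the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def evaluate(ruleset, pkt):
    """(FORWARD verdict, POSTROUTING target); a dropped packet never reaches NAT."""
    fwd = walk(ruleset["FORWARD"], pkt, "DROP")
    return fwd, (walk(ruleset["POSTROUTING"], pkt, "ACCEPT") if fwd == "ACCEPT" else None)

def packet(src, dst, in_if, out_if, proto="tcp", state="NEW"):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "in_if": in_if, "out_if": out_if, "proto": proto, "state": state}

LAN_A, LAN_B, WAN, LAN_IF = "172.16.0.0/24", "10.0.0.0/24", "ens32", "ens33"
# fw01 as first posted (constructed from the post): only traffic entering from
# ens33 is forwarded, and everything leaving ens32 is masqueraded.
ORIGINAL = {"FORWARD": [{"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
                        {"proto": "icmp", "target": "ACCEPT"},
                        {"in_if": LAN_IF, "src": LAN_A, "target": "ACCEPT"}],
            "POSTROUTING": [{"out_if": WAN, "target": "MASQUERADE"}]}
# fw01 as fixed in the follow-up: both LAN-to-LAN directions are forwarded and the
# remote LAN is excluded from MASQUERADE, so the inner source stays in 172.16.0.0/24.
FIXED = {"FORWARD": ORIGINAL["FORWARD"] + [{"src": LAN_A, "dst": LAN_B, "target": "ACCEPT"},
                                           {"src": LAN_B, "dst": LAN_A, "target": "ACCEPT"}],
         "POSTROUTING": [{"out_if": WAN, "not_dst": LAN_B, "target": "MASQUERADE"}]}
# A new TCP flow from LAN A into the tunnel, and one arriving decrypted on ens32.
OUTBOUND = packet("172.16.0.10", "10.0.0.10", LAN_IF, WAN)
INBOUND = packet("10.0.0.10", "172.16.0.10", WAN, LAN_IF)
```

Run `evaluate(ORIGINAL, OUTBOUND)` and `evaluate(FIXED, INBOUND)` to compare the two rulesets; a POSTROUTING result of "ACCEPT" means the packet leaves with its original source address.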
