Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[Solved!] UMA, IPSec Tunnels, and IPTables no worky...
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
eulogious
n00b
n00b


Joined: 18 Feb 2008
Posts: 35

PostPosted: Mon Jan 17, 2011 7:35 am    Post subject: [Solved!] UMA, IPSec Tunnels, and IPTables no worky... Reply with quote

Edit 1-24-11: Solved it, it was t-mobile's problem, but this post is still wrong. See my post towards the end of this thread for the answer.

Hello all,

So after beating my head up a against the wall trying to figure out how to get my wifes blackberry to connect up and use my internet to make calls (UMA) and what not, I finally figured it out.

A little background. I have a gentoo box that is running as my firewall/qos box, and I need to add some rules to get UMA (IPSec passthrough) to work, since t-mobiles cell service sucks at my house. Here's a good article on UMA:

http://www.eetimes.com/design/signal-processing-dsp/4016283/UMA-Demystified-Inside-UMA-enabled-dual-mode-handsets

So after trying several different rules, and spending a ton of time researching, I was able to get it working by adding 6 lines of code and modifying one existing one :lol: Gotta keep it simple sometimes :roll:

Here's the lines I added to the top of my firewall script to make UMA work:

Code:

IPTABLES -A INPUT -p esp -j ACCEPT
IPTABLES -A INPUT -p ah -j ACCEPT
IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
IPTABLES -A INPUT -p udp --dport 4500 -j ACCEPT
IPTABLES -t nat -I POSTROUTING 1 -p esp -j ACCEPT
IPTABLES -t nat -I POSTROUTING 1 -p ah -j ACCEPT


And then I also changed my masquerading line as well:
Code:

$IPTABLES -t nat -A POSTROUTING ! -p esp -o $EXTIF -j MASQUERADE


And I quote from the somewhere on the net:
Quote:

IPSEC will go through iptables twice. First for the IPSEC encoded packets and finally the decoded packets. You don't want to run the decoded packets through the POSTROUTING NAT a second time. So "! -p esp" becomes your friend here.


So that explains that line, and it makes sense. Don't know if it's needed, but I have it in and everything is working great.

Basically UMA (IPSec) needs to have UDP port 500 and 4500, and PROTOCOL esp(50) and ah(51) (unspecified ports, leave all the ports that use these protocols open) open on the firewall inorder to setup the IPSec tunnel that is needed, AND they need to be left untouched (well, thanks to nat transversal they appear to be untouched anyways. The packet is wrapped in a UDP wrapper so that the router can keep track of it inside the nat'ed network). So in theory this should work for any computer that is trying to create an IPSec tunnel from inside my network to the internet, but again, I have nothing other than the phone running IPSec, so I can't test that assumption out.

And with that the blackberry was able to setup the IPSec tunnel, and everything just started working :D I was stoked. Took me several hours, but I got it done on my own! I think these rules will probably work with any IPSec tunnel, but I am not sure, since UMA is the only IPSec thing I have right now.

This works on my gentoo box that is my router for my network at home. So this allows the IPSec tunnel to be created and not touched. I also had to enable every IPSec option in the kernel, so after several re-compiles I was able to get it as well. I know that was some of my problem early on as well.

The other thing that I needed was to emerge ipsec-tools. Once I did that I was able to learn what IPSec tunnels my computer was capable off. Luckily at the beginning of the ebuild it will tell you what type of tunnels will be allowed. This is where I figured out that I did not have everything enabled in the kernel. So after doing a couple kernal compiles, I got it to say that "only unencrypted tunnels will not be allowed", which I don't care about because an unencrypted tunnel would be pointless with IPSec :lol: This was much better than the 8 other tunnels I had before. So make sure to install ipsec-tools, and watch the beginning of the ebuild to see what tunnels will be allowed.

The main thing that I was doing wrong besides not having the right kernel options, was DNAT'ing. I was trying to forward the ports to my wife's blackberry, and by doing that, you break the IPSec tunnel because you mess with the packets. Thanks to nat transversal (installed with ipsec-tools), the IPSec packets aren't touched, and that allows devices behind a firewall to setup and maintain an IPSec tunnel. So after removing all my forward rules, and just keeping it super simple, UMA started working, and then it all made sense. All I had to do was tell the computer to basically allow those packets to come and go untouched, and that is it. As soon as I DNAT'ed anything, it was all over with. So make sure you are NOT touching the IPSec packets, and you should be good to go.

I should also mentioned that this works fine with my QOS script as well, so with QOS and my firewall running UMA still works great!

I just wanted to post this because I was beating my head up against the wall for several hours trying to figure this out, so maybe this will help someone else out! Oh, and if I am wrong on something, please correct me, I am still trying to learn all this stuff!


Last edited by eulogious on Mon Jan 24, 2011 11:34 pm; edited 4 times in total
Back to top
View user's profile Send private message
eulogious
n00b
n00b


Joined: 18 Feb 2008
Posts: 35

PostPosted: Wed Jan 19, 2011 5:22 pm    Post subject: Reply with quote

Alrighty,

So after going through and trying to lock down my system a little bit more, now UMA doesn't work again. Even when I revert back to my previously working firewall ruleset. So I think I didn't have something correctly to begin with.

Here's a diagram of my setup and what I what to accomplish:

Blackberry on Internal LAN w/Private IP ------> Gentoo NAT Firewall (IPSec Passthrough) ------> T-Mobile's UMA Server (IPSec)

So all my firewall needs to do is pass the packets from the blackberry with a private IP address, to T-Mobile's public UMA server so that the BB and T-mo can setup an IPSec tunnel. Seems simple enough :roll:

Ok, so here's my firewall script:

Code:

#! /sbin/runscript

depend() {
        need net
}

start() {
        ebegin "Starting Firewall v2.0"
#
# 1.0 Created on 6-7-07 by eulogious with help from many in the gentoo forums!
# 1.1 Hardened Policies 1-30-08
# 1.2 Fixed Server Web Browsing Issue, Hardened Policies 1-31-08
# 1.3 Fixed Port Forwarding Issues 2-8-08
# 1.4 Updated for Watchdog2, made into an init script, corrected SSH forwarding issues 2-21-08
# 1.5 Added Squid Transparent Proxy 2-29-08
# 1.6 Took out stopping and clearing the mangle tables when stopping firewall.  Messes with QoS 3-6-08
# 1.7 Fixed shutting down issues.  Stops indepedantly without messing with QoS at all 3-7-08
# 1.8 Added port forwarding to talisman for SSL 7-19-08
# 1.9 Opened port 25 for SMTP so that watchdog2 can be a SMTP gateway 9-10-08
# 2.0 Opened up IPSec for UMA, cleand up a little bit, and did some house work 1-16-11
#
# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#

SQUID_SERVER="192.168.2.12"
SQUID_PORT="3128"

EXTIF="eth0"
INTIF="eth1"
LOCALNETWORK="192.168.2.0/24"
PUBLICPORTS="1024:65535"
echo "External Interface:  $EXTIF"
echo "Internal Interface:  $INTIF"

EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo "External IP:  $EXTIP"

#Enabling Dynamic Addressing
echo "Enabling DynamicAddr..."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Setting it all up
echo "Clearing any existing rules and setting default policy..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -X

#Allow all internal network traffic, and allow it to be forwarded
echo "Allowing Local Connections..."
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT

#Allows all connections out, but only a few good ones back in
echo "Allowing all connections out and only existing and related ones in..."
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

#Allow IPSec tunnels, setup for BB and UMA.  Remember the KISS principal here :)
echo "Allowing IPSec Connections..."
$IPTABLES -A INPUT -p udp -s 192.168.2.0/24 -d $EXTIP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.168.2.0/24 -d $EXTIP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p esp -s 192.168.2.0/24 -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -p ah -s 192.168.2.0/24 -d $EXTIP -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s $EXTIP -d 192.168.2.0/24 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s $EXTIP -d 192.168.2.0/24 --dport 4500 -j ACCEPT
$IPTABLES -A OUTPUT -p esp -s $EXTIP -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -p ah -s $EXTIP -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -t nat -I POSTROUTING 1 -p 50 -j ACCEPT

#Allow pptpd connections (port 1723)
echo "Allowing PPTP(VPN) Connections..."
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

#Opening ports on Watchdog
echo "Enabling SSH on port 2222 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

echo "Enabling HTTP on port 80 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

echo "Enabling SMTP on port 25 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

#Forwarding other ports to computers on the internal LAN
echo "Forwading SSH To Buckfutter..."
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.2.2
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT

echo "Forwarding Bittorent Port 8888 to 192.168.2.2..."
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8888 -j DNAT --to 192.168.2.2
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 8888 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 8888 -j DNAT --to 192.168.2.2
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d 192.168.2.2 --dport 8888 -j ACCEPT

#Allowing DNS
echo "Allowing DNS..."
$IPTABLES -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $EXTIP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s $EXTIP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 --sport 53 -d $EXTIP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s $EXTIP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

#Transparent Squid Proxy/Web Accelerator
echo "Enabling Transparent Proxy..."
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

#Here we define a new chain which is going to handle
#packets we don't want to respond to
#limit the amount of logs to 10/min
$IPTABLES -N Firewall
$IPTABLES -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "
$IPTABLES -A Firewall -j DROP

#log those packets and inform the sender that the packet was rejected
$IPTABLES -N Rejectwall
$IPTABLES -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "
$IPTABLES -A Rejectwall -j REJECT

#here we create a chain to deal with unlegitimate packets
#and limit the number of alerts to 10/min
#packets will be drop without informing the sender
$IPTABLES -N Badflags
$IPTABLES -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "
$IPTABLES -A Badflags -j DROP

#A list of well known combination of Bad TCP flags
#we redirect those to the Badflags chain
#which is going to handle them (log and drop)
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

#Accept certain icmp message, drop the others
#and log them through the Firewall chain
echo "Allowing some ICMP requests, but not all..."
# 0 => echo reply
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 => Echo
#avoid ping flood
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j Firewall

#Drop netbios from the outside, no log, just drop
echo "Dropping netbios from the outside..."
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

#Actually allowing the "internet" to work and making sure IPSec packets don't get touched
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF..."
$IPTABLES -t nat -A POSTROUTING ! -p 50 -o $EXTIF -j SNAT --to $EXTIP
#$IPTABLES -t nat -A POSTROUTING ! -p 50 -o $EXTIF -j MASQUERADE
#$IPTABLES -A FORWARD -i $EXTIF -j ACCEPT

# Dropping Everything Else
echo "Blocking Everything Else And Logging It..."
$IPTABLES -A INPUT -j Rejectwall

#Some extra things that need to be taken care of
echo "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "Changing TCP Keepalive to 25 min..."
echo "1500" > /proc/sys/net/ipv4/tcp_keepalive_time

echo "Successfully Started Firewall v2.0 On Watchdog2"
eend $?
}

stop() {
        ebegin "Stopping Firewall v2.0"
IPTABLES=/sbin/iptables
   
   $IPTABLES -P INPUT ACCEPT
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD ACCEPT

   $IPTABLES -F
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD
   $IPTABLES -F -t nat
   $IPTABLES -X
        eend $?
}


Here is the snipet of the code I changed from what I posted in my first post:

Code:

$IPTABLES -A INPUT -p udp -s 192.168.2.0/24 -d $EXTIP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.168.2.0/24 -d $EXTIP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p esp -s 192.168.2.0/24 -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -p ah -s 192.168.2.0/24 -d $EXTIP -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s $EXTIP -d 192.168.2.0/24 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s $EXTIP -d 192.168.2.0/24 --dport 4500 -j ACCEPT
$IPTABLES -A OUTPUT -p esp -s $EXTIP -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -p ah -s $EXTIP -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -t nat -I POSTROUTING 1 -p 50 -j ACCEPT


and:

Code:

$IPTABLES -t nat -A POSTROUTING ! -p 50 -o $EXTIF -j SNAT --to $EXTIP


I changed to using the SNAT rule instead of MASQUERADE because my remote connection seemed to "hiccup" every few minuets where my screen freezes up for about 5 seconds and then starts working ok when using MASQUERADE, but after switching over the to SNAT rule, hasn't happened since. I figured since I am getting my IP address anyways and using it for some of my rules, the benefits of using MASQUERADE where negated, so I just used the "permanant" SNAT instead. No more hiccuping since :D

I also moved some rules around and what not, but that was all below the IPSec stuff, so it should not matter.

What I am doing wrong here? Do I need to forward port 500 to the BB? That's the only thing I can think that I am missing, is some sort of port forwarding, but that doesn't explain why it worked perfect for a day... I am just confused :?

Here are some links to the sites I have used while trying to figure all of this out:

http://ipsec-tools.sourceforge.net/checklist.html

http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO-3.html

http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

I think that I have the right idea, I must just be missing something, so any help would be awesome! Thanks!
Back to top
View user's profile Send private message
eulogious
n00b
n00b


Joined: 18 Feb 2008
Posts: 35

PostPosted: Sat Jan 22, 2011 6:24 pm    Post subject: Reply with quote

So it's been a few days, and no one can help me out here? Nobody has tried this before? I have a hard time believing that no one has done any sort of IPSec pass through with IPTables :?

Conformation that I am at least on the right track is really all I want. I don't want someone else to write the rules for me, I just don't know if I am anywhere close to where I should be, so ANY help would be nice!

Here's my "new" iptables script, I have tweaked things a little bit more, and now I can see the tunnel established, but then it drops, and I get errors on the phone :( But it's progress!

Code:

#! /sbin/runscript

depend() {
        need net
}

start() {
        ebegin "Starting Firewall v2.0"
#
# 1.0 Created on 6-7-07 by eulogious with help from many in the gentoo forums!
# 1.1 Hardened Policies 1-30-08
# 1.2 Fixed Server Web Browsing Issue, Hardened Policies 1-31-08
# 1.3 Fixed Port Forwarding Issues 2-8-08
# 1.4 Updated for Watchdog2, made into an init script, corrected SSH forwarding issues 2-21-08
# 1.5 Added Squid Transparent Proxy 2-29-08
# 1.6 Took out stopping and clearing the mangle tables when stopping firewall.  Messes with QoS 3-6-08
# 1.7 Fixed shutting down issues.  Stops indepedantly without messing with QoS at all 3-7-08
# 1.8 Added port forwarding to talisman for SSL 7-19-08
# 1.9 Opened port 25 for SMTP so that watchdog2 can be a SMTP gateway 9-10-08
# 2.0 Opened up IPSec for UMA, cleand up a little bit, and did some house work 1-16-11
#
# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#

SQUID_SERVER="192.168.2.12"
SQUID_PORT="3128"

EXTIF="eth0"
INTIF="eth1"
LOCALNET="192.168.2.0/24"
PUBLICPORTS="1024:65535"
echo "External Interface:  $EXTIF"
echo "Internal Interface:  $INTIF"

EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
echo "External IP:  $EXTIP"

#Setting it all up
echo "Enabling DynamicAddr..."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "Clearing any existing rules and setting default policy..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -X

#Here we define a new chain which is going to handle packets we don't want to respond to
#and limit the amount of logs to 10/min
$IPTABLES -N Firewall
$IPTABLES -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "
$IPTABLES -A Firewall -j DROP

#log those packets and inform the sender that the packet was rejected
$IPTABLES -N Rejectwall
$IPTABLES -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "
$IPTABLES -A Rejectwall -j REJECT

#here we create a chain to deal with unlegitimate packets and limit the number of alerts to 10/min
#packets will be drop without informing the sender
$IPTABLES -N Badflags
$IPTABLES -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "
$IPTABLES -A Badflags -j DROP

#Allow all internal network traffic, and allow it to be forwarded
echo "Allowing Local Connections..."
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -s $LOCALNET -d $LOCALNET -j ACCEPT
$IPTABLES -A OUTPUT -s $LOCALNET -d $LOCALNET -j ACCEPT
$IPTABLES -A FORWARD -s $LOCALNET -d $LOCALNET -j ACCEPT

#Allow IPSec tunnels, setup for Tiffy's BB and UMA.
echo "Allowing IPSec Connections..."
$IPTABLES -A INPUT -p esp -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A INPUT -p ah -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -m udp -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -m udp -p udp --dport 4500 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED --dport 500 -j ACCEPT      
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p ah -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED   --dport 4500 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -t nat -I POSTROUTING 1 -p esp -j ACCEPT
$IPTABLES -t nat -I POSTROUTING 2 -p ah -j ACCEPT

#Allow pptpd connections (port 1723)
echo "Allowing PPTP(VPN) Connections..."
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

#Opening ports on Watchdog
echo "Enabling SSH on port 2222 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

echo "Enabling HTTP on port 80 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

echo "Enabling SMTP on port 25 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

echo "Enabling DNS for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED -m udp -p udp --dport 53 -j ACCEPT

#Forwarding other ports to computers on the internal LAN
echo "Forwading SSH To Buckfutter..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.2.2

echo "Forwarding Bittorent Port 8888 to 192.168.2.2..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 8888 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8888 -j DNAT --to 192.168.2.2
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d 192.168.2.2 --dport 8888 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 8888 -j DNAT --to 192.168.2.2

#Transparent Squid Proxy/Web Accelerator
echo "Enabling Transparent Proxy..."
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

#A list of well known combination of Bad TCP flags
#we redirect those to the Badflags chain
#which is going to handle them (log and drop)
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

#Accept certain icmp message, drop the others
#and log them through the Firewall chain
echo "Allowing some ICMP requests, but not all..."
# 0 => echo reply
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 => Echo
#avoid ping flood
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j Firewall

#Drop netbios from the outside, no log, just drop
echo "Dropping netbios from the outside..."
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

#Allows only a few good ones back in
echo "Allowing only existing and related connections in..."
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

#Actually allowing the "internet" to work and making sure IPSec packets don't get touched
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF..."
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

# Dropping Everything Else
echo "Blocking Everything Else And Logging It..."
$IPTABLES -A INPUT -j Rejectwall

#Extra things that need to be taken care of
echo "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "Changing TCP Keepalive to 25 min..."
echo "1500" > /proc/sys/net/ipv4/tcp_keepalive_time

#Done!
echo "Successfully Started Firewall v2.0 On Watchdog2"
eend $?
}

stop() {
        ebegin "Stopping Firewall v2.0"
IPTABLES=/sbin/iptables
   
   $IPTABLES -P INPUT ACCEPT
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD ACCEPT

   $IPTABLES -F
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD
   $IPTABLES -F -t nat
   $IPTABLES -X
        eend $?
}


ANY pointers, help, comments, etc, would be awesome! Thanks!


Last edited by eulogious on Sat Jan 22, 2011 7:27 pm; edited 2 times in total
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15641

PostPosted: Sat Jan 22, 2011 7:17 pm    Post subject: Reply with quote

eulogious wrote:
So it's been a few days, and no one can help me out here? Nobody has tried this before? I have a hard time believing that no one has done any sort of IPSec pass through with IPTables :?
A great wall of text can discourage readers. I glanced at the subject line and skimmed the first few paragraphs for an obvious question, then moved on when I could not find one. Since no one else has shown an interest, I will try to help you later tonight.
Back to top
View user's profile Send private message
eulogious
n00b
n00b


Joined: 18 Feb 2008
Posts: 35

PostPosted: Sat Jan 22, 2011 7:21 pm    Post subject: Reply with quote

Hu wrote:
eulogious wrote:
So it's been a few days, and no one can help me out here? Nobody has tried this before? I have a hard time believing that no one has done any sort of IPSec pass through with IPTables :?
A great wall of text can discourage readers. I glanced at the subject line and skimmed the first few paragraphs for an obvious question, then moved on when I could not find one. Since no one else has shown an interest, I will try to help you later tonight.


No worries :) I figured it was something like that... Maybe I will update the title a little bit. I didn't want to start a new post when I just posted this... I also try to post as much info as I can get because usually it's asked for at some point, hence all the text I posted up. I got more dumps and other stuff I could post, but then it just gets too messy to post it all :lol:

So just to be clear on my question...

Am I doing IPSec passthrough correctly in my script?

And as a side note, anything I should change in my script for the better? It's works great for me now, but any suggestions would be nice!

I hope that clarifies it a little bit :)

Thanks again!
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15641

PostPosted: Sun Jan 23, 2011 12:12 am    Post subject: Reply with quote

eulogious wrote:
Code:

echo "External Interface:  $EXTIF"
echo "Internal Interface:  $INTIF"
echo "External IP:  $EXTIP"
einfo?
eulogious wrote:
Code:

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
This is redundant. Using a bare -F is sufficient, without listing chain names too.
eulogious wrote:
Code:

$IPTABLES -A FORWARD -i lo -j ACCEPT

Unnecessary.
eulogious wrote:
Code:

$IPTABLES -A INPUT -s $LOCALNET -d $LOCALNET -j ACCEPT
$IPTABLES -A OUTPUT -s $LOCALNET -d $LOCALNET -j ACCEPT
$IPTABLES -A FORWARD -s $LOCALNET -d $LOCALNET -j ACCEPT

This seems redundant in light of the rule handling input/output by $INTIF.
eulogious wrote:
Code:

$IPTABLES -A INPUT -p esp -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A INPUT -p ah -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -m udp -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -m udp -p udp --dport 4500 -j ACCEPT

Does the device establish a VPN connection to your Gentoo machine?
eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED --dport 500 -j ACCEPT      
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p ah -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED   --dport 4500 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT

Why use -m state here?
eulogious wrote:
Code:

$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

You can probably call GRE by name here.
eulogious wrote:
Code:

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Brave man.
eulogious wrote:
Code:

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

Why?
eulogious wrote:
Code:

#A list of well known combination of Bad TCP flags
#we redirect those to the Badflags chain
#which is going to handle them (log and drop)

Why bother?
eulogious wrote:
Code:

#Drop netbios from the outside, no log, just drop
echo "Dropping netbios from the outside..."
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

You should probably prevent NetBIOS from traversing the firewall, too.
eulogious wrote:
Code:

#Allows only a few good ones back in
echo "Allowing only existing and related connections in..."
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

This line is redundant.
eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP

This line will never match for INVALID.
eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

This line is redundant.
eulogious wrote:
Code:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

SNAT is implicit to $EXTIP.
Back to top
View user's profile Send private message
eulogious
n00b
n00b


Joined: 18 Feb 2008
Posts: 35

PostPosted: Sun Jan 23, 2011 12:58 am    Post subject: Reply with quote

Hu wrote:
eulogious wrote:
Code:

echo "External Interface:  $EXTIF"
echo "Internal Interface:  $INTIF"
echo "External IP:  $EXTIP"
einfo?


?? I don't know what you are asking here. This is just informational for me so that I know what variables are being used when the script is run.

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
This is redundant. Using a bare -F is sufficient, without listing chain names too.


Good to know :)

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A FORWARD -i lo -j ACCEPT

Unnecessary.


My noobness is going to show here :oops: , but why is this unnecessary? Am I allowing it by default?

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A INPUT -s $LOCALNET -d $LOCALNET -j ACCEPT
$IPTABLES -A OUTPUT -s $LOCALNET -d $LOCALNET -j ACCEPT
$IPTABLES -A FORWARD -s $LOCALNET -d $LOCALNET -j ACCEPT

This seems redundant in light of the rule handling input/output by $INTIF.


I figured that much when I did that, but I wanted to make sure all my bases were covered.

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A INPUT -p esp -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A INPUT -p ah -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -m udp -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -m udp -p udp --dport 4500 -j ACCEPT

Does the device establish a VPN connection to your Gentoo machine?


No. The device is a phone and it's connecting to T-Mobile's UMA servers located somewhere on the internet, where I do not know, nor do I have any info on them (like key info, IP's, that sort of thing).

Here is a diagram of what I am trying to do:

Blackberry on Internal LAN w/Private IP ------> Gentoo NAT Firewall (IPSec Passthrough) ------> T-Mobile's UMA Server (IPSec)

The Blackberry needs to create an IPSec tunnel through my firewall to T-Mobile's UMA server inorder for UMA to work.

So what am I doing wrong??

I also have EVERY option for IPSec complied into the kernel, along with ipsec-tools installed, so nat-t should be installed and working. Like I said earlier I can establish the tunnel, but it then drops after a couple mins with errors on the phone.

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED --dport 500 -j ACCEPT      
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p ah -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED   --dport 4500 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -d $LOCALNET -m state --state NEW,ESTABLISHED,RELATED,INVALID,UNTRACKED -j ACCEPT

Why use -m state here?


Main reason I did it was that when I do get UMA working, I want to lock it down, so I will remove some of the states. But for testing purposes, I wanted all my bases covered. Same with the input lines above. If there is no need for it, it can come out, I am not hell bent on using -m state or anything.

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A OUTPUT -p 47 -j ACCEPT

You can probably call GRE by name here.


For sure. I have been going back and forth using names and numbers lately...

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Brave man.


I wouldn't say brave... I have been hosting my own website and domain for about 6 years now with no problems running this script and running this same computer. So this is needed :)

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

Why?


I am also hosting my own DNS server on the same box.

Hu wrote:

eulogious wrote:
Code:

#A list of well known combination of Bad TCP flags
#we redirect those to the Badflags chain
#which is going to handle them (log and drop)

Why bother?


Any reason not too? I don't see how it could hurt...

Hu wrote:

eulogious wrote:
Code:

#Drop netbios from the outside, no log, just drop
echo "Dropping netbios from the outside..."
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP

You should probably prevent NetBIOS from traversing the firewall, too.


Ya, very true. I might just remove this line, I don't have any windows computers on my network anyways :lol:

Hu wrote:

eulogious wrote:
Code:

#Allows only a few good ones back in
echo "Allowing only existing and related connections in..."
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

This line is redundant.


What part is redundant? I figured at least denying most new connections would be a good thing, and I don't think I have don't that anywhere else.

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP

This line will never match for INVALID.


?? Noob alert :oops:

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

This line is redundant.


Right again :)

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

SNAT is implicit to $EXTIP.


What do you mean by this? I take it that I don't need the interface then?

So this would work as well:

Code:

$IPTABLES -t nat -A POSTROUTING -j SNAT --to $EXTIP


I think that is what you mean...

Thanks so much for taking the time to go through it and give me some pointers! I really appreciate! So don't take any of my comments above as me being as ass or anything :) I am still trying to learn all this, and the more time I spend with it, the more I get it, but there are still some concepts I am struggling with, so thanks for any help you can give me! :D In fact I think I am going to go through and remove some stuff you mentioned right now!

The big thing that I am concerned with is the IPSec pass through though. I am really struggling with trying to figure it out...
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15641

PostPosted: Sun Jan 23, 2011 6:20 am    Post subject: Reply with quote

eulogious wrote:
?? I don't know what you are asking here. This is just informational for me so that I know what variables are being used when the script is run.
I suggest using einfo instead, as that produces slightly nicer looking output.
eulogious wrote:
My noobness is going to show here :oops: , but why is this unnecessary? Am I allowing it by default?
Traffic only traverses FORWARD if it is not locally originated by or destined to the system. Traffic is only on lo if it is locally generated. These conditions are mutually exclusive.
eulogious wrote:
No. The device is a phone and it's connecting to T-Mobile's UMA servers located somewhere on the internet
Then why are you allowing the phone to send to the VPN-related ports on the Gentoo device? ;)
eulogious wrote:
So what am I doing wrong??
When in doubt, take packet captures of the various flows and see where it gets stuck. Since the IPsec VPN itself is failing, the encryption of the data flowing over the VPN is irrelevant to us. We only want to see the control messages.
eulogious wrote:

Main reason I did it was that when I do get UMA working, I want to lock it down, so I will remove some of the states. But for testing purposes, I wanted all my bases covered. Same with the input lines above. If there is no need for it, it can come out, I am not hell bent on using -m state or anything.
Since you listed every even vaguely likely state, the state match is not useful as written. It might become useful once you trim down the states as you describe.
eulogious wrote:

Any reason not too? I don't see how it could hurt...
It may not hurt, but I do not see any advantage in spending the processing power for it.
eulogious wrote:

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
This line is redundant.

What part is redundant? I figured at least denying most new connections would be a good thing, and I don't think I have don't that anywhere else.
You have an earlier line that allows anything in the FORWARD chain for ESTABLISHED,RELATED without any interface qualifiers, so that preceding rule will capture any traffic that this rule could otherwise match.
eulogious wrote:

Hu wrote:

eulogious wrote:
Code:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP
This line will never match for INVALID.

?? Noob alert :oops:
You have a preceding line which accepts everything not in state NEW. State INVALID is not state NEW.
eulogious wrote:
Hu wrote:

eulogious wrote:
Code:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

SNAT is implicit to $EXTIP.

What do you mean by this? I take it that I don't need the interface then?
If you do not include a --to, SNAT should look up the IP address of the outbound interface and use that.
Back to top
View user's profile Send private message
eulogious
n00b
n00b


Joined: 18 Feb 2008
Posts: 35

PostPosted: Mon Jan 24, 2011 10:27 pm    Post subject: Reply with quote

Hu wrote:
eulogious wrote:
?? I don't know what you are asking here. This is just informational for me so that I know what variables are being used when the script is run.
I suggest using einfo instead, as that produces slightly nicer looking output.


Ahh, thanks! I looked up some info on einfo and figured out how to use it. I do like the output better, thanks for the tip!

Hu wrote:

eulogious wrote:
My noobness is going to show here :oops: , but why is this unnecessary? Am I allowing it by default?
Traffic only traverses FORWARD if it is not locally originated by or destined to the system. Traffic is only on lo if it is locally generated. These conditions are mutually exclusive.


It's statements like this that all of a sudden make it all click. Thanks! I get why it is unnecessary now!

Hu wrote:

eulogious wrote:
No. The device is a phone and it's connecting to T-Mobile's UMA servers located somewhere on the internet
Then why are you allowing the phone to send to the VPN-related ports on the Gentoo device? ;)


Thanks to the statement above, it now makes sense :) I don't need the INPUT statements. I don't have them for my other forward rules, so why should I need them here!

Hu wrote:

eulogious wrote:
So what am I doing wrong??
When in doubt, take packet captures of the various flows and see where it gets stuck. Since the IPsec VPN itself is failing, the encryption of the data flowing over the VPN is irrelevant to us. We only want to see the control messages.


So after installing wireshark, I did just that. I found out that IPSec passthrough is working and I authenticate on the first server, but fail after they hand me off to the security gateway. More on this below :)

Hu wrote:

eulogious wrote:

Main reason I did it was that when I do get UMA working, I want to lock it down, so I will remove some of the states. But for testing purposes, I wanted all my bases covered. Same with the input lines above. If there is no need for it, it can come out, I am not hell bent on using -m state or anything.
Since you listed every even vaguely likely state, the state match is not useful as written. It might become useful once you trim down the states as you describe.


I just took the -m state statements out, they just cluttered up the screen ;)

Hu wrote:

eulogious wrote:

Any reason not too? I don't see how it could hurt...
It may not hurt, but I do not see any advantage in spending the processing power for it.


Well this machine is a P4 1.6Ghz w/1.5gb of RAM, and all it does serve as my firewall, so I gots lots of power to spare :twisted:

Hu wrote:

eulogious wrote:

Hu wrote:

eulogious wrote:
Code:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
This line is redundant.

What part is redundant? I figured at least denying most new connections would be a good thing, and I don't think I have don't that anywhere else.
You have an earlier line that allows anything in the FORWARD chain for ESTABLISHED,RELATED without any interface qualifiers, so that preceding rule will capture any traffic that this rule could otherwise match.


Ahh yes, I see it now. I took care of that :)

Hu wrote:

eulogious wrote:

Hu wrote:

eulogious wrote:
Code:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW,INVALID -j DROP
This line will never match for INVALID.

?? Noob alert :oops:
You have a preceding line which accepts everything not in state NEW. State INVALID is not state NEW.


Right yet again, fixed.

Hu wrote:

eulogious wrote:
Hu wrote:

eulogious wrote:
Code:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

SNAT is implicit to $EXTIP.

What do you mean by this? I take it that I don't need the interface then?
If you do not include a --to, SNAT should look up the IP address of the outbound interface and use that.


Ok, so it doesn't hurt to have it on there so it doesn't have to look it up. I will just keep it because I think it looks better :lol: But that's just me :) Good info to know though, so thanks for the info!

So I got it to work, and I don't think it was anything I was doing that was messing it up.

After I installed wireshark, I was able to find out that I was able to connect up to t-mobile fine, I was just not getting anywhere once I got to them. So after spending a couple of hours looking over packet dumps, I called up t-mobile to see what could be done. After spending an hour on the phone with them, my landline died and I was disconnected. But this was during a transfer to the next person up the chain, so no biggie. I called back and verified what we had talking about and made sure my account was notated and all that jazz, and called it a night with the problem, well almost. I decided to just look over everything and check everything out, so I logged into my access point, looked around, rebooted it, and at this point is when I checked the phone, and low and behold it connect to UMA. So I tried to make a call, and it worked!

So at first glance I thought it had to do with my access point, but then I remember I tried the phone at my parents house and it worked the first night, but it didn't work when I tried it again, so the problem was specific to my house. Well kinda, I was getting error at my house, and no error at all at my parents, I just could not make calls.

Anyways, long story short is that it seems like it was something on t-mobiles end, and my packet dumps confirmed this, even though t-mobile didn't. The last thing that the tech did was reset all my provisions, which means he reset all the info on the account and resent it to all the servers, and from what I can remember from working at t-mobile in the tier 3 tech support department was that when you did that, sometimes it takes a little while for it to propagate down to all the servers, and I think that is what happened here. It was almost an hour on the dot since I got off the phone with t-mobile that I notice the phone was working, so I am pretty sure the issue was on their end, and by calling in and talking with the tech, they were able to reset something and make it work.

Now I am going to give some more background on what UMA is and how it works, just in case someone else runs into this and has questions, since it took me several days to get this info and make sense of it. Hopefully it will help someone else out.

Here's a link to a PDF I found that sums UMA up nicely: UMA Explanation This PDF is what really help me understand how UMA works. It's got great pictures and everything. I used this as my source for my explanation below. I was also able to confirm all of this with my packet dumps, so this is what lead me to believe it was t-mobile's problem, not mine. I am really glad I found this!

Since this forum doesn't allow pictures for some reason, I have to use crappy symbols to make this work, so forgive my crude drawings :lol:

This is the process and the chain of the data while establishing a UMA connection:

BB --> AP --> -- LAN --> FireWall --> DNS Lookup --> PSG/PUNC --> SSG/SUNC

Here's the breakdown of the above...

The Blackberry (BB) connects to the AP (Access Point) and gets access to the LAN. Once the BB has established access to the LAN, it the attempts to get out on the internet, and in my case this required getting access through my firewall. Once it can get outside the local network and on to the internet, the BB then sends out a DNS query for the PSG/PUNC (Provisioning Security Gateway & UNC) ip address and in some cases, such as initial connection from a new location, the handset may need to find the Provisioning Security Gateway and the Provisioning UNC. If this is required, DNS lookups to psgw.t-mobilesgws.com will be observed. It then uses IKEv2 with UDP port 500 for an initial ISAKMP exchange, followed by UDP 4500. At the end of this phase, the handset will be redirected to a particular SSG (Serving Security Gateway, several Serving Security Gateways exist). The BB then uses DNS again to find the address of the Serving Security Gateway. At this point IKEv2 authentication should complete with the Serving Security Gateway using UDP port 500 and subsequent traffic is within the IPSec tunnel to the Security Gateway using UDP port 4500. The handset connects through the tunnel to the Serving UNC and then the backend switches the connection over the the UMA connections seemlesslly, and then all should be golden.

So I was able to connect to the PSG and authenticate, but not the SSG, and that's why the tunnel was failing. So after several hours, I was able to deduce this and make the call to t-mobile. Luckily t-mobile does have good customer care, so it wasn't that big of a pain, so that was nice :)

Ok, last but not least... This is the firewall that I am running now. If anyone would chime in with anymore suggestion, or fixes that it needs, I am all ears! Thanks a ton Hu, you have really helped me out, I really appreciate it man!

Code:

#! /sbin/runscript

depend() {
        need net
}

start() {
        ebegin "Starting Firewall v2.0"
#
# 1.0 Created on 6-7-07 by eulogious with help from many in the gentoo forums!
# 1.1 Hardened Policies 1-30-08
# 1.2 Fixed Server Web Browsing Issue, Hardened Policies 1-31-08
# 1.3 Fixed Port Forwarding Issues 2-8-08
# 1.4 Updated for Watchdog2, made into an init script, corrected SSH forwarding issues 2-21-08
# 1.5 Added Squid Transparent Proxy 2-29-08
# 1.6 Took out stopping and clearing the mangle tables when stopping firewall.  Messes with QoS 3-6-08
# 1.7 Fixed shutting down issues.  Stops indepedantly without messing with QoS at all 3-7-08
# 1.8 Added port forwarding to talisman for SSL 7-19-08
# 1.9 Opened port 25 for SMTP so that watchdog2 can be a SMTP gateway 9-10-08
# 2.0 Opened up IPSec for UMA, cleand up a little bit, and did some house work 1-16-11
#
# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#

SQUID_SERVER="192.168.2.12"
SQUID_PORT="3128"

EXTIF="eth0"
INTIF="eth1"
LOCALNET="192.168.2.0/24"
PUBLICPORTS="1024:65535"
einfo "External Interface:  $EXTIF"
einfo "Internal Interface:  $INTIF"

EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
einfo "External IP:  $EXTIP"

#Setting it all up
einfo "Enabling DynamicAddr..."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

einfo "Clearing any existing rules and setting default policy..."
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

#Here we define a new chain which is going to handle packets we don't want to respond to
#and limit the amount of logs to 10/min
$IPTABLES -N Firewall
$IPTABLES -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "
$IPTABLES -A Firewall -j DROP

#log those packets and inform the sender that the packet was rejected
$IPTABLES -N Rejectwall
$IPTABLES -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "
$IPTABLES -A Rejectwall -j REJECT

#here we create a chain to deal with unlegitimate packets and limit the number of alerts to 10/min
#packets will be drop without informing the sender
$IPTABLES -N Badflags
$IPTABLES -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "
$IPTABLES -A Badflags -j DROP

#Allow all internal network traffic, and allow it to be forwarded
einfo "Allowing Local Connections..."
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#$IPTABLES -A OUTPUT -o lo -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT

#Allow IPSec tunnels, setup for Tiffy's BB and UMA.
einfo "Allowing IPSec Connections..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p ah -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 500 -j ACCEPT      
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 4500 -j ACCEPT
$IPTABLES -t nat -I POSTROUTING 1 -p esp -j ACCEPT

#Allow pptpd connections (port 1723)
einfo "Allowing PPTP(VPN) Connections..."
$IPTABLES -A INPUT -p gre -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A OUTPUT -p gre -j ACCEPT

#Opening ports on Watchdog
einfo "Enabling SSH on port 2222 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

einfo "Enabling HTTP on port 80 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

einfo "Enabling SMTP on port 25 for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

einfo "Enabling DNS for Watchdog2..."
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

#Forwarding other ports to computers on the internal LAN
einfo "Forwading SSH To Buckfutter..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 22 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.2.2

einfo "Forwarding Bittorent Port 8888 to 192.168.2.2..."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d 192.168.2.2 --dport 8888 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8888 -j DNAT --to 192.168.2.2
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -d 192.168.2.2 --dport 8888 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 8888 -j DNAT --to 192.168.2.2

#Transparent Squid Proxy/Web Accelerator
einfo "Enabling Transparent Proxy..."
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

#Allows only a few good ones back in
einfo "Allowing only existing and related connections in..."
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -m state ! --state NEW -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -j DROP

#A list of well known combination of Bad TCP flags
#we redirect those to the Badflags chain
#which is going to handle them (log and drop)
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags

#Accept certain icmp message, drop the others
#and log them through the Firewall chain
einfo "Allowing some ICMP requests, but not all..."
# 0 => echo reply
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 => Echo
#avoid ping flood
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j Firewall

#Actually allowing the "internet" to work and making sure IPSec packets don't get touched
einfo "Enabling SNAT functionality on $EXTIF going to IP: $EXTIP..."
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

# Dropping Everything Else
einfo "Blocking Everything Else And Logging It..."
$IPTABLES -A INPUT -j Rejectwall
$IPTABLES -A FORWARD -j Rejectwall

#Extra things that need to be taken care of
einfo "Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

einfo "Changing TCP Keepalive to 25 min..."
echo "1500" > /proc/sys/net/ipv4/tcp_keepalive_time

#Done!
einfo "Successfully Started Firewall v2.0 On Watchdog2"

eend $?
}

stop() {
        ebegin "Stopping Firewall v2.0"
IPTABLES=/sbin/iptables
   
   $IPTABLES -F
   $IPTABLES -F INPUT
   $IPTABLES -F OUTPUT
   $IPTABLES -F FORWARD
   $IPTABLES -F -t nat
   $IPTABLES -X
   
   $IPTABLES -P INPUT ACCEPT
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD ACCEPT

        eend $?
}


I commented out all my ouput lines, since my default policy is to accept everything, no need to worry about that right now. Since I trust everything on my network, I am not too worried about the output rules. I will get to that some other time :lol:

I think I added/changed everything you mentioned Hu, but if you could look over it, I would be really grateful! Thanks again! I am happy that UMA works now!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum