On 12/14/2017 02:55 PM, cac...@quantum-sci.com wrote:

>> On 12/14/2017 02:50 PM, Tom Eastep wrote:
>>
>>> On 12/14/2017 02:28 PM, Colony.three via Shorewall-users wrote:
>>>
>>>> I have a VM which is the LAN router, and another VM in the LAN which
>>>> is the ipsec gateway. (strongswan)
>>>> I'm not fully understanding the guide here;
>>>> http://www.shorewall.net/IPSEC-2.6.html
>>>>
>>>> - Does this still apply to kernel 4.*?  There isn't a
>>>> http://www.shorewall.net/IPSEC.html
>>>> http://www.shorewall.net/IPSEC-2.6.html
>>>> - It doesn't say to set up DNAT on the router.  How does the router
>>>> know where the ipsec gateway is?
>>>> - On the laptop, tunnels should be set as:  ipsec net 206.162.148.9
>>>> vpn.  But what is that IP?  The dynamic IP of the laptop, or the
>>>> outside interface of the remote router?
>>>> - If the latter, is there a way in the laptop's tunnels to, instead of
>>>> an explicit IP, do a DNS request, to get that remote IP?
>>>> - Wouldn't I need to set up DNAT in and SNAT out for ports 500 and 4500?
>>>> - How do I enable protocols 50 & 51?  Would that be on one or both ports?
>>>
>>> There is no Shorewall document that describes configuring the local
>>> responding endpoint on a system behind the Shorewall hosts. Such a
>>> configuration is of very limited utility, since it only allows remote
>>> access to the local endpoint host, and not to any other local host
>>> (including the Shorewall host). So the IPSEC-2.6 document only covers
>>> the case where the Shorewall host is the local responding endpoint.
>>> If you really want to configure a host behind the firewall as your
>>> local responding endpoint, then you must:
>>> a) Configure IPSEC to use Nat Traversal.
>>> b) DNAT UDP 500 and 4500 to the local endpoint host.
>>> You don't need to worry about the other protocols, as they will
>>> be encapsulated within UDP port 4500 packets.
>>> -Tom
>>
>> Thanks.  The reason I have this structure in mind is, if ipsec is
>> compromised, I want the ne'er-do-well to end up in a benign VM, -not-
>> the router.
>> You're saying though if I do it this way, then the remote laptop can not
>> access machines on the LAN other than the gateway?  Surely there's an
>> ipsec setting.
>
> No. You might be able to work around this by using SNAT on the endpoint
> system, such that all traffic from the remote laptop through the local
> endpoint is made to look like it came from the local endpoint host
> itself. Like all NAT, that's a bit of a hack. You wouldn't need
> Shorewall on the local endpoint for that; you could simply execute:
>
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> during boot.
>
> -Tom

I have Shorewall running on all machines.  :j

Is there a way to do this in Shorewall?  The masq file?

I have  net.ipv4.ip_forward = 1 set in /etc/syscfg.conf.

I guess this would allow packets to be masqueraded through the Libreswan 
gateway to the rest of the LAN -- but out the same interface? (There is only 
one in this VM)

If masquerading can happen out the same interface, does this mean packets can 
also go out the LAN router to The The Internets? (Which is the goal)
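The Shorewall equivalent of the two pieces Tom describes (DNAT of UDP 500/4500 on the router, and SNAT on the endpoint VM so LAN hosts see the endpoint's own address) can be expressed as config fragments. The fragments below are an added illustration, not part of this thread or of the Shorewall documentation. Every address is assumed: the endpoint VM is 192.168.1.10 on the 192.168.1.0/24 LAN, the router's interfaces are eth0 (net) and eth1 (loc), the endpoint VM's single interface is eth0, and the IPsec daemon hands remote laptops virtual addresses from 10.99.0.0/24. The file layouts follow the Shorewall 5 conventions (snat file); the Shorewall 4 masq-file form is shown as a comment.

```text
############ On the LAN router (Shorewall, net=eth0, loc=eth1) ############

# /etc/shorewall/rules
# Forward the IKE and NAT-T ports to the endpoint VM. ESP (proto 50)
# and AH (51) need no rule because NAT Traversal carries them inside
# UDP 4500. 192.168.1.10 is an assumed address.
#ACTION        SOURCE    DEST                    PROTO   DPORT
DNAT           net       loc:192.168.1.10        udp     500,4500

# shorewall.conf on the router: IP_FORWARDING=On makes Shorewall set
# net.ipv4.ip_forward=1 itself, so no separate sysctl entry is needed.

############ On the endpoint VM (Shorewall, single interface eth0) ############

# /etc/shorewall/zones
# The ipsec zone type matches only traffic that was decrypted by the
# kernel's xfrm policy, so plaintext from the LAN cannot pretend to be VPN.
#ZONE   TYPE
fw      firewall
loc     ipv4
vpn     ipsec

# /etc/shorewall/interfaces
# routeback is required because decrypted VPN packets arrive on eth0
# and are forwarded back out the same eth0 toward other LAN hosts.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      routeback

# /etc/shorewall/hosts
# Bind the vpn zone to the laptops' assumed virtual-IP pool on eth0.
#ZONE   HOST(S)                 OPTIONS
vpn     eth0:10.99.0.0/24

# /etc/shorewall/policy
# Remote laptops may reach the LAN (and the Internet via the LAN router);
# nothing else is permitted to initiate toward the vpn zone.
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       loc    ACCEPT
vpn       fw     ACCEPT
loc       vpn    DROP     info
loc       fw     ACCEPT
fw        all    ACCEPT
all       all    DROP     info

# /etc/shorewall/snat   (Shorewall 5)
# SNAT step from the thread: traffic from the laptop pool leaving eth0 is
# rewritten to eth0's own address, so LAN hosts and the LAN router only
# ever see 192.168.1.10 and need no route back to 10.99.0.0/24.
# Only NEW connections are translated; replies are de-NATed by conntrack
# before the xfrm policy re-encrypts them toward the laptop.
#ACTION        SOURCE          DEST
MASQUERADE     10.99.0.0/24    eth0

# Shorewall 4 equivalent in /etc/shorewall/masq:
#INTERFACE   SOURCE
#eth0        10.99.0.0/24

############ On the remote laptop (Shorewall tunnels file) ############

# /etc/shorewall/tunnels
# GATEWAY is the public address of the remote tunnel gateway. With the
# endpoint DNATed behind the router, that is the router's outside
# address (203.0.113.1 is an assumed example), not the laptop's own IP.
#TYPE   ZONE   GATEWAY         GATEWAY_ZONE
ipsec   net    203.0.113.1
```

Two practical notes. The masquerade applies to the decrypted, forwarded packets leaving eth0, so the fact that ESP arrives on the same interface is not a problem; the hop that needs care is `routeback`, without which Shorewall rejects forwarding between two hosts on one interface. And because the laptops' pool is hidden behind 192.168.1.10, any per-host logging or rules on the LAN router will attribute all remote users to the endpoint VM; if you need to tell remote users apart in logs, restrict the SNAT to the LAN destination instead and add a static route for 10.99.0.0/24 via 192.168.1.10 on the router.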
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users