On 01/05/2018 02:46 PM, Colony.three via Shorewall-users wrote:
> On 12/14/2017 02:55 PM, cac...@quantum-sci.com <mailto:cac...@quantum-sci.com> wrote:
>>
>> On 12/14/2017 02:50 PM, Tom Eastep wrote:
>>
>> On 12/14/2017 02:28 PM, Colony.three via Shorewall-users wrote:
>>
>> I have a VM which is the LAN router, and another VM in the LAN which
>> is the ipsec gateway. (strongswan)
>> I'm not fully understanding the guide here;
>> http://www.shorewall.net/IPSEC-2.6.html
>>
>> * Does this still apply to kernel 4.*? There isn't a
>>   http://www.shorewall.net/IPSEC.html
>>   http://www.shorewall.net/IPSEC-2.6.html
>> * It doesn't say to set up DNAT on the router. How does the router
>>   know where the ipsec gateway is?
>> * On the laptop, tunnels should be set as: ipsec net 206.162.148.9 vpn.
>>   But what is that IP? The dynamic IP of the laptop, or the outside
>>   interface of the remote router?
>> * If the latter, is there a way in the laptop's tunnels to, instead of
>>   an explicit IP, do a DNS request, to get that remote IP?
>> * Wouldn't I need to set up DNAT in and SNAT out for ports 500 and 4500?
>> * How do I enable protocols 50 & 51? Would that be on one or both ports?
>>
>> There is no Shorewall document that describes configuring the local
>> responding endpoint on a system behind the Shorewall hosts. Such a
>> configuration is of very limited utility, since it only allows remote
>> access to the local endpoint host, and not to any other local host
>> (including the Shorewall host). So the IPSEC-2.6 document only covers
>> the case where the Shorewall host is the local responding endpoint.
>> If you really want to configure a host behind the firewall as your
>> local responding endpoint, then you must:
>> a) Configure IPSEC to use NAT Traversal.
>> b) DNAT UDP 500 and 4500 to the local endpoint host.
>> You don't need to worry about the other protocols, as they will
>> be encapsulated within UDP port 4500 packets.
>>
>> -Tom
>>
>> Thanks. The reason I have this structure in mind is, if ipsec is
>> compromised, I want the ne'er-do-well to end up in a benign VM, -not-
>> the router.
>> You're saying though if I do it this way, then the remote laptop can not
>> access machines on the LAN other than the gateway? Surely there's an
>> ipsec setting.
>>
>>
>> No. You might be able to work around this by using SNAT on the endpoint
>> system, such that all traffic from the remote laptop through the local
>> endpoint is made to look like it came from the local endpoint host
>> itself. Like all NAT, that's a bit of a hack. You wouldn't need
>> Shorewall on the local endpoint for that; you could simply execute:
>>
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>>
>> during boot.
>>
>> -Tom
>>
>
> I have Shorewall running on all machines. :j
>
> Is there a way to do this in Shorewall? The masq file?
>
> I have net.ipv4.ip_forward = 1 set in /etc/syscfg.conf.
>
> I guess this would allow packets to be masqueraded through the Libreswan
> gateway to the rest of the LAN -- but out the same interface? (There is
> only one in this VM)
>
> If masquerading can happen out the same interface, does this mean
> packets can also go out the LAN router to The The Internets? (Which is
> the goal)
Yes.

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
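The two-VM layout Tom describes (DNAT on the router, NAT Traversal plus MASQUERADE on the endpoint VM) written out in Shorewall's own configuration files, as an added example that is not part of the thread and not Shorewall project material. Every address is made up for illustration: the router's LAN side is zone `loc`, the strongSwan VM is 10.0.0.5 with a single interface eth0, and road-warrior clients receive virtual addresses from 10.99.0.0/24. Zone and interface naming follows the Shorewall two-interface sample and the IPSEC-2.6 document.

```text
# ===== Router VM (the Shorewall host with zones net and loc) =====

# /etc/shorewall/rules
#ACTION    SOURCE    DEST            PROTO   DPORT
# Forward IKE (UDP 500) and NAT-T (UDP 4500) from the Internet to the
# strongSwan VM. With NAT Traversal active, ESP rides inside UDP 4500,
# so protocols 50/51 need no DNAT entry of their own.
DNAT       net       loc:10.0.0.5    udp     500,4500

# ===== strongSwan VM (one interface, eth0; Internet traffic arrives via the router) =====

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
loc     ipv4
vpn     ipsec          # packets the kernel has just decrypted (IPsec policy match)

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
loc     eth0        routeback      # decrypted packets enter and leave on the same eth0

# /etc/shorewall/hosts
#ZONE   HOSTS
vpn     eth0:0.0.0.0/0             # road warriors may come from any address

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG
vpn       loc    ACCEPT            # VPN clients may reach the LAN (and, via the router, the Internet)
vpn       $FW    ACCEPT
loc       $FW    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION    SOURCE    DEST    PROTO   DPORT
# The DNATed IKE/NAT-T packets arrive from eth0 still wearing their
# Internet source address, so they belong to zone loc here.
ACCEPT     loc       $FW     udp     500,4500

# /etc/shorewall/snat
#ACTION       SOURCE          DEST
# Only the clients' virtual subnet is masqueraded, so LAN hosts and the
# router see 10.0.0.5 as the source and need no route to 10.99.0.0/24.
MASQUERADE   10.99.0.0/24    eth0
```

The `snat` entry is the Shorewall equivalent of the bare `iptables -t nat -A POSTROUTING -j MASQUERADE` from the thread, narrowed to the subnet strongSwan hands to clients; the unqualified iptables line would rewrite every forwarded packet. `routeback` is what allows the hairpin the question asks about: the cleartext packet came in on eth0 and goes back out eth0 toward the router, which then forwards it to the Internet under its own NAT. The trade-off a defender should note is the one all NAT brings: once traffic leaves the endpoint VM, the LAN, the router and their logs only ever see 10.0.0.5, so per-client attribution has to come from the endpoint VM itself (strongSwan's logs and Shorewall's `info` logging on the `vpn` policies above).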
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users