On 02.03.2017 15:22, Alex Sharaz wrote:
> Hi,
> Looking for some help setting up my 1st strong swan vpn server and having 
> some IPTABLES lack of knowledge issues.
> 
> I've an Ubuntu 16.04 server with strongswan 5.3.5 packages installed. The  
> plan is to have external user to connect to the server via a public IP 
> address from outside the university. and enter the campus network via our 
> checkpoint firewall on a 172.18.64.0/24 IP address. 
> Client devices are assigned an IP address by the vpn server.
> 
> e.g.
> 
> outside world --> <144.32.x.y> (interface ens1f0)  || VPN server||| 
> 10.16.35.121 (interface ens1f1) -------|| campus firewall ||---- 144.32/0/0/16
>  
> netstat -nr on the server gives
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         144.32.128.1    0.0.0.0         UG        0 0          0 ens1f0
> 10.16.35.120    0.0.0.0         255.255.255.248 U         0 0          0 ens1f1
> 144.32.128.0    0.0.0.0         255.255.254.0   U         0 0          0 ens1f0
> 
> So all traffic destined for the campus network needs to go down ens1f1 
> interface
> 
> I've set up my own updown script which I know is being invoked but not sure 
> if I've got the correct stuff in it. 
> 
> I can connect to the VPN server and ping 10.167.35.120 and 10.16.35.126 which 
> is the campus firewall endpoint and that works.
> 
> When connected iptables -S shows
> 
> 
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A FORWARD -s 172.18.64.1/32 -i ens1f1 -j ACCEPT
> -A FORWARD -d 172.18.64.1/32 -o ens1f1 -j ACCEPT
> 
> ... or is this too simplistic a set of rules ?

Just don't insert any rules with the updown script.
You only need two static rules:
-A FORWARD -m policy --pol ipsec --dir in -j ACCEPT
-A FORWARD -m policy --pol ipsec --dir out -j ACCEPT
Done.
Btw, setting the chain policy of the builtin FORWARD chain to ACCEPT and then 
just ACCEPTing stuff and not dropping anything doesn't make sense. Either decide 
for whitelisting or blacklisting (preferably whitelisting).

And please use iptables-save and -restore. Don't use ifconfig, route or 
netstat, use iproute2 and ss instead. We're not in the 90s anymore.

> 
> Rgds
> Alex
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
> 

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
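As an added example (not part of this thread, and not strongSwan's own updown script), a small POSIX shell audit that classifies a FORWARD chain as "whitelist", "blacklist" or "pointless" (default ACCEPT with nothing ever dropped, the situation the reply criticises) from either `iptables -S` or `iptables-save` output, run here over a constructed copy of the original poster's rules. It also emits the two static policy-match rules from the reply as an `iptables-restore` fragment with a default-DROP FORWARD chain; the chain counters and the default-DROP policy are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Constructed copy of the ruleset posted in the question (not live output).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 172.18.64.1/32 -i ens1f1 -j ACCEPT
-A FORWARD -d 172.18.64.1/32 -o ens1f1 -j ACCEPT'

# forward_stance RULES
# Prints "whitelist" if the FORWARD policy is DROP/REJECT, "blacklist" if the
# policy is ACCEPT but some FORWARD rule drops or rejects, and "pointless" if
# the policy is ACCEPT and every FORWARD rule only ACCEPTs (nothing is filtered).
# Accepts both "-P FORWARD X" (iptables -S) and ":FORWARD X [..]" (iptables-save).
forward_stance() {
    policy=$(printf '%s\n' "$1" | awk '
        $1 == "-P" && $2 == "FORWARD" { print $3 }
        $1 == ":FORWARD"              { print $2 }')
    drops=$(printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "FORWARD" && /-j (DROP|REJECT)/ { n++ }
        END { print n + 0 }')
    case "$policy" in
        DROP|REJECT) echo whitelist ;;
        ACCEPT) if [ "$drops" -gt 0 ]; then echo blacklist; else echo pointless; fi ;;
        *) echo unknown ;;
    esac
}

# whitelist_ruleset
# The two static policy-match rules from the reply, in iptables-restore form,
# with a default-DROP FORWARD chain so that only IPsec-protected traffic is
# forwarded (hypothetical hardened configuration; counters are placeholders).
whitelist_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m policy --pol ipsec --dir in -j ACCEPT
-A FORWARD -m policy --pol ipsec --dir out -j ACCEPT
COMMIT
EOF
}

# Usage: audit the posted rules, then show the replacement ruleset.
forward_stance "$SAMPLE_RULES"
whitelist_ruleset
```

Load the emitted fragment with `iptables-restore` rather than adding rules from the updown script, as the reply suggests.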
