For the Private-IP configuration examples in this document we will use this sample network:
For the registered-IP configuration examples in this document we will use this sample network:Internet-------- 200.200.200.* ppp0 or 200.200.200.200 eth1 Dual-Homed Linux Firewall .--- 10.0.0.1 eth0 | |--- 10.0.0.2 VPN client or server |
The VPN server that the example clients connect to will beInternet-------- 200.200.200.200 eth1 Dual-Homed Linux Firewall .--- 222.0.0.1 eth0 | |--- 222.0.0.2 VPN client or server |
199.0.0.1
The VPN clients that the connect to the example server will be 199.0.0.2
and 199.0.0.3
If your VPN client or server has a registered internet IP address you do not need to masquerade or modify your kernel - the stock kernel will successfully route all VPN traffic. You can skip directly to the registered-IP setup sections below.
If your VPN client or server has a Private-Network IP address as described in RFC1918 you will need to patch your kernel (unless your kernel is 2.0.37 or higher in the 2.0.x series).
If you are setting up a masqueraded VPN server, you will also have to obtain and install the following two packages:
ipportfw
port-forwarding kernel patch and configuration tool from http://www.ox.compsoc.org.uk/~steve/portforwarding.html. Port forwarding has been incorporated into the 2.2.x kernel. See man ipmasqadm
for configuration details. If ipmasqadm
is not included with your distribution it can be obtained at http://juanjox.kernelnotes.org/.
ipfwd
generic-IP redirector from http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.You do not need port forwarding or ipfwd if you are masquerading only clients.
/usr/src/linux
.
If your kernel version is 2.0.36 or lower, obtain the 2.0.x VPN Masquerade kernel patch from the VPN Masquerade home page in the "Resources" section above.
If your kernel version is 2.0.37 or higher in the 2.0.x series, you do not need to apply any patches. The VPN Masquerade code is included in the kernel. Skip the discussion of patching the kernel.
For the purposes of this document we'll assume you've saved the appropriate patch in /usr/src/ip_masq_vpn.patch.gz
.
cd /usr/src/linux
zcat ../ip_masq_vpn.patch.gz | patch -l -p0 > vpn-patch.log 2>&1
Note that the options are "dash lowercase L, dash lowercase P zero". You may get odd results if you change the order of the arguments, as patch seems to be sensitive to the order they appear on the command line.
vpn-patch.log
file to see if any hunks failed. If you get failed hunks, then you probably either omitted the options or ran the patch program from the wrong directory. Restore your kernel from the backup and try again.ipportfw
patch from the site given above.
There is a known conflict between the VPN Masquerade patch and two other networking patches: the IP Firewall Chains patch and the ipportfw patch. They are all trying to add options at the same location in net/ipv4/Config.in
, and the changes made by one patch alter the context that the other patches are looking for.
If you're applying the VPN Masquerade patch and the IP Firewall Chains or ipportfw patches to your 2.0.x kernel, you will have to manually edit net/ipv4/Config.in
and add the block of configuration options from the patch file that fails to work. Looking at the patch file should show you where in net/ipv4/Config.in
the new options should be added.
The syntax of patch files is simple. For each block of changes to make, there are two sections: the first shows the "before" state, with an indication of lines to be changed or deleted; the second shows the "after" state, with an indication of the lines that have been changed or added. Use the first section to find where to add the lines, and add the lines that are indicated in the second section.
This should not be a problem once those patches are updated for 2.0.37+
NOTE: These are just the settings you need for masquerading. Select whatever other options you need for your specific setup.
* Prompt for development and/or incomplete code/drivers CONFIG_EXPERIMENTAL - You must enable this to see the VPN Masq options. * Networking support CONFIG_NET * Network firewalls CONFIG_FIREWALL * TCP/IP networking CONFIG_INET * IP: forwarding/gatewaying CONFIG_IP_FORWARD * IP: firewalling CONFIG_IP_FIREWALL * IP: masquerading (EXPERIMENTAL) CONFIG_IP_MASQUERADE - This is required. * IP: PPTP masq support (EXPERIMENTAL) CONFIG_IP_MASQUERADE_PPTP - Enables PPTP data channel masquerading, if you are masquerading a PPTP client or server. * IP: PPTP Call ID masq support (EXPERIMENTAL) CONFIG_IP_MASQUERADE_PPTP_MULTICLIENT - Enables PPTP Call ID masquerading; only necessary if you will be masquerading more than one client trying to connect to the same remote server. DO NOT enable this option if you will be masquerading a PPTP server. * IP: IPsec ESP & ISAKMP masq support (EXPERIMENTAL) CONFIG_IP_MASQUERADE_IPSEC - Enables IPsec masquerade, if you are masquerading an IPsec host. * IP: IPSEC masq table lifetime (minutes) - See your network administrator to determine what the "rekey interval" or "key lifetime" is set to. The default lifetime of masq table entries is thirty minutes. If your rekey interval is greater than thirty minutes, then you should increase the lifetime to a value slightly greater than the rekey interval. * IP: always defragment CONFIG_IP_ALWAYS_DEFRAG - Highly recommended for a firewall.
To determine whether the running kernel includes VPN Masquerade support, run the following command:
...and look for the following entries:grep -i masq /proc/ksyms
ip_masq_out_get_isakmp
, ip_masq_in_get_isakmp
, ip_fw_masq_esp
and ip_fw_demasq_esp
ip_fw_masq_gre
and ip_fw_demasq_gre
ip_masq_pptp
If you don't see these entries, VPN Masquerade support is probably not available. If you get complaints about /proc/ksyms
not being available or /proc
not being available, make sure that you have enabled the /proc
filesystem in your kernel configuration.
See the Kernel HOWTO for more details on configuring and recompiling your kernel.
If you are using IPsec masquerade and your system is generating General Protection errors (see /var/log/messages
) or is locking up, see the VPN Masquerade home page for an update. This patch is for 2.0.38, but should work on earlier kernels. It has been submitted to Alan Cox for inclusion in the 2.0.39 kernel.
/usr/src/linux
.
For the purposes of this document we'll assume you've saved the appropriate patch in /usr/src/ip_masq_vpn.patch.gz
.
cd /usr/src
zcat ip_masq_vpn.patch.gz | patch -l -p0 > vpn-patch.log 2>&1
Note that the options are "dash lowercase L, dash lowercase P zero". You may get odd results if you change the order of the arguments, as patch seems to be sensitive to the order they appear on the command line.
Also note that the directory you run the patch command in is different for the 2.2.x kernel patch
vpn-patch.log
file to see if any hunks failed. If you get failed hunks, then you probably either omitted the options or ran the patch program from the wrong directory. Restore your kernel from the backup and try again.ipportfw
patch as port forwarding is now built-in. See the ipmasqadm
man page for more details. If ipmasqadm
is not included with your distribution it can be obtained at http://juanjox.kernelnotes.org/.
Say NO to the following:
* Prompt for development and/or incomplete code/drivers CONFIG_EXPERIMENTAL - You must enable this to see the VPN Masq options. * Networking support CONFIG_NET * Network firewalls CONFIG_FIREWALL * TCP/IP networking CONFIG_INET * IP: firewalling CONFIG_IP_FIREWALL * IP: always defragment CONFIG_IP_ALWAYS_DEFRAG - Required for masquerading. This may or may not be in your kernel config. If not, you should run this in your startup scripts: echo 1 > /proc/sys/net/ipv4/ip_always_defrag * IP: masquerading (EXPERIMENTAL) CONFIG_IP_MASQUERADE - This is required. * IP: masquerading special modules support CONFIG_IP_MASQUERADE_MOD - This is required. * IP: ipportfw masq support (EXPERIMENTAL) CONFIG_IP_MASQUERADE_IPPORTFW - Enable this if you will be masquerading a VPN server. * IP: PPTP masq support CONFIG_IP_MASQUERADE_PPTP - Enables PPTP data channel masquerading, if you are masquerading a PPTP client or server. This is now available as a module. Note that you no longer need to specify Call-ID masquerade. * IP: IPsec ESP & ISAKMP masq support (EXPERIMENTAL) CONFIG_IP_MASQUERADE_IPSEC - Enables IPsec masquerade, if you are masquerading an IPsec host. This is now available as a module. * IP: IPsec masq table lifetime (minutes) - See your network administrator to determine what the "rekey interval" or "key lifetime" is set to. The default lifetime of masq table entries is thirty minutes. If your rekey interval is greater than thirty minutes, then you should increase the lifetime to a value slightly greater than the rekey interval. * IP: Enable parallel sessions (possible security risk - see help) CONFIG_IP_MASQUERADE_IPSEC_PAROK - See the IPsec masquerade technical notes and special security considerations section of the HOWTO for security considerations to be aware of when masquerading IPsec traffic. If you are only masquerading one IPsec client this setting has no effect.
NOTE: These are just the settings you need for masquerading. Select whatever other options you need for your specific setup.
* IP: GRE tunnels over IP CONFIG_NET_IPGRE - This, confusingly, has *NOTHING* to do with PPTP. It enables support for GRE tunnels as used by Cisco routers. The fact that you see this option does not imply that PPTP support is available. You still need to apply the VPN Masquerade patch if the PPTP options listed above do not appear when you are configuring your kernel. DO NOT enable this unless you are setting up a GRE tunnel to a Cisco router.
To determine whether the running kernel includes VPN Masquerade support, run the following command:
...and look for the following entries:grep -i masq /proc/ksyms
ip_masq_esp
and ip_demasq_esp
ip_masq_pptp_tcp
and ip_demasq_pptp_tcp
...and look for the following entries:lsmod
ip_masq_ipsec
ip_masq_pptp
If you don't see these entries, VPN Masquerade support is probably not available - did you remember to modprobe ip_masq_pptp.o
or modprobe ip_masq_ipsec.o
if you compiled them as modules? If VPN masquerade stops working after you reboot, did you remember to add the modprobe
commands into your /etc/rc.d/rc.local
startup script?
If you get complaints about /proc/ksyms
not being available or /proc
not being available, make sure that you have enabled the /proc
filesystem in your kernel configuration.
See the Kernel HOWTO for more details on configuring and recompiling your kernel.
The firewall must now be configured to masquerade the outbound VPN traffic. You may wish to visit http://www.wolfenet.com/~jhardin/ipfwadm.html to take a look at a GUI wrapper around the ipfwadm command that automates a lot of security-related packet filtering setup.
The minimum firewall rules are:
This is a completely open setup, though. It will masquerade any traffic from any host on the local network destined for any host on the internet, and provides no security at all.# Set the default forwarding policy to DENY: ipfwadm -F -p deny # Allow local-network traffic ipfwadm -I -a accept -S 10.0.0.0/8 -D 0.0.0.0/0 -W eth0 ipfwadm -O -a accept -S 0.0.0.0/0 -D 10.0.0.0/8 -W eth0 # Masquerade traffic for internet addresses and allow internet traffic ipfwadm -F -a accept -m -S 10.0.0.0/8 -D 0.0.0.0/0 -W ppp0 ipfwadm -O -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 -W ppp0 ipfwadm -I -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 -W ppp0or, if you have a permanent connection,ipfwadm -F -a accept -m -S 10.0.0.0/8 -D 0.0.0.0/0 -W eth1 ipfwadm -O -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 -W eth1 ipfwadm -I -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 -W eth1
A tight firewall setup would only allow traffic between the client and the server, and would block everything else:
# Set the default policy to DENY: ipfwadm -I -p deny ipfwadm -O -p deny ipfwadm -F -p deny # Allow local-network traffic ipfwadm -I -a accept -S 10.0.0.0/8 -D 0.0.0.0/0 -W eth0 ipfwadm -O -a accept -S 0.0.0.0/0 -D 10.0.0.0/8 -W eth0 # Masquerade only VPN traffic between the VPN client and the VPN server ipfwadm -F -a accept -m -P udp -S 10.0.0.2/32 500 -D 199.0.0.1/32 500 -W ppp0 ipfwadm -F -a accept -m -P tcp -S 10.0.0.2/32 -D 199.0.0.1/32 1723 -W ppp0 ipfwadm -F -a deny -P tcp -S 10.0.0.2/32 -D 199.0.0.1/32 -W ppp0 ipfwadm -F -a deny -P udp -S 10.0.0.2/32 -D 199.0.0.1/32 -W ppp0 ipfwadm -F -a accept -m -P all -S 10.0.0.2/32 -D 199.0.0.1/32 -W ppp0 ipfwadm -O -a accept -P udp -S 200.200.200.0/24 500 -D 199.0.0.1/32 500 -W ppp0 ipfwadm -O -a accept -P tcp -S 200.200.200.0/24 -D 199.0.0.1/32 1723 -W ppp0 ipfwadm -O -a deny -P tcp -S 200.200.200.0/24 -D 199.0.0.1/32 -W ppp0 ipfwadm -O -a deny -P udp -S 200.200.200.0/24 -D 199.0.0.1/32 -W ppp0 ipfwadm -O -a accept -P all -S 200.200.200.0/24 -D 199.0.0.1/32 -W ppp0 ipfwadm -I -a accept -P udp -S 199.0.0.1/32 500 -D 200.200.200.0/24 500 -W ppp0 ipfwadm -I -a accept -P tcp -S 199.0.0.1/32 1723 -D 200.200.200.0/24 -W ppp0 ipfwadm -I -a deny -P tcp -S 199.0.0.1/32 -D 200.200.200.0/24 -W ppp0 ipfwadm -I -a deny -P udp -S 199.0.0.1/32 -D 200.200.200.0/24 -W ppp0 ipfwadm -I -a accept -P all -S 199.0.0.1/32 -D 200.200.200.0/24 -W ppp0or, if you have a permanent connection,ipfwadm -F -a accept -m -P udp -S 10.0.0.2/32 500 -D 199.0.0.1/32 500 -W eth1 ipfwadm -F -a accept -m -P tcp -S 10.0.0.2/32 -D 199.0.0.1/32 1723 -W eth1 ipfwadm -F -a deny -P tcp -S 10.0.0.2/32 -D 199.0.0.1/32 -W eth1 ipfwadm -F -a deny -P udp -S 10.0.0.2/32 -D 199.0.0.1/32 -W eth1 ipfwadm -F -a accept -m -P all -S 10.0.0.2/32 -D 199.0.0.1/32 -W eth1 ipfwadm -O -a accept -P udp -S 200.200.200.200/32 500 -D 199.0.0.1/32 500 -W eth1 ipfwadm -O -a accept -P tcp -S 200.200.200.200/32 -D 199.0.0.1/32 1723 -W eth1 ipfwadm -O -a deny -P tcp -S 200.200.200.200/32 -D 199.0.0.1/32 -W eth1 ipfwadm -O -a deny -P udp -S 200.200.200.200/32 -D 199.0.0.1/32 -W eth1 ipfwadm -O -a accept -P all -S 200.200.200.200/32 -D 199.0.0.1/32 -W eth1 ipfwadm -I -a accept -P udp -S 199.0.0.1/32 500 -D 200.200.200.200/32 500 -W eth1 ipfwadm -I -a accept -P tcp -S 199.0.0.1/32 1723 -D 200.200.200.200/32 -W eth1 ipfwadm -I -a deny -P tcp -S 199.0.0.1/32 -D 200.200.200.200/32 -W eth1 ipfwadm -I -a deny -P udp -S 199.0.0.1/32 -D 200.200.200.200/32 -W eth1 ipfwadm -I -a accept -P all -S 199.0.0.1/32 -D 200.200.200.200/32 -W eth1
Note: these rules only allow VPN traffic and block everything else. You will have to add rules for any other traffic you wish to permit, such as DNS, HTTP, POP, IMAP, etc.
The minimum ipchains firewall rules are:
This is a completely open setup, though. It will masquerade any traffic from any host on the local network destined for any host on the internet, and provides no security at all.# Set the default forwarding policy to DENY: ipchains -P forward DENY # Allow local-network traffic ipchains -A input -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 -i eth0 ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d 10.0.0.0/8 -i eth0 # Masquerade traffic for internet addresses and allow internet traffic ipchains -A forward -j MASQ -s 10.0.0.0/8 -d 0.0.0.0/0 -i ppp0 ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -i ppp0 ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -i ppp0or, if you have a permanent connection,ipchains -A forward -j MASQ -s 10.0.0.0/8 -d 0.0.0.0/0 -i eth1 ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1 ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth1
A tight firewall setup would only allow traffic between the client and the server, and would block everything else:
# Set the default policy to DENY: ipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # Allow local-network traffic ipchains -A input -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 -i eth0 ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d 10.0.0.0/8 -i eth0 # Masquerade only VPN traffic between the VPN client and the VPN server # IPsec ipchains -A forward -j MASQ -p udp -s 10.0.0.2/32 500 -d 199.0.0.1/32 500 -i ppp0 ipchains -A output -j ACCEPT -p udp -s 200.200.200.0/24 500 -d 199.0.0.1/32 500 -i ppp0 ipchains -A input -j ACCEPT -p udp -s 199.0.0.1/32 500 -d 200.200.200.0/24 500 -i ppp0 ipchains -A forward -j MASQ -p 50 -s 10.0.0.2/32 -d 199.0.0.1/32 -i ppp0 ipchains -A output -j ACCEPT -p 50 -s 200.200.200.0/24 -d 199.0.0.1/32 -i ppp0 ipchains -A input -j ACCEPT -p 50 -s 199.0.0.1/32 -d 200.200.200.0/24 -i ppp0 # PPTP ipchains -A forward -j MASQ -p tcp -s 10.0.0.2/32 -d 199.0.0.1/32 1723 -i ppp0 ipchains -A output -j ACCEPT -p tcp -s 200.200.200.0/24 -d 199.0.0.1/32 1723 -i ppp0 ipchains -A input -j ACCEPT -p tcp -s 199.0.0.1/32 1723 -d 200.200.200.0/24 -i ppp0 ipchains -A forward -j MASQ -p 47 -s 10.0.0.2/32 -d 199.0.0.1/32 -i ppp0 ipchains -A output -j ACCEPT -p 47 -s 200.200.200.0/24 -d 199.0.0.1/32 -i ppp0 ipchains -A input -j ACCEPT -p 47 -s 199.0.0.1/32 -d 200.200.200.0/24 -i ppp0or, if you have a permanent connection,# IPsec ipchains -A forward -j MASQ -p udp -s 10.0.0.2/32 500 -d 199.0.0.1/32 500 -i eth1 ipchains -A output -j ACCEPT -p udp -s 200.200.200.200/32 500 -d 199.0.0.1/32 500 -i eth1 ipchains -A input -j ACCEPT -p udp -s 199.0.0.1/32 500 -d 200.200.200.200/32 500 -i eth1 ipchains -A forward -j MASQ -p 50 -s 10.0.0.2/32 -d 199.0.0.1/32 -i eth1 ipchains -A output -j ACCEPT -p 50 -s 200.200.200.200/32 -d 199.0.0.1/32 -i eth1 ipchains -A input -j ACCEPT -p 50 -s 199.0.0.1/32 -d 200.200.200.200/32 -i eth1 # PPTP ipchains -A forward -j MASQ -p tcp -s 10.0.0.2/32 -d 199.0.0.1/32 1723 -i eth1 ipchains -A output -j ACCEPT -p tcp -s 200.200.200.200/32 -d 199.0.0.1/32 1723 -i eth1 ipchains -A input -j ACCEPT -p tcp -s 199.0.0.1/32 1723 -d 200.200.200.200/32 -i eth1 ipchains -A forward -j MASQ -p 47 -s 10.0.0.2/32 -d 199.0.0.1/32 -i eth1 ipchains -A output -j ACCEPT -p 47 -s 200.200.200.200/32 -d 199.0.0.1/32 -i eth1 ipchains -A input -j ACCEPT -p 47 -s 199.0.0.1/32 -d 200.200.200.200/32 -i eth1
Note: these rules only allow VPN traffic. You will have to add rules for any other traffic you wish to permit, such as DNS, HTTP, POP, IMAP, etc.
Also note how there rules are much neater and easier to make sense of than the equivalent ipfwadm rules. This is because ipchains allows specification of all IP protocols, not just TCP, UDP, ICMP or ALL.
If your firewall is assigned a dynamic IP address by your ISP (dialup accounts are this way, as are some cable internet services), then you should add the following to the startup script /etc/rc.d/rc.local
:
This enables dynamic IP address following, which means that should your connection drop and be reestablished, any active sessions will be updated to the new IP address rather than using the old IP address. This does not mean that the session will continue across the interruption, rather that it will be closed down quickly.echo 7 > /proc/sys/net/ipv4/ip_dynaddr
If you do not do this, then there may be a "dead period" after you redial and before old masq table entries expire where you're being masqueraded with the wrong IP address, which will prevent your establishing a connection.
This is particularly helpful if you are using a demand-dial daemon such as diald
to manage your dialup connection.
See /usr/src/linux/Documentation/networking/ip_dynaddr.txt
for more details.
If you are setting up VPN masquerade for a Private-IP VPN server (that is, you wish to provide for inbound connections as well as outbound connections), you also need to install two packet-forwarding utilities. One (ipportfw
) forwards inbound TCP or UDP traffic addressed to a specific port on the firewall system to a system on the local network behind the firewall. This is used to redirect the initial inbound 1723/tcp PPTP control channel or 500/udp ISAKMP traffic to the VPN server. The other (ipfwd
) is a more generic forwarding utility that allows you to do this for any IP protocol. It is used to forward the initial inbound 47/ip (GRE) or 50/ip (ESP) data channel traffic to the VPN server.
Outbound responses to the inbound 1723/tcp or 500/udp traffic are masqueraded using the normal IP-Masquerade facilities in the Linux kernel. The outbound 47/ip or 50/ip traffic is masqueraded using the VPN-Masquerade kernel patch you installed earlier.
Once these utilities are installed, you must configure them to forward the traffic to the VPN server.
ipportfw
under 2.0.x kernels
The following commands will set up ipportfw
to forward the initial inbound 500/udp traffic to the IPsec server:
The following commands will set up# Static-IP ipportfw setup for IPsec # Clear the ipportfw forwarding table /sbin/ipportfw -C # Forward traffic addressed to the firewall's 500/udp port # to the IPsec server's 500/udp port /sbin/ipportfw -A -u 200.200.200.200/500 -R 10.0.0.2/500
ipportfw
to forward the initial inbound 1723/tcp traffic to the PPTP server:
Note that the ipportfw command line requires the internet IP address of the firewall, and you cannot specify the interface (e.g.# Static-IP ipportfw setup for PPTP # Clear the ipportfw forwarding table /sbin/ipportfw -C # Forward traffic addressed to the firewall's 1723/tcp port # to the PPTP server's 1723/tcp port /sbin/ipportfw -A -t 200.200.200.200/1723 -R 10.0.0.2/1723
ppp0
) as you can with ipfwadm. This means that for a dynamic-IP connection (such as a typical dialup PPP connection) you have to run these commands every time you connect to the internet and are assigned a new IP address. You can do this quite easily - simply add the following to your /etc/ppp/ip-up
or /etc/ppp/ip-up.local
script:
or:# Dynamic-IP ipportfw setup for IPsec # Clear the ipportfw forwarding table /sbin/ipportfw -C # Forward traffic addressed to the firewall's 500/udp port # to the IPsec server's 500/udp port /sbin/ipportfw -A -u ${4}/500 -R 10.0.0.2/500
See http://www.wolfenet.com/~jhardin/ipfwadm/invocation.html for more information on firewalling with a dynamic IP.# Dynamic-IP ipportfw setup for PPTP # Clear the ipportfw forwarding table /sbin/ipportfw -C # Forward traffic addressed to the firewall's 1723/tcp port # to the PPTP server's 1723/tcp port /sbin/ipportfw -A -t ${4}/1723 -R 10.0.0.2/1723
ipfwd
under both 2.0.x and 2.2.x kernels
The following command will set up ipfwd
to forward the initial inbound 50/ip traffic to the IPsec server:
The following command will set up/sbin/ipfwd --masq 10.0.0.2 50 &
ipfwd
to forward the initial inbound 47/ip traffic to the PPTP server:
It should only be run once, from your/sbin/ipfwd --masq 10.0.0.2 47 &
/etc/rc.d/rc.local
script.
The techniques described here can be generalized to allow masquerading of most any type of server - HTTP, FTP, SMTP, and so forth. Servers that are purely TCP- or UDP-based will not require ipfwd
.
If you are masquerading a PPTP server you also need to make sure that you have not enabled PPTP Call ID masquerade in the kernel. Enabling PPTP Call ID masquerade builds in some assumptions that you're masquerading only PPTP clients, so enabling it will prevent proper masquerade of the PPTP server traffic. This also means that with the 2.0.x version of the patch you cannot simultaneously masquerade a PPTP server and PPTP clients.
Setting up a registered-IP VPN server behind a Linux firewall is a simple matter of making sure the appropriate routing and packet-filter commands are in place. Masquerading is not required.
Unfortunately the 2.0.x-series kernels will not let us specify IP protocol 47 or 50 directly, so this firewall is less secure than it could be. If this is a problem for you, then install the IP Firewall Chains kernel patch or move to the 2.1.x or 2.2.x series kernel, where you can filter by IP protocol.
The firewall rules will look something like this:
# This section should follow your other firewall rules. # Specify the acceptable clients explicitly for tighter security. # Allow the IPsec ISAKMP traffic in and out. ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P udp -S 199.0.0.2/32 500 -D 222.0.0.2/32 500 ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P udp -D 199.0.0.2/32 500 -S 222.0.0.2/32 500 ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P udp -S 199.0.0.3/32 500 -D 222.0.0.2/32 500 ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P udp -D 199.0.0.3/32 500 -S 222.0.0.2/32 500 # Allow the PPTP control channel in and out. ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P tcp -S 199.0.0.2/32 -D 222.0.0.2/32 1723 ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P tcp -D 199.0.0.2/32 -S 222.0.0.2/32 1723 ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P tcp -S 199.0.0.3/32 -D 222.0.0.2/32 1723 ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P tcp -D 199.0.0.3/32 -S 222.0.0.2/32 1723 # Block all other TCP and UDP traffic from the internet. # This is essentially a "default deny TCP/UDP" that # only applies to the internet interface. ipfwadm -I -a deny -W eth1 -V 200.200.200.200 -P tcp ipfwadm -I -a deny -W eth1 -V 200.200.200.200 -P udp # Specify the acceptable clients explicitly for tighter security. # Note that this is too open since we're forced to # specify "-P all" rather than "-P 47" or "-P 50"... # Allow the PPTP data channel and IPsec ESP traffic in and out. ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P all -S 199.0.0.2/32 -D 222.0.0.2/32 ipfwadm -0 -a accept -W eth1 -V 200.200.200.200 -P all -D 199.0.0.2/32 -S 222.0.0.2/32 ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P all -S 199.0.0.3/32 -D 222.0.0.2/32 ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P all -D 199.0.0.3/32 -S 222.0.0.2/32 # Block all other traffic from the internet. # This is essentially a "default deny" that # only applies to the internet interface. ipfwadm -I -a deny -W eth1 -V 200.200.200.200
If you are installing firewall rules on forwarding and/or rules on the inner interface, you will have do do something similar. The above example only covers VPN traffic; you will have to merge it into your existing firewall setup to allow any other traffic you need.
Setting up a registered-IP VPN client behind a Linux firewall is similar to setting up a registered-IP VPN server.
The firewall rules will look something like this:
# Allow the IPsec ISAKMP traffic out and in. ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P udp -S 222.0.0.2/32 500 -D 199.0.0.1/32 500 ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P udp -D 222.0.0.2/32 500 -S 199.0.0.1/32 500 # Allow the PPTP control channel out and in. ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P tcp -S 222.0.0.2/32 -D 199.0.0.1/32 1723 ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P tcp -D 222.0.0.2/32 -S 199.0.0.1/32 1723 # Block all other TCP and UDP traffic from the internet. # This is essentially a "default deny TCP/UDP" that # only applies to the internet interface. ipfwadm -I -a deny -W eth1 -V 200.200.200.200 -P tcp ipfwadm -I -a deny -W eth1 -V 200.200.200.200 -P udp # Note that this is too open since we're forced to # specify "-P all" rather than "-P 47" or "-P 50"... # Allow the PPTP data channel and IPsec ESP traffic out and in ipfwadm -O -a accept -W eth1 -V 200.200.200.200 -P all -S 222.0.0.2/32 -D 199.0.0.1/32 ipfwadm -I -a accept -W eth1 -V 200.200.200.200 -P all -D 222.0.0.2/32 -S 199.0.0.1/32 # Block all other traffic from the internet. # This is essentially a "default deny" that # only applies to the internet interface. ipfwadm -I -a deny -W eth1 -V 200.200.200.200
Setting up a registered-IP VPN server behind a Linux firewall is a simple matter of making sure the appropriate routing and packet-filter commands are in place. Masquerading is not required.
The firewall rules will look something like this:
# Specify the acceptable clients explicitly for tighter security. # Allow the IPsec ISAKMP traffic in and out. ipchains -A input -j ACCEPT -p udp -s 199.0.0.2/32 500 -d 222.0.0.2/32 500 -i eth1 ipchains -A output -j ACCEPT -p udp -d 199.0.0.2/32 500 -s 222.0.0.2/32 500 -i eth1 ipchains -A input -j ACCEPT -p udp -s 199.0.0.3/32 500 -d 222.0.0.2/32 500 -i eth1 ipchains -A output -j ACCEPT -p udp -d 199.0.0.3/32 500 -s 222.0.0.2/32 500 -i eth1 # Allow the IPsec ESP traffic in and out. ipchains -A input -j ACCEPT -p 50 -s 199.0.0.2/32 -d 222.0.0.2/32 -i eth1 ipchains -A output -j ACCEPT -p 50 -d 199.0.0.2/32 -s 222.0.0.2/32 -i eth1 ipchains -A input -j ACCEPT -p 50 -s 199.0.0.3/32 -d 222.0.0.2/32 -i eth1 ipchains -A output -j ACCEPT -p 50 -d 199.0.0.3/32 -s 222.0.0.2/32 -i eth1 # Allow the PPTP control channel in and out. ipchains -A input -j ACCEPT -p tcp -s 199.0.0.2/32 -d 222.0.0.2/32 1723 -i eth1 ipchains -A output -j ACCEPT -p tcp -d 199.0.0.2/32 -s 222.0.0.2/32 1723 -i eth1 ipchains -A input -j ACCEPT -p tcp -s 199.0.0.3/32 -d 222.0.0.2/32 1723 -i eth1 ipchains -A output -j ACCEPT -p tcp -d 199.0.0.3/32 -s 222.0.0.2/32 1723 -i eth1 # Allow the PPTP tunnel in and out. ipchains -A input -j ACCEPT -p 47 -s 199.0.0.2/32 -d 222.0.0.2/32 -i eth1 ipchains -A output -j ACCEPT -p 47 -d 199.0.0.2/32 -s 222.0.0.2/32 -i eth1 ipchains -A input -j ACCEPT -p 47 -s 199.0.0.3/32 -d 222.0.0.2/32 -i eth1 ipchains -A output -j ACCEPT -p 47 -d 199.0.0.3/32 -s 222.0.0.2/32 -i eth1
If you are installing firewall rules on forwarding and/or rules on the inner interface, you will have do do something similar. The above example only covers VPN traffic; you will have to merge it into your existing firewall setup to allow any other traffic you need.
Setting up a registered-IP VPN client behind a Linux firewall is similar to setting up a registered-IP VPN server.
The firewall rules will look something like this:
# Allow the IPsec ISAKMP traffic out and in. ipchains -A output -j ACCEPT -p udp -s 222.0.0.2/32 500 -d 199.0.0.1/32 500 -i eth1 ipchains -A input -j ACCEPT -p udp -d 222.0.0.2/32 500 -s 199.0.0.1/32 500 -i eth1 # Allow the IPsec ESP traffic out and in. ipchains -A output -j ACCEPT -p 50 -s 222.0.0.2/32 -d 199.0.0.1/32 -i eth1 ipchains -A input -j ACCEPT -p 50 -d 222.0.0.2/32 -s 199.0.0.1/32 -i eth1 # Allow the PPTP control channel out and in. ipchains -A output -j ACCEPT -p tcp -s 222.0.0.2/32 -d 199.0.0.1/32 1723 -i eth1 ipchains -A input -j ACCEPT -p tcp -d 222.0.0.2/32 -s 199.0.0.1/32 1723 -i eth1 # Allow the PPTP tunnel out and in. ipchains -A output -j ACCEPT -p 47 -s 222.0.0.2/32 -d 199.0.0.1/32 -i eth1 ipchains -A input -j ACCEPT -p 47 -d 222.0.0.2/32 -s 199.0.0.1/32 -i eth1
The Linux Router Project at http://www.linuxrouter.org/ provides a Linux-based firewall-on-a-floppy kit. With a '386 PC, two network cards, and a diskette drive, you can set up a full-featured masquerading firewall. No hard disk is needed.
VPN Masquerade is supposed to be included in LRP version 2.2.9 - to verify it is available, see if ip_masq_ipsec
or ip_masq_pptp
are listed in the loadable modules in Package Settings -> Modules
, or grep /proc/ksyms
as described above. If you want to add VPN masquerade to an earlier version of LRP then somebody on the LRP mailing list may be able to provide a diskette image for you, or you can roll your own kernel using the instructions available on the LRP home page.
The firewall rules would be added to the startup script file in Network Settings -> Direct Network Setup
.
If you are going to be using the firewall as an IPsec gateway with FreeS/WAN, you must not enable IPsec masquerade. If you are going to be using the firewall as a PPTP server with PoPToP, or a PPTP client using the Linux PPTP client software, you must not enable PPTP masquerade.
VPN masquerade and a VPN client or server using the same protocols cannot at this time coexist on the same computer.
Your firewall can, however, be a FreeS/WAN IPsec VPN gateway while masquerading PPTP traffic, or vice-versa.