LinuxVPNtoPfsense-Linux-Firewall: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(→VPN) |
|||
| Zeile 1: | Zeile 1: | ||
=Interface= | =Interface= | ||
*cat /etc/network/interfaces | *cat /etc/network/interfaces | ||
| − | < | + | <syntaxhighlight lang="bash"> |
auto lo | auto lo | ||
iface lo inet loopback | iface lo inet loopback | ||
| Zeile 20: | Zeile 20: | ||
address 10.66.248.1 | address 10.66.248.1 | ||
netmask 255.255.255.0 | netmask 255.255.255.0 | ||
| − | </ | + | </syntaxhighlight> |
| + | |||
=VPN= | =VPN= | ||
* cat /etc/ipsec.conf | * cat /etc/ipsec.conf | ||
| − | < | + | <syntaxhighlight lang="bash"> |
conn linux2pfsense | conn linux2pfsense | ||
authby=secret | authby=secret | ||
| Zeile 36: | Zeile 37: | ||
keylife=3600 | keylife=3600 | ||
auto=start | auto=start | ||
| − | </ | + | </syntaxhighlight> |
* cat /etc/ipsec.conf | * cat /etc/ipsec.conf | ||
| − | + | <syntaxhighlight lang="bash"> | |
| + | 10.66.252.40 10.66.252.10 : PSK "sysadm" | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | =Firewall= | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | #!/bin/bash | ||
| + | WANIP=10.66.252.40 | ||
| + | WANDEV=ens160 | ||
| + | LANDEV=ens192 | ||
| + | DMZDEV=ens224 | ||
| + | SERVER_DMZ_1=10.66.248.100 | ||
| + | COMPUTER_LAN_1=10.66.254.100 | ||
| + | LAN=10.66.254.0/24 | ||
| + | OTH=10.66.253.0/24 | ||
| + | VPNDEV=tun0 | ||
| + | case $1 in | ||
| + | start) | ||
| + | echo "starte firewall" | ||
| + | echo flushen der Regeln | ||
| + | iptables -F | ||
| + | iptables -F -t nat | ||
| + | echo "setzen der Default Policy" | ||
| + | iptables -P INPUT DROP | ||
| + | iptables -P OUTPUT DROP | ||
| + | iptables -P FORWARD DROP | ||
| + | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | iptables -A OUTPUT -m state --state NEW -j ACCEPT | ||
| + | iptables -A INPUT -i lo -m state --state NEW -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport 8472 -m state --state NEW -j ACCEPT | ||
| + | iptables -A INPUT -p udp -m multiport --dport 500,4500,5000 -m state --state NEW -j ACCEPT | ||
| + | iptables -A INPUT -p esp -m state --state NEW -j ACCEPT | ||
| + | iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -i $VPNDEV -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -o $WANDEV -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -o $WANDEV -p udp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -o $WANDEV -p icmp -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -o $WANDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -i $WANDEV -o $DMZDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -i $WANDEV -o $LANDEV -p tcp -m multiport --dport 80,443 -d $COMPUTER_LAN_1 -m state --state NEW -j ACCEPT | ||
| + | # iptables -A FORWARD -j ACCEPT | ||
| + | iptables -A FORWARD -i $LANDEV -o $WANDEV -s $LAN -d $OTH -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT | ||
| + | iptables -A FORWARD -i $WANDEV -o $LANDEV -s $OTH -d $LAN -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT | ||
| + | |||
| + | |||
| + | iptables -t nat -A POSTROUTING -o $WANDEV -s $LAN -d $OTH -j RETURN | ||
| + | iptables -t nat -A POSTROUTING -o $WANDEV -j SNAT --to-source $WANIP | ||
| + | iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 80 --to $COMPUTER_LAN_1 | ||
| + | iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 443 --to $COMPUTER_LAN_1 | ||
| + | |||
| + | iptables -A INPUT -j LOG --log-prefix "--iptables-in--" | ||
| + | iptables -A OUTPUT -j LOG --log-prefix "--iptables-out--" | ||
| + | iptables -A FORWARD -j LOG --log-prefix "--iptables-for--" | ||
| + | ;; | ||
| + | stop) | ||
| + | echo "stoppe firewall" | ||
| + | echo flushen der Regeln | ||
| + | iptables -F | ||
| + | iptables -F -t nat | ||
| + | echo "setzen der Default Policy" | ||
| + | iptables -P INPUT ACCEPT | ||
| + | iptables -P OUTPUT ACCEPT | ||
| + | iptables -P FORWARD ACCEPT | ||
| + | ;; | ||
| + | *) | ||
| + | echo "usage: $0 start|stop" | ||
| + | ;; | ||
| + | esac | ||
| + | </syntaxhighlight> | ||
Version vom 8. Februar 2022, 07:58 Uhr
Interface
- cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto ens160
iface ens160 inet static
address 10.66.252.40
netmask 255.255.255.0
gateway 10.66.252.1
auto ens192
iface ens192 inet static
address 10.66.254.1
netmask 255.255.255.0
auto ens224
iface ens224 inet static
address 10.66.248.1
netmask 255.255.255.0
VPN
- cat /etc/ipsec.conf
conn linux2pfsense
authby=secret
keyexchange=ikev1
left=10.66.252.40
leftsubnet=10.66.254.0/24
right=10.66.252.10
rightsubnet=10.66.253.0/24
ike=aes256-sha512-modp4096
esp=aes256-sha512-modp4096
ikelifetime=28800
keylife=3600
auto=start
- cat /etc/ipsec.conf
10.66.252.40 10.66.252.10 : PSK "sysadm"
Firewall
#!/bin/bash
WANIP=10.66.252.40
WANDEV=ens160
LANDEV=ens192
DMZDEV=ens224
SERVER_DMZ_1=10.66.248.100
COMPUTER_LAN_1=10.66.254.100
LAN=10.66.254.0/24
OTH=10.66.253.0/24
VPNDEV=tun0
case $1 in
start)
echo "starte firewall"
echo flushen der Regeln
iptables -F
iptables -F -t nat
echo "setzen der Default Policy"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8472 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 500,4500,5000 -m state --state NEW -j ACCEPT
iptables -A INPUT -p esp -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $VPNDEV -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p udp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p icmp -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WANDEV -o $DMZDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WANDEV -o $LANDEV -p tcp -m multiport --dport 80,443 -d $COMPUTER_LAN_1 -m state --state NEW -j ACCEPT
# iptables -A FORWARD -j ACCEPT
iptables -A FORWARD -i $LANDEV -o $WANDEV -s $LAN -d $OTH -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WANDEV -o $LANDEV -s $OTH -d $LAN -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WANDEV -s $LAN -d $OTH -j RETURN
iptables -t nat -A POSTROUTING -o $WANDEV -j SNAT --to-source $WANIP
iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 80 --to $COMPUTER_LAN_1
iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 443 --to $COMPUTER_LAN_1
iptables -A INPUT -j LOG --log-prefix "--iptables-in--"
iptables -A OUTPUT -j LOG --log-prefix "--iptables-out--"
iptables -A FORWARD -j LOG --log-prefix "--iptables-for--"
;;
stop)
echo "stoppe firewall"
echo flushen der Regeln
iptables -F
iptables -F -t nat
echo "setzen der Default Policy"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
*)
echo "usage: $0 start|stop"
;;
esac