LinuxVPNtoPfsense-Linux-Firewall: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 23: | Zeile 23: | ||
=VPN= | =VPN= | ||
| + | ==IPsec== | ||
* cat /etc/ipsec.conf | * cat /etc/ipsec.conf | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Zeile 42: | Zeile 43: | ||
10.66.252.40 10.66.252.10 : PSK "sysadm" | 10.66.252.40 10.66.252.10 : PSK "sysadm" | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | |||
| + | ==OpenVPN== | ||
| + | *COMMONNAME=openvpn-linux | ||
| + | *openssl genrsa -aes256 -out ca.key 4096 | ||
| + | *openssl req -new -key ca.key -x509 -days 3650 -out ca.crt | ||
| + | *openssl genrsa -out $COMMONNAME.key 4096 | ||
| + | *openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr | ||
| + | *openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt | ||
| + | *cp ca.crt openvpn-linux.crt openvpn-linux.key /etc/openvpn/ | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | |||
| + | </syntaxhighlight> | ||
| + | |||
=Firewall= | =Firewall= | ||
Version vom 8. Februar 2022, 08:19 Uhr
Interface
- cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto ens160
iface ens160 inet static
address 10.66.252.40
netmask 255.255.255.0
gateway 10.66.252.1
auto ens192
iface ens192 inet static
address 10.66.254.1
netmask 255.255.255.0
auto ens224
iface ens224 inet static
address 10.66.248.1
netmask 255.255.255.0
VPN
IPsec
- cat /etc/ipsec.conf
conn linux2pfsense
authby=secret
keyexchange=ikev1
left=10.66.252.40
leftsubnet=10.66.254.0/24
right=10.66.252.10
rightsubnet=10.66.253.0/24
ike=aes256-sha512-modp4096
esp=aes256-sha512-modp4096
ikelifetime=28800
keylife=3600
auto=start
- cat /etc/ipsec.conf
10.66.252.40 10.66.252.10 : PSK "sysadm"
OpenVPN
- COMMONNAME=openvpn-linux
- openssl genrsa -aes256 -out ca.key 4096
- openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
- openssl genrsa -out $COMMONNAME.key 4096
- openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
- openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt
- cp ca.crt openvpn-linux.crt openvpn-linux.key /etc/openvpn/
Firewall
#!/bin/bash
WANIP=10.66.252.40
WANDEV=ens160
LANDEV=ens192
DMZDEV=ens224
SERVER_DMZ_1=10.66.248.100
COMPUTER_LAN_1=10.66.254.100
LAN=10.66.254.0/24
OTH=10.66.253.0/24
VPNDEV=tun0
case $1 in
start)
echo "starte firewall"
echo flushen der Regeln
iptables -F
iptables -F -t nat
echo "setzen der Default Policy"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8472 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 500,4500,5000 -m state --state NEW -j ACCEPT
iptables -A INPUT -p esp -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $VPNDEV -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p udp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p icmp -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WANDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WANDEV -o $DMZDEV -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WANDEV -o $LANDEV -p tcp -m multiport --dport 80,443 -d $COMPUTER_LAN_1 -m state --state NEW -j ACCEPT
# iptables -A FORWARD -j ACCEPT
iptables -A FORWARD -i $LANDEV -o $WANDEV -s $LAN -d $OTH -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WANDEV -o $LANDEV -s $OTH -d $LAN -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WANDEV -s $LAN -d $OTH -j RETURN
iptables -t nat -A POSTROUTING -o $WANDEV -j SNAT --to-source $WANIP
iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 80 --to $COMPUTER_LAN_1
iptables -t nat -A PREROUTING -i $WANDEV -j DNAT -p tcp --dport 443 --to $COMPUTER_LAN_1
iptables -A INPUT -j LOG --log-prefix "--iptables-in--"
iptables -A OUTPUT -j LOG --log-prefix "--iptables-out--"
iptables -A FORWARD -j LOG --log-prefix "--iptables-for--"
;;
stop)
echo "stoppe firewall"
echo flushen der Regeln
iptables -F
iptables -F -t nat
echo "setzen der Default Policy"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
*)
echo "usage: $0 start|stop"
;;
esac
Ip forward
- cat /proc/sys/net/ipv4/ip_forward
1