LinuxVPNtoPfsense-Linux-Firewall: Unterschied zwischen den Versionen
| Zeile 1: | Zeile 1: | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
=VPN= | =VPN= | ||
Version vom 8. Februar 2022, 09:41 Uhr
VPN
IPsec
- cat /etc/ipsec.conf
# strongSwan ipsec.conf: site-to-site tunnel from this Linux host (left) to the pfSense peer (right).
# Proposals, subnets and lifetimes must match the pfSense phase 1 / phase 2 settings exactly.
conn linux2pfsense
# Pre-shared-key authentication; the key itself is kept in /etc/ipsec.secrets (see below).
authby=secret
# IKEv1 is the legacy protocol. NOTE(review): prefer keyexchange=ikev2 if the pfSense side supports it.
keyexchange=ikev1
# Local tunnel endpoint (this host's WAN address) and the LAN behind it.
left=10.66.252.40
leftsubnet=10.66.254.0/24
# Remote tunnel endpoint (pfSense) and the network it fronts.
right=10.66.252.10
rightsubnet=10.66.253.0/24
# Phase 1 (IKE) and phase 2 (ESP) proposals: AES-256, HMAC-SHA-512, 4096-bit MODP Diffie-Hellman.
# The DH group on the esp= line enables PFS, so the pfSense phase 2 needs the same PFS group.
ike=aes256-sha512-modp4096
esp=aes256-sha512-modp4096
# IKE SA lifetime 28800 s (8 h) and IPsec SA lifetime 3600 s (1 h); keep them in step with the peer.
ikelifetime=28800
keylife=3600
# Bring the tunnel up as soon as the IKE daemon starts.
auto=start
- cat /etc/ipsec.secrets
# /etc/ipsec.secrets: "<left-ip> <right-ip> : PSK <key>" — the key used for this pair of tunnel endpoints.
# NOTE(review): "sysadm" is a short dictionary word and only acceptable as a lab placeholder. Use a long
# random key (e.g. `openssl rand -base64 48`) configured identically on pfSense, and keep this file
# root-owned with mode 0600.
10.66.252.40 10.66.252.10 : PSK "sysadm"
OpenVPN
# Minimal two-tier PKI for the OpenVPN peer: a self-signed CA, then one certificate for this
# host ($COMMONNAME) signed by that CA. All files are written to the current directory.
- COMMONNAME=openvpn-linux
# CA private key: 4096-bit RSA, AES-256 encrypted (openssl prompts for the passphrase).
- openssl genrsa -aes256 -out ca.key 4096
# Self-signed CA certificate valid 10 years; without -subj, req asks for the subject fields interactively.
- openssl req -new -key ca.key -x509 -days 3650 -out ca.crt
# Host private key. This one is NOT passphrase-protected, so it must be protected by file permissions.
- openssl genrsa -out $COMMONNAME.key 4096
# CSR for the host; the CN entered at the prompt is what the peer sees, so it should be $COMMONNAME.
- openssl req -new -key $COMMONNAME.key -out $COMMONNAME.csr
# Sign the CSR with the CA for 2 years; -CAcreateserial creates ca.srl on first use.
# NOTE(review): no -extfile is passed, so the certificate carries no basicConstraints/extendedKeyUsage.
# A peer that enforces remote-cert-tls / EKU may reject it — confirm against the pfSense OpenVPN settings.
- openssl x509 -req -days 730 -in $COMMONNAME.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $COMMONNAME.crt
# Install into the OpenVPN directory. NOTE(review): the file names are hard-coded instead of using
# $COMMONNAME, and cp keeps the umask-derived mode; use `install -m 0600` (or chmod 600) for the .key
# so that only root can read it.
- cp ca.crt openvpn-linux.crt openvpn-linux.key /etc/openvpn/
Firewall
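#!/bin/bash
# Stateful iptables firewall for the Linux VPN gateway (WAN / LAN / DMZ, IPsec to pfSense, OpenVPN tun0).
#
# Usage: firewall.sh start|stop
#   start  flush filter + nat, set default-DROP policies, then load the explicit allow rules
#   stop   flush everything and fall back to default-ACCEPT (the host is then completely unfiltered)
#
# Requires net.ipv4.ip_forward=1, otherwise none of the FORWARD/NAT rules have any effect.
# The script fails closed: with set -e, an iptables error after the DROP policies are set leaves
# the host filtered rather than half-open.
set -euo pipefail

WANIP=10.66.252.40
WANDEV=ens160
LANDEV=ens192
DMZDEV=ens224
SERVER_DMZ_1=10.66.248.100   # NOTE(review): declared but not referenced by any rule (see the DMZ rule)
COMPUTER_LAN_1=10.66.254.100 # LAN host published on the WAN address (ports 80/443)
LAN=10.66.254.0/24
OTH=10.66.253.0/24           # remote network behind the pfSense IPsec peer
IPSEC_PEER=10.66.252.10      # pfSense tunnel endpoint (right= in ipsec.conf)
VPNDEV=tun0                  # OpenVPN interface

# Flush the built-in chains and drop user-defined chains in the filter and nat tables.
fw_flush() {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
}

# Load the default-deny rule set.
fw_start() {
  echo "starte firewall"
  echo flushen der Regeln
  fw_flush
  echo "setzen der Default Policy"
  # Default deny in all three chains; everything below is an explicit allow.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # Stateful shortcut: replies to already accepted connections pass everywhere.
  # NOTE(review): on FORWARD this also admits return traffic of LAN<->OTH flows without re-checking
  # the IPsec policy; only the NEW-state rules further down enforce it.
  iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

  # The gateway itself may open any outbound connection.
  iptables -A OUTPUT -m state --state NEW -j ACCEPT

  # ---- INPUT: what may talk to the gateway itself ----
  iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
  # TCP 8472: purpose not documented on this page (8472 is normally VXLAN, which is UDP) — verify.
  iptables -A INPUT -p tcp --dport 8472 -m state --state NEW -j ACCEPT
  # IKE (500), NAT-T (4500) and ESP, accepted only from the configured IPsec peer instead of from anywhere.
  iptables -A INPUT -s "$IPSEC_PEER" -p udp -m multiport --dports 500,4500 -m state --state NEW -j ACCEPT
  iptables -A INPUT -s "$IPSEC_PEER" -p esp -m state --state NEW -j ACCEPT
  # UDP 5000 was listed together with the IKE ports; it is not an IPsec port and its purpose is not
  # documented here — verify that it is still needed, otherwise remove it.
  iptables -A INPUT -p udp --dport 5000 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT
  # NOTE(review): no rule admits management traffic (e.g. SSH from $LAN); once this runs the gateway
  # is only reachable on the console unless such a rule is added here.

  # ---- FORWARD: traffic routed through the gateway ----
  # Anything arriving from the OpenVPN tunnel may go anywhere (LAN, DMZ and WAN).
  # NOTE(review): this also lets OpenVPN peers use the gateway as a relay to the WAN; add
  # -o "$LANDEV" / -o "$DMZDEV" variants instead if that is not intended.
  iptables -A FORWARD -i "$VPNDEV" -m state --state NEW -j ACCEPT
  # Egress from any internal interface to the WAN: DNS to 8.8.8.8 only, ping, HTTP/HTTPS.
  iptables -A FORWARD -o "$WANDEV" -p tcp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
  iptables -A FORWARD -o "$WANDEV" -p udp -d 8.8.8.8 --dport 53 -m state --state NEW -j ACCEPT
  iptables -A FORWARD -o "$WANDEV" -p icmp -m state --state NEW -j ACCEPT
  iptables -A FORWARD -o "$WANDEV" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  # Inbound web traffic from the WAN into the DMZ.
  # NOTE(review): no DNAT below targets the DMZ, so this only matters if the DMZ is routed from the WAN;
  # consider narrowing it to -d "$SERVER_DMZ_1", which is otherwise unused.
  iptables -A FORWARD -i "$WANDEV" -o "$DMZDEV" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
  # Inbound web traffic to the published LAN host (pairs with the DNAT rules below).
  iptables -A FORWARD -i "$WANDEV" -o "$LANDEV" -p tcp -m multiport --dports 80,443 -d "$COMPUTER_LAN_1" -m state --state NEW -j ACCEPT
  # Debug catch-all; must stay disabled in production:
  # iptables -A FORWARD -j ACCEPT
  # Site-to-site traffic between LAN and the remote network is forwarded only when it is actually
  # covered by an IPsec policy, so plaintext LAN<->OTH traffic stays blocked.
  iptables -A FORWARD -i "$LANDEV" -o "$WANDEV" -s "$LAN" -d "$OTH" -m policy --dir out --pol ipsec -m state --state NEW -j ACCEPT
  iptables -A FORWARD -i "$WANDEV" -o "$LANDEV" -s "$OTH" -d "$LAN" -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT

  # ---- NAT ----
  # Do not SNAT LAN->OTH: it has to enter the tunnel with its real source so the IPsec policy matches.
  iptables -t nat -A POSTROUTING -o "$WANDEV" -s "$LAN" -d "$OTH" -j RETURN
  # Everything else leaving the WAN interface is source-NATed to the WAN address.
  iptables -t nat -A POSTROUTING -o "$WANDEV" -j SNAT --to-source "$WANIP"
  # Publish the LAN host's web ports on the WAN address.
  iptables -t nat -A PREROUTING -i "$WANDEV" -p tcp --dport 80  -j DNAT --to-destination "$COMPUTER_LAN_1"
  iptables -t nat -A PREROUTING -i "$WANDEV" -p tcp --dport 443 -j DNAT --to-destination "$COMPUTER_LAN_1"

  # ---- Logging ----
  # Whatever falls through is logged before the DROP policy applies. Rate-limited so that a flood
  # of rejected packets cannot fill the disk / drown the syslog.
  iptables -A INPUT   -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "--iptables-in--"
  iptables -A OUTPUT  -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "--iptables-out--"
  iptables -A FORWARD -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "--iptables-for--"

  # ---- IPv6 ----
  # iptables only covers IPv4; without this, every IPv6 address on the host is left wide open.
  # Default-deny it as well, allowing only loopback, replies and ICMPv6 (needed for neighbour discovery).
  if command -v ip6tables >/dev/null 2>&1; then
    ip6tables -F
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT DROP
    ip6tables -P FORWARD DROP
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
    ip6tables -A OUTPUT -j ACCEPT
  fi
}

# Remove all rules and open the host completely (default ACCEPT).
fw_stop() {
  echo "stoppe firewall"
  echo flushen der Regeln
  fw_flush
  echo "setzen der Default Policy"
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  if command -v ip6tables >/dev/null 2>&1; then
    ip6tables -F
    ip6tables -P INPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
  fi
}

# Print the usage line.
fw_usage() {
  echo "usage: $0 start|stop"
}

# "${1:-}" keeps set -u happy when the script is called without an argument.
case "${1:-}" in
  start) fw_start ;;
  stop)  fw_stop ;;
  *)     fw_usage ;;
esac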
IP forwarding
- cat /proc/sys/net/ipv4/ip_forward
1
The value must be 1, otherwise none of the FORWARD/NAT rules above take effect; to make it survive a reboot set net.ipv4.ip_forward = 1 in /etc/sysctl.d/ (reading /proc only shows the current runtime state).