[strongSwan] StrongSWAN and AVM Fritzbox - Help!

Rene Bartsch ml at bartschnet.de
Sat Feb 12 21:30:49 CET 2011


On Sat, 12 Feb 2011 21:10:41 +0100, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> On 02/12/2011 08:58 PM, Rene Bartsch wrote:
>> Hello Andreas,
>>
>> I've added the rules
>>
>> iptables -t filter -A INPUT -d <public IP> -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
>> iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
>> iptables -t filter -A INPUT -d <public IP> -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT
>>
> You also need corresponding OUTPUT rules

Default policy for OUTPUT is "ACCEPT". I usually allow any outgoing
connections, drop any incoming connections and allow only necessary
incoming connections.

>> and StrongSWAN added the rules
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  192.168.177.0/24     192.168.176.0/24    policy match dir in pol ipsec reqid 16385 proto esp
>> ACCEPT     all  --  192.168.176.0/24     192.168.177.0/24    policy match dir out pol ipsec reqid 16385 proto esp
>>
> These rules are inserted automatically by the _updown script. Make sure
> that IP forwarding is enabled (echo "1" > /proc/sys/net/ipv4/ip_forward).

It is via sysctl.conf

And it's more weird that "nmap -PN -p 500 <public ip>" shows the port in
"filtered" state from a host on the fritzbox and "closed" state on the
StrongSWAN box itself.


My IPTables rules:

*filter
:INPUT   DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT  ACCEPT [86:9176]

-A INPUT -i lo -m comment --comment "ACCEPT loopback device" -j ACCEPT
-A INPUT -i dummy0 -m comment --comment "ACCEPT dummy0 device" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "ACCEPT existing connections" -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type echo-reply -m comment --comment "ACCEPT ICMP echo-reply" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -m comment --comment "ACCEPT ICMP echo-request" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -m comment --comment "ACCEPT ICMP time-exceeded" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type source-quench -m comment --comment "ACCEPT ICMP source-quench" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type port-unreachable -m comment --comment "ACCEPT ICMP port-unreachable" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -m comment --comment "ACCEPT ICMP parameter-problem" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type fragmentation-needed -m comment --comment "ACCEPT ICMP fragmentation-needed" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -m comment --comment "ACCEPT ICMP destination-unreachable" -j ACCEPT

-A INPUT -d xxx.xxx.xxx.102 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.102 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.102 -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT

-A INPUT -m state --state NEW -m recent --set --name DEFAULT --rsource -m comment --comment "Store connection requests"
-A INPUT -d xxx.xxx.xxx.102 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 240 --hitcount 10 --name DEFAULT --rsource -m comment --comment "DROP SSH Brute-Force-Attacks" -j DROP
-A INPUT -d xxx.xxx.xxx.102 -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ACCEPT SSH connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20 -p tcp -m tcp --dport 21 -m state --state NEW -m comment --comment "ACCEPT FTP connections" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m comment --comment "ACCEPT SMTP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20 -p udp -m udp --dport 53 -m state --state NEW -m comment --comment "ACCEPT DNS UDP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20 -p tcp -m tcp --dport 53 -m state --state NEW -m comment --comment "ACCEPT DNS TCP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "ACCEPT HTTP connections" -j ACCEPT
-A INPUT -d xxx.xxx.xxx.20 -p tcp -m tcp --dport 443 -m state --state NEW -m comment --comment "ACCEPT HTTPS connections" -j ACCEPT

COMMIT


Regards,

Renne
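Editor's note, added to this thread and not code from the poster or from the strongSwan project: the checker below parses an iptables-save dump in the format posted above and reports which of the rules a strongSwan gateway depends on are missing. It encodes the two points Andreas makes: reply traffic needs OUTPUT to allow IKE, NAT-T and ESP (a default ACCEPT policy is sufficient, as in this ruleset), and with FORWARD set to DROP the traffic between the two LANs only passes because of the '-m policy --pol ipsec' rules the _updown script inserts once the CHILD_SA is up, so a dump taken while the tunnel is down is expected to flag FORWARD. The sample dump is constructed from the posted rules with the documentation address 203.0.113.102 standing in for the masked xxx.xxx.xxx.102. On the nmap observation in the mail: without -sU, nmap -p 500 sends a TCP probe, which a DROP policy silently discards from a remote host ("filtered") while the loopback ACCEPT rule lets it reach a closed TCP port locally ("closed"); a UDP scan is the relevant check for IKE, and behind a DROP policy it reports open|filtered, so a successful IKE exchange in the strongSwan log is the more useful evidence.

```python
"""Check an iptables-save dump for the rules an IPsec/IKE gateway needs.
Added example for this thread; not strongSwan code and not the poster's."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the ruleset posted in the thread.
# 203.0.113.102 is a documentation placeholder for xxx.xxx.xxx.102.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [86:9176]
-A INPUT -i lo -m comment --comment "ACCEPT loopback device" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "ACCEPT existing connections" -j ACCEPT
-A INPUT -d 203.0.113.102 -p esp -m comment --comment "ACCEPT IPSec ESP" -j ACCEPT
-A INPUT -d 203.0.113.102 -p udp -m udp --dport 500 -m comment --comment "ACCEPT IPSec IKE" -j ACCEPT
-A INPUT -d 203.0.113.102 -p udp -m udp --dport 4500 -m comment --comment "ACCEPT IPSec NAT-T" -j ACCEPT
-A INPUT -d 203.0.113.102 -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "ACCEPT SSH connections" -j ACCEPT
COMMIT
"""

# The FORWARD rules the _updown script adds for the CHILD_SA from the mail,
# written out in iptables-save syntax (constructed from the posted listing).
UPDOWN_FORWARD_RULES = """\
-A FORWARD -s 192.168.177.0/24 -d 192.168.176.0/24 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 192.168.176.0/24 -d 192.168.177.0/24 -m policy --dir out --pol ipsec --reqid 16385 --proto esp -j ACCEPT
"""


@dataclass
class Rule:
    chain: str
    proto: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None
    ipsec_policy: bool = False  # True for '-m policy --pol ipsec' rules


def parse_iptables_save(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return ({chain: policy}, [Rule]) for the filter table of a dump."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    in_filter = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):               # table header such as '*filter'
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):               # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)               # keeps quoted --comment text intact
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = Rule(chain=toks[1])
        for opt, val in zip(toks[2:], toks[3:]):   # scan option/value pairs
            if opt == "-p":
                rule.proto = val
            elif opt == "--dport":
                rule.dport = val
            elif opt == "-j":
                rule.target = val
            elif opt == "--pol" and val == "ipsec":
                rule.ipsec_policy = True
        rules.append(rule)
    return policies, rules


# (protocol, destination port, label) that INPUT must accept on a responder
REQUIRED = (("udp", "500", "IKE (UDP/500)"),
            ("udp", "4500", "IKE NAT-T (UDP/4500)"),
            ("esp", None, "ESP"))


def accepts(rules: List[Rule], chain: str, proto: str, dport: Optional[str]) -> bool:
    return any(r.chain == chain and r.target == "ACCEPT"
               and r.proto == proto and r.dport == dport for r in rules)


def check_ipsec_firewall(text: str) -> List[str]:
    """Return findings for the dump; an empty list means it passes."""
    policies, rules = parse_iptables_save(text)
    findings = []
    for proto, dport, label in REQUIRED:
        if not accepts(rules, "INPUT", proto, dport):
            findings.append(f"INPUT does not accept {label}")
        # Replies must get out: a default ACCEPT covers it, otherwise an
        # explicit OUTPUT rule per protocol is needed.
        if policies.get("OUTPUT") != "ACCEPT" and not accepts(rules, "OUTPUT", proto, dport):
            findings.append(f"OUTPUT policy is {policies.get('OUTPUT')} and has no rule for {label}")
    # With FORWARD DROP, tunnelled LAN traffic passes only via the
    # '-m policy --pol ipsec' rules the _updown script adds while the SA is up.
    if policies.get("FORWARD") == "DROP" and not any(
            r.chain == "FORWARD" and r.ipsec_policy and r.target == "ACCEPT" for r in rules):
        findings.append("FORWARD policy is DROP and no ACCEPT rule with '-m policy --pol ipsec' "
                        "is present (tunnel down, or the _updown script did not run)")
    return findings


def with_tunnel_up(dump: str) -> str:
    """Insert the _updown FORWARD rules before COMMIT, as a live tunnel would."""
    return dump.replace("COMMIT\n", UPDOWN_FORWARD_RULES + "COMMIT\n")


if __name__ == "__main__":
    for name, dump in (("tunnel down", SAMPLE_DUMP), ("tunnel up", with_tunnel_up(SAMPLE_DUMP))):
        print(name, "->", check_ipsec_firewall(dump) or ["ok"])
```

On a real gateway, feed it the output of iptables-save (for example by reading it from a file) once with the tunnel down and once after "ipsec up"; the FORWARD finding should disappear on the second run, which confirms the _updown script is inserting its rules.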
