[strongSwan] IPsec drop policies 2

reterverv ercertecrterc bernd1293 at inbox.lv
Tue Jan 21 14:33:59 CET 2020


> Mind providing me the output of "swanctl -q ; ip x p ; swanctl -P ; ip route show table all ; ip rule ; iptables-save ; swanctl -u --child dropall", please?

Hello.

Here is the output (the whole command list from your message, run as one line; since `swanctl -u --child dropall` is the last command, the `ip x p` and `swanctl -P` dumps below still show the state with the `dropall` block policies installed, and the trailing "uninstall completed successfully" is the only effect of the `-u`):

-------------
root at OpenWrt:~# swanctl -q ; ip x p ; swanctl -P ; ip route show table all ; ip rule ; iptables-save ; swanctl -u --child dropall
curl SSL backend 'mbedTLS/2.16.3' not supported, https:// disabled
loaded eap secret 'eap-user'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'dropall'
loaded connection 'lan-passthrough'
loaded connection 'pp'
successfully loaded 3 connections, 0 unloaded
src 192.168.1.0/24 dst 192.168.1.0/24
        dir fwd priority 3
src 192.168.1.0/24 dst 192.168.1.0/24
        dir in priority 3
src 192.168.1.0/24 dst 192.168.1.0/24
        dir out priority 3
src 0.0.0.0/0 dst 0.0.0.0/0
        dir fwd action block priority 2
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in action block priority 2
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out action block priority 2
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
curl SSL backend 'mbedTLS/2.16.3' not supported, https:// disabled
dropall/dropall, DROP
  local:  0.0.0.0/0
  remote: 0.0.0.0/0
lan-passthrough/lan-passthrough, PASS
  local:  192.168.1.0/24
  remote: 192.168.1.0/24
192.168.1.0/24 dev br-lan table 220 proto static src 192.168.1.1
default via 109.91.76.1 dev eth0.2 proto static src 109.91.76.30
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.76.30
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 109.91.76.0 dev eth0.2 table local proto kernel scope link src 109.91.76.30
local 109.91.76.30 dev eth0.2 table local proto kernel scope host src 109.91.76.30
broadcast 109.91.79.255 dev eth0.2 table local proto kernel scope link src 109.91.76.30
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
default from 2a02:908:3000:3:148c:eb43:124d:8eed via fe80::201:5cff:fe92:9846 dev eth0.2 proto static metric 512 pref medium
default from 2a02:908:3035:c9a0::/59 via fe80::201:5cff:fe92:9846 dev eth0.2 proto static metric 512 pref medium
2a02:908:3035:c9a0::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a02:908:3035:c9a0::/59 dev lo proto static metric 2147483647 error -113 pref medium
fd9e:d1f:c529::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd9e:d1f:c529::/48 dev lo proto static metric 2147483647 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2a02:908:3000:3:148c:eb43:124d:8eed dev eth0.2 table local proto kernel metric 0 pref medium
anycast 2a02:908:3035:c9a0:: dev br-lan table local proto kernel metric 0 pref medium
local 2a02:908:3035:c9a0::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd9e:d1f:c529:: dev br-lan table local proto kernel metric 0 pref medium
local fd9e:d1f:c529::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::da50:e6ff:fe4f:9848 dev eth0 table local proto kernel metric 0 pref medium
local fe80::da50:e6ff:fe4f:9848 dev br-lan table local proto kernel metric 0 pref medium
local fe80::da50:e6ff:fe4f:9849 dev eth0.2 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.6.2 on Tue Jan 21 13:27:14 2020
*nat
:PREROUTING ACCEPT [28:1651]
:INPUT ACCEPT [10:660]
:OUTPUT ACCEPT [28:1966]
:POSTROUTING ACCEPT [2:136]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Jan 21 13:27:14 2020
# Generated by iptables-save v1.6.2 on Tue Jan 21 13:27:14 2020
*mangle
:PREROUTING ACCEPT [389:136275]
:INPUT ACCEPT [137:11932]
:FORWARD ACCEPT [251:124302]
:OUTPUT ACCEPT [80:7294]
:POSTROUTING ACCEPT [320:131156]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jan 21 13:27:14 2020
# Generated by iptables-save v1.6.2 on Tue Jan 21 13:27:14 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Jan 21 13:27:14 2020
curl SSL backend 'mbedTLS/2.16.3' not supported, https:// disabled
uninstall completed successfully
---------------

Best regards

Bernd


