| Line 61: |
Line 61: |
| | yum install openswan | | yum install openswan |
| | <headertabs /> | | <headertabs /> |
| − | ===SME Server firewall configuration===
| |
| − | Since Openswan/ipsec is all about security and private connections, the SME Server firewall rules play a crucial part of a correct configuration.
| |
| − |
| |
| − | We need a new template fragment to allow ipsec through the firewall
| |
| − | mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
| |
| − | nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/15AllowIPsec
| |
| − |
| |
| − | Add the following code :
| |
| − |
| |
| − | # IPsec ports
| |
| − | /sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
| |
| − | /sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
| |
| − | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
| |
| − | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
| |
| − | /sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
| |
| − | /sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT
| |
| − | /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
| |
| − |
| |
| − | expand-template /etc/rc.d/init.d/masq
| |
| − | service masq restart
| |
| − |
| |
| − | We also need to disable redirects.
| |
| − | {{Note box | The below script will work for SME8 but NOT necessarily for SME9! Since in SME9 the NIC's have no longer fixed names like eth0 and eth1. We need to come up with an auto detect scipt. See experimental section below for an 'universal' approach for both SME8 and SME9. Feedback in the forum appreciated.}}
| |
| − |
| |
| − | I have the following code in a file called Disable_Redirects.sh and a link to it in /etc/rc.d/rc.local
| |
| − |
| |
| − | #!/bin/bash
| |
| − | # For OpenSwan
| |
| − | # Disable send redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
| |
| − | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
| |
| − | # Disable accept redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
| |
| − | echo 0 > /<sub>Subscript text</sub>proc/sys/net/ipv4/conf/eth1/accept_redirects
| |
| − | echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
| |
| − | # echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
| |
| − |
| |
| − |
| |
| − | ----
| |
| − | {{Note box|Experimental code to disable redirects for both SME8 and SME9}}
| |
| − | This is experimental. Please provide your feedback in the forums.
| |
| − |
| |
| − | To disable redirects (port forwarding) within the IPsec tnnels, we have to create a custom template that will disable these at boot time. To create the custom template execute the following commands as root (simplefied):
| |
| − | mkdir -p /etc/e-smith/templates/templates-custom/etc/sysctl.conf
| |
| − | nano -w /etc/e-smith/templates/templates-custom/etc/sysctl.conf/net.ipv4.ip_deny_redirects
| |
| − | Then copy the below contents so you can paste them into the above custom template:
| |
| − | # SME Server Openswan specifics
| |
| − | # Send redirects, No!
| |
| − | net.ipv4.conf.all.send_redirects = 0
| |
| − | net.ipv4.conf.default.send_redirects = 0
| |
| − | # Accept packets with SRR option? No!
| |
| − | net.ipv4.conf.all.accept_source_route = 0
| |
| − | # Accept Redirects? No!
| |
| − | net.ipv4.conf.all.accept_redirects = 0
| |
| − | net.ipv4.conf.all.secure_redirects = 0
| |
| − | Now we need to expand the newly created custome template:
| |
| − | expand-template /etc/sysctl.conf
| |
| − | and make them effective:
| |
| − | sysctl -p
| |
| − | Another way to disable/enable redirects on all interfaces on the fly from the console as root would be:
| |
| − | for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
| |
| − | for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
| |
| − | for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 0 > $f; done
| |
| − | (these last commands will work for sure on both SME8 and SME9, but that's not the sustainable SME Server way that will stick on reboots, updates and upgrades.)
| |
| − |
| |
| − | end of experimental section
| |
| − | ----
| |
| − |
| |
| | ==IPSEC server to server configuration== | | ==IPSEC server to server configuration== |
| | Openswan/IPSEC can be used to setup a secue and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. | | Openswan/IPSEC can be used to setup a secue and permanent VPN connection between a SME Server and another (local or remote) IPSEC enabled device such as a router. |
