Archive for the ‘NAD810’ Category

VPN with OpenSwan on Fedora 10 x64

April 12, 2009

The intention of this document is to guide you step by step through installing Openswan on Fedora Core 10.

=Hardware=

Toshiba laptop, Core 2 Duo, with 4 GB of DDR2 667 RAM.

=Operating System=

Fedora Core 10 x64
*Default configurations
*Updated

=Installation Process=

To install Openswan on both computers, follow the steps below:

==Packages to Install==
*openswan
*ipsec-tools
*curl

#yum -y install openswan ipsec-tools curl

==Generate the keys==

To generate the keys, type the command:
#ipsec newhostkey --output /etc/ipsec.d/keys.secrets --bits 2048 --hostname play2.milton.ca

Remember to do the same procedure on both computers, each with its own information.

After that, edit the key file, copy the public key part and paste it into /etc/ipsec.conf; then go to computer B, take its public key and paste it into the same configuration file.

'''Both computers must have the same configuration file'''

The configuration file of openswan is:

==/etc/ipsec.conf==

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
# Parameter lines inside a section must be indented; an unindented line
# starts a new section.

version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    protostack=netkey
    # Debug-logging controls: "none" for none, "all" for lots.
    klipsdebug=all
    #plutodebug="control parsing"
    plutodebug=all
    nat_traversal=no
    uniqueids=yes
    interfaces="ipsec0=eth0" # interface that connects the computers (only meaningful for the KLIPS stack)

# VPN connections
conn play2
    type=tunnel
    # Left security gateway, subnet behind it, next hop toward right.
    left=200.199.1.1 # output ip of computer A
    leftsubnet=192.168.0.0/24 # subnet of computer A
    # RSA 2048 bits
    leftrsasigkey=0sAQNj2pqKQARhiLkYakKhMJoovBacqR+6xh//2Bw2ZsgbOzl+wE5JOlFfTdD8Q+hWnyuULTl9c8O5fkrBcdDGWggF
    leftnexthop=200.199.1.1 # gateway of computer A
    leftsourceip=192.168.0.1 # internal ip of computer A
    # Right security gateway, subnet behind it, next hop toward left.
    right=200.199.1.2 # output ip of computer B
    rightnexthop=200.199.1.2 # gateway of computer B
    rightsubnet=172.16.1.0/24 # subnet of computer B
    rightsourceip=172.16.1.1 # internal ip of computer B
    # RSA 2048 bits
    rightrsasigkey=0zAQOJBXgYPyV3nJ9vxExcYfQd6PfWsVA6ubzZSUDYKdp/TGyvDRcDD43FwqPcKAD+0SAOc/w8b1QdWPY5gBoS0MdB
    # Authenticate both gateways with the RSA host keys above.
    authby=rsasig
    # auto=add authorizes this connection at startup without actually
    # starting it; auto=start would bring the tunnel up automatically.
    auto=add # former argument = start

include /etc/ipsec.d/*.conf
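To catch the usual mistakes before pasting the same file onto both computers (a key that is not the 0s-prefixed blob that ipsec newhostkey prints, authby left off, the two computers' keys swapped for one copy, overlapping subnets), here is an added checker that is not part of the tutorial. It parses the indented section/parameter layout shown above; the embedded configuration is constructed, and its key values are placeholders rather than real Openswan host keys.

```python
import ipaddress
# Constructed ipsec.conf in the tutorial's layout (not the tutorial's own file);
# the two key values are placeholders, not real Openswan host keys.
SAMPLE_CONF = """\
config setup
    protostack=netkey
conn play2
    left=200.199.1.1
    leftsubnet=192.168.0.0/24
    leftrsasigkey=0sAQNPLACEHOLDER-KEY-A
    right=200.199.1.2
    rightsubnet=172.16.1.0/24
    rightrsasigkey=0sAQOPLACEHOLDER-KEY-B
    authby=rsasig
    auto=add
"""

def parse_ipsec_conf(text):
    """{section: {key: value}}; unindented lines start a section, parameters are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip() or line.startswith("version"):
            continue
        if line[0] in " \t":                           # indented => parameter
            if current is None:
                raise ValueError("parameter outside any section: %r" % raw)
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
        else:                                          # 'config setup' / 'conn <name>'
            current = " ".join(line.split()[:2])
            sections[current] = {}
    return sections

def check_conn(conn):
    """Return the problems found in one conn section; an empty list means it looks sane."""
    problems = []
    for side in ("left", "right"):
        if not conn.get(side + "rsasigkey", "").startswith("0s"):
            problems.append(side + "rsasigkey must be the 0s-prefixed key printed by ipsec newhostkey")
    if conn.get("authby") != "rsasig":
        problems.append("authby=rsasig is required for RSA host-key authentication")
    if conn.get("leftrsasigkey") == conn.get("rightrsasigkey"):
        problems.append("left and right must carry each computer's own, distinct key")
    try:
        if ipaddress.ip_network(conn["leftsubnet"]).overlaps(ipaddress.ip_network(conn["rightsubnet"])):
            problems.append("leftsubnet and rightsubnet overlap, so routing between them is ambiguous")
    except (KeyError, ValueError) as exc:
        problems.append("bad or missing subnet: %s" % exc)
    return problems
```

Run check_conn on the "conn play2" section of both computers' copies; the lists must be empty and the two files identical.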

=Configuring Additional Steps on the OS=

Create the following shell script in the folder /etc/rc.d/ and name it '''vpn.sh'''

==/etc/rc.d/vpn.sh==

#!/bin/bash
#Thanks Nestor for the script

# Let the kernel route packets between the local subnet and the tunnel.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Neither accept nor send ICMP redirects on any interface; a redirect could
# steer traffic for the remote subnet around the tunnel.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done

==Add a line in /etc/rc.d/rc.local==
/etc/rc.d/vpn.sh

*Give the file execute permission: #chmod +x /etc/rc.d/vpn.sh

==Initializing openswan==
#service ipsec start

==Verifying the Status==

#service ipsec status

or

#ipsec verify

==Activate the service on boot time==
#chkconfig --level 3 ipsec on

=Final Steps=

==Connectivity Test==

From computer A, try to ping computer B.

If it succeeds, your VPN is working.

Now let's stop the VPN:
# service ipsec stop

From computer A, try to ping computer B again.

At this point you should not be able to ping computer B.

Then start ipsec again and try pinging from both computers.

To make sure everything is working properly, reboot the computer and repeat all the tests.

The '''tcpdump tool''' can capture some traffic, just to make sure the traffic is encrypted.
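As an added example (not from the tutorial), the tcpdump check above can be automated: with the tunnel up, traffic between the two subnets must leave computer A's outer interface only as ESP between the gateways, so any packet with a 192.168.0.0/24 source and a 172.16.1.0/24 destination (or the reverse) seen in the clear is a leak. The capture lines are constructed to mimic tcpdump -n output, not a real capture.

```python
import ipaddress
import re

LEFT_SUBNET = ipaddress.ip_network("192.168.0.0/24")    # behind computer A
RIGHT_SUBNET = ipaddress.ip_network("172.16.1.0/24")    # behind computer B

# Constructed tcpdump -n output (not a real capture) taken on computer A's
# outer interface while pinging computer B with the tunnel up.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 200.199.1.1.500 > 200.199.1.2.500: isakmp: phase 2/others ? inf[E]
12:00:01.000900 IP 200.199.1.1 > 200.199.1.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:01.001500 IP 200.199.1.2 > 200.199.1.1: ESP(spi=0x4e5f6a7b,seq=0x1), length 132
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)")

def classify(line):
    """'esp', 'ike', 'other', or 'plaintext-leak' for an inter-subnet packet sent in the clear."""
    m = LINE_RE.search(line)
    if not m:
        return None                      # not an IPv4 tcpdump line
    if m["rest"].startswith("ESP("):
        return "esp"                     # encrypted tunnel payload
    if m["rest"].startswith("isakmp"):
        return "ike"                     # key exchange between the gateways
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    crossing = (src in LEFT_SUBNET and dst in RIGHT_SUBNET) or (src in RIGHT_SUBNET and dst in LEFT_SUBNET)
    return "plaintext-leak" if crossing else "other"

def leaks(capture):
    """Lines where traffic between the two protected subnets left the host unencrypted."""
    return [line for line in capture.splitlines() if classify(line) == "plaintext-leak"]
```

Feed it the output of tcpdump -n on the outer interface while pinging; an empty list from leaks() is the result you want with ipsec running.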

=Logs=

The logs for Openswan can be found in:
/var/log/secure
and
/var/log/messages

=Final Consideration=

Sometimes the files are not blog friendly, so I have another version of this tutorial available in wiki format:

http://zenit.senecac.on.ca/wiki/index.php/Milton-vpn-openswan


Iptables Lab

February 2, 2009

My host is running Fedora Core 10; I used VirtualBox to create 3 virtual machines with Fedora 9. I found a very nice link at:
http://www.virtualbox.org/wiki/Advanced_Networking_Linux

Then I created the following network topology:

[Diagram: firewall network topology]

Then I modified the firewall script Professor Raymond gave us to allow access from the virtual machines to the Internet.

#!/bin/sh
#
#############################################################################
#
# File: iptables.sh
#
# Purpose: To build a basic iptables policy with default log and drop rules.
#          This script was written for the book "Linux Firewalls: Attack
#          Detection and Response" published by No Starch Press.
#
# Copyright (C) 2006-2007 Michael Rash (mbr@cipherdyne.org)
#
# License (GNU Public License):
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307
#   USA
#
#
#############################################################################
#
# $Id: iptables.sh 1406 2008-04-14 01:48:04Z mbr $
#

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.100.0/24   # network of the virtual machines (bridge br0); wlan0 is the uplink

### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
#
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
#
echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A INPUT -i wlan0 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i wlan0 ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A INPUT -i wlan0 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
#
echo "[+] Setting up OUTPUT chain..."

### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######
#
echo "[+] Setting up FORWARD chain..."

### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A FORWARD -i wlan0 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i wlan0 ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80  --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT # Enable ssh to outside
$IPTABLES -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### NAT rules ######
#
echo "[+] Setting up NAT rules..."
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.3:80
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.10.3:443
#$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to 192.168.10.4:53
#$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE

$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i br0 -j DNAT --to 192.168.0.1:53 # Set up access to the dns server
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o wlan0 -j MASQUERADE

###### forwarding ######
#
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

exit
### EOF ###
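An added example, not part of the lab, for reasoning about what the FORWARD chain above does to a given packet: a first-match evaluator for the subset of iptables syntax the script uses (-i, -s, -p, --dport, -j). The chain is reconstructed from the script minus its state-tracking rules, so every packet fed in counts as a NEW connection; the rule/packet representation and the verdict() function are this example's own. It makes visible that the ACCEPT rules pinned to -i wlan0 only match packets arriving on the uplink, so the same ports requested from the VM bridge br0 fall through to the default LOG rule and the DROP policy.

```python
import ipaddress

INT_NET = ipaddress.ip_network("192.168.100.0/24")

def rule(target, **match):
    return target, match

# Constructed from the script's FORWARD chain, in order, minus the state-tracking
# rules: every packet fed in below is therefore treated as a NEW connection.
FORWARD = [
    rule("LOG",    i="wlan0", not_src=INT_NET),       # anti-spoofing
    rule("DROP",   i="wlan0", not_src=INT_NET),
    rule("ACCEPT", i="wlan0", src=INT_NET, proto="tcp", dport=21),
    rule("ACCEPT", i="wlan0", src=INT_NET, proto="tcp", dport=22),
    rule("ACCEPT", i="wlan0", src=INT_NET, proto="tcp", dport=25),
    rule("ACCEPT", i="wlan0", src=INT_NET, proto="tcp", dport=43),
    rule("ACCEPT", proto="tcp", dport=80),
    rule("ACCEPT", proto="tcp", dport=443),
    rule("ACCEPT", i="wlan0", src=INT_NET, proto="tcp", dport=4321),
    rule("ACCEPT", proto="tcp", dport=22),
    rule("ACCEPT", proto="tcp", dport=53),
    rule("ACCEPT", proto="udp", dport=53),
    rule("ACCEPT", proto="icmp"),
    rule("LOG",    not_i="lo"),                        # default LOG rule
]
POLICY = "DROP"                                        # iptables -P FORWARD DROP

def matches(match, pkt):
    src = ipaddress.ip_address(pkt["src"])
    checks = {
        "i":       lambda v: pkt["in"] == v,
        "not_i":   lambda v: pkt["in"] != v,
        "src":     lambda v: src in v,
        "not_src": lambda v: src not in v,
        "proto":   lambda v: pkt["proto"] == v,
        "dport":   lambda v: pkt.get("dport") == v,
    }
    return all(checks[k](v) for k, v in match.items())

def verdict(chain, pkt):
    """First-match walk of the chain. LOG does not terminate, exactly as in
    iptables, so a packet can be logged and then still hit the chain policy."""
    logged = False
    for target, match in chain:
        if matches(match, pkt):
            if target == "LOG":
                logged = True
            else:
                return target, logged
    return POLICY, logged
```

A packet is a dict such as {"in": "br0", "src": "192.168.100.5", "proto": "tcp", "dport": 80}; verdict() returns the terminating target and whether a LOG rule fired on the way.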