OpenWrt Forum Archive

Post #1

centyx

5 Jul 2007, 22:33

Hi,

I have downloaded and installed the openwrt-wrt54gs-2.6-squashfs image from downloads.openwrt.org.

This is working great so far, although I am having a little trouble with the default firewall rules and an IPSEC vpn to the office.

The ipsec tunnel is established and the two remote networks can communicate after executing
/etc/init.d/firewall stop

I have tried adding numerous combinations of rules to /etc/firewall.user, all of which I will not post here. My last ( futile ) attempt was this:

### VPN
iptables -A INPUT -s x.x.x.x -j ACCEPT
iptables -A OUTPUT -d x.x.x.x -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -s 172.16.1.0/24 -d 192.168.0.0/24 -j ACCEPT

The rules are being executed, as I can see them in the output of iptables -L -n, and the INPUT rule is effective as I can connect to all open ports on my router from the VPN gateway ( x.x.x.x ). I have come to the conclusion that I am missing something obvious.

Shorewall has made me lazy... but that's another subject.

I will keep banging away at this after I get home, however any suggestions would be greatly appreciated.

[EDIT] I am using openwrt as the ipsec gateway, connecting as follows

192.168.0.0/24 <----> ( office router ) ---- internet ---- ( openwrt ) <----> 172.16.1.0/24

[EDIT] OpenWRT's internet connection is established via PPPOE, so the real WAN interface is ppp0.

(Last edited by centyx on 6 Jul 2007, 11:29)

Post #2

centyx

6 Jul 2007, 22:30

Still haven't figured this out.

The tunnel is still established, and oddly enough, I can actually ping my home lan (172.x ) from the office lan ( 192.x ) successfully, but not vice versa ( the outgoing packets never leave openwrt ).

Here are the current rules I've added to /etc/firewall.user and some that I've tried that didn't seem to make a difference:

# allow all from remote gateway for now
iptables -I INPUT -s x.x.x.x -j ACCEPT
iptables -I OUTPUT -d x.x.x.x -j ACCEPT
# allow to/from office lan
iptables -I FORWARD -i ppp0 -s 192.168.0.0/24 -j ACCEPT
iptables -I FORWARD -o ppp0 -d 192.168.0.0/24 -j ACCEPT

# these rules haven't seemed to help
#iptables -I FORWARD -s 65.82.203.10 -j ACCEPT
#iptables -I FORWARD -d 65.82.203.10 -j ACCEPT
#iptables -I FORWARD -i ppp0 -o $LAN -j ACCEPT
#iptables -I FORWARD -i $LAN -o ppp0 -j ACCEPT
#iptables -I FORWARD -i ppp0 -d 192.168.0.0/24 -j ACCEPT
#iptables -I FORWARD -o ppp0 -s 192.168.0.0/24 -j ACCEPT
#iptables -I FORWARD -i ppp0 -s 65.82.203.10 -j ACCEPT
#iptables -I FORWARD -o ppp0 -d 65.82.203.10 -j ACCEPT
#iptables -I FORWARD -i $LAN -d 192.168.0.0/24 -j ACCEPT
#iptables -I FORWARD -o $LAN -d 192.168.0.0/24 -j ACCEPT
#iptables -I FORWARD -o ppp0 -s $WANIP -j ACCEPT
#iptables -I FORWARD -i ppp0 -d 172.16.1.0/24 -j ACCEPT
#iptables -I FORWARD -o ppp0 -s 172.16.1.0/24 -j ACCEPT
#iptables -I FORWARD -i ppp0 -s 172.16.1.0/24 -j ACCEPT
#iptables -I FORWARD -o ppp0 -d 172.16.1.0/24 -j ACCEPT
#iptables -I OUTPUT -o ppp0 -d 192.168.0.0/24 -j ACCEPT
#iptables -I OUTPUT -o $LAN -d 192.168.0.0/24 -j ACCEPT

(Last edited by centyx on 6 Jul 2007, 22:33)

Post #3

centyx

10 Jul 2007, 22:12

I finally followed the prompting to start commenting out things in /etc/init.d/firewall. After trying commenting out a couple things, I was led to the Masquerading section.

It occurred to me that the traffic from my local network to the remote network was being masqueraded, so I commented out the default masquerading line in /etc/init.d/firewall and added this in /etc/firewall.user:

[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -s 172.16.1.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

Now the two networks can communicate without any problem.

One thing I miss about Free S/WAN is that it used its own interface, ipsecX, for ipsec communication. That made things a lot easier.

So finally, here are all the rules I added to /etc/firewall.user

### WAN IP
WANIP=`cat /etc/ppp/current_ip`

### MASQ
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -s 172.16.1.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

### VPN
OFFICE_GW="x.x.x.x"
OFFICE_NET="192.168.0.0/24"
# IKE negotiation
iptables -I INPUT -p udp -s $OFFICE_GW --sport 500 -d $WANIP --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp -s $WANIP --sport 500 -d $OFFICE_GW --dport 500 -j ACCEPT
# ESP authentication and encryption
iptables -I INPUT -p 50 -s $OFFICE_GW -d $WANIP -j ACCEPT
iptables -I OUTPUT -p 50 -s $WANIP -d $OFFICE_GW -j ACCEPT
# allow to/from remote lan
iptables -A FORWARD -i ppp0 -s $OFFICE_NET -j ACCEPT
iptables -A FORWARD -o ppp0 -d $OFFICE_NET -j ACCEPT

Post #4

centyx

10 Jul 2007, 22:20

In my previous experience with Linux IPSEC setup using ipsec-tools and racoon, the firewall rules were managed using shorewall. It will be interesting to see how shorewall handles this.

Not only does shorewall take an exceedingly long time to load on my wrt54gs, but the ipt_policy module is also missing, which shorewall requires for its IPSEC capabilities.

I will delve deeper into the shorewall way of handling IPSEC traffic in such a situation later, but for now I'm just glad this is finally working.