adding ipv6 tunnel to strongswan and matching firewall rules

2018-09-17 21:28:02 +02:00 · 2018-09-17 21:28:02 +02:00 · 37c69ab507
parent 05cb6ef35f
commit 37c69ab507
3 changed files with 29 additions and 17 deletions
--- a/debian/control
+++ b/debian/control
@ -9,7 +9,7 @@ Vcs-Git: https://git.wit.com/netops/wit-network-config
 Package: wit-network-config
 Architecture: all
-Depends: systemd, sed, tcpdump, mtr-tiny, iproute2, ifupdown, ipmitool, iptables, lldpd, strongswan, telnet, netcat, fping, curl, wget, ifstat, rsyslog, ncurses-term, net-tools, bridge-utils, vlan, gnupg, sudo, isc-dhcp-client, bind9-host, dnsutils, frr (>= 5.0.1-wit), frr (<< 5.0.2-wit)
+Depends: systemd, sed, tcpdump, mtr-tiny, iproute2, ifupdown, ipmitool, iptables, lldpd, strongswan, telnet, netcat, fping, curl, wget, ifstat, rsyslog, ncurses-term, net-tools, bridge-utils, vlan, gnupg, sudo, isc-dhcp-client, bind9-host, dnsutils, libstrongswan-extra-plugins, frr (>= 5.0.1-wit), frr (<< 5.0.2-wit)
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}, dhcpcd5
 Description: configure network for a standard wit compute and/or data node
--- a/files/firewall
+++ b/files/firewall
@ -47,16 +47,20 @@ case $1 in
     #### IPv6
        ip6tables -P INPUT ACCEPT
        ip6tables -F INPUT
-        ip6tables -A INPUT                               -p ipv6-icmp        -j ACCEPT   # ping
+       #unencrypted traffic
-        ip6tables -A INPUT -s 2604:bbc0:0:113::1         -p udp  --sport  53 -j ACCEPT   # dns
+        ip6tables -A INPUT                               -p esp                                                 -j ACCEPT   # ipsec
-        ip6tables -A INPUT -s 2001:67c:1560:8003::c7     -p udp  --sport 123 -j ACCEPT   # ntp
+        ip6tables -A INPUT                               -p udp  --dport   500 --sport  500                     -j ACCEPT   # ipsec
-        ip6tables -A INPUT -s 2001:67c:1560:8003::c8     -p udp  --sport 123 -j ACCEPT   # ntp
+        ip6tables -A INPUT                               -p udp  --dport  4500 --sport 4500                     -j ACCEPT   # ipsec
-	ip6tables -A INPUT -s fe80::/10                  -p tcp  --sport 179 -j ACCEPT   # bgp (allow init as well as responding)
+        ip6tables -A INPUT                               -p ipv6-icmp                                           -j ACCEPT   # ping
-	ip6tables -A INPUT -s fe80::/10                  -p tcp  --dport 179 -j ACCEPT   # bgp (allow init as well as responding)
+        ip6tables -A INPUT -s 2604:bbc0:0:113::1         -p udp  --sport    53                                  -j ACCEPT   # dns
        ip6tables -A INPUT -s 2001:67c:1560:8003::c7     -p udp  --sport   123                                  -j ACCEPT   # ntp
        ip6tables -A INPUT -s 2001:67c:1560:8003::c8     -p udp  --sport   123                                  -j ACCEPT   # ntp
 	ip6tables -A INPUT -s fe80::/10                  -p tcp  --sport   179                                  -j ACCEPT   # bgp (allow init as well as responding)
 	ip6tables -A INPUT -s fe80::/10                  -p tcp  --dport   179                                  -j ACCEPT   # bgp (allow init as well as responding)
       ### mgmt
-	ip6tables -A INPUT -i mgmt1 -s fe80::/10         -p udp  --dport 546 -j ACCEPT   # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
+	ip6tables -A INPUT -i mgmt1 -s fe80::/10         -p udp  --dport   546                                  -j ACCEPT   # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
-        ip6tables -A INPUT -i mgmt                       -p tcp  --dport  22 -j ACCEPT   # allow ssh from mgmt
+        ip6tables -A INPUT -i mgmt                       -p tcp  --dport    22                                  -j ACCEPT   # allow ssh from mgmt
-        ip6tables -A INPUT -i mgmt   -m state --state ESTABLISHED,RELATED    -j ACCEPT   # allow stateful connections over mgmt
+        ip6tables -A INPUT -i mgmt   -m state --state ESTABLISHED,RELATED                                       -j ACCEPT   # allow stateful connections over mgmt
       ### DROP the rest
        ip6tables -P INPUT DROP
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@ -19,14 +19,22 @@ conn %default
    keyexchange=ikev1
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1-modp2048!
 conn loopbacks
    auto=route
    leftsubnet=10.1.0.0/16
    rightsubnet=10.1.0.0/16
    right=%any
    leftcert=FQHOSTNAME.crt
    leftid="C=US, O=Wit, CN=FQHOSTNAME"
    rightid="C=US, O=Wit, CN=*"
    auto=route
 conn loopback4
    leftsourceip=%config4
    leftsubnet=10.1.0.0/16
    rightsubnet=10.1.0.0/16
    right=%any4
 conn loopback6
    leftsourceip=%config6
    leftsubnet=2604:bbc0:0:100::/56
    rightsubnet=2604:bbc0:0:100::/56
    right=%any6