[Firewall] Fix in 50ipsec-vpn.plugin
Philip A. Prindeville
philipp_subx at redfish-solutions.com
Sat Jan 10 10:48:14 CET 2009
Philip A. Prindeville wrote:
> Please include this patch.
> Currently $IPSEC_VPN_NETS is a list of networks that aren't local but
> for whom we have connections (i.e. something apart from $INTERNAL_NET).
> This was not how we were using it. The loop:
> for vnet1 in $IPSEC_VPN_NETS; do
> $IPTABLES -A INPUT -i $eif -d $vnet1 -m mark --mark 1 -j ACCEPT
> for vnet2 in $IPSEC_VPN_NETS; do
> # Avoid the problem of LAN packets being NAT'ed/masqueraded:
> $IPTABLES -t nat -A POSTROUTING -o $eif -s $vnet1 -d $vnet2 -j
> would presuppose that $IPSEC_VPN_NETS included both local and remote
> nets, since it was using them in the "-s" argument on outbound packets
> (i.e. -o $eif).
> This was wrong. There were two solutions to this logic.
> One is that the source address should come from $INTERNAL_NET.... but
> you might not want to export all of your subnets to all other VPN peers.
In case it wasn't clear, the rewrite would have been:
for vnet1 in $IPSEC_VPN_NETS; do
    $IPTABLES -A INPUT -i $eif -d $vnet1 -m mark --mark 1 -j ACCEPT
done
for vnet1 in $INTERNAL_NET; do
    for vnet2 in $IPSEC_VPN_NETS; do
        # Avoid the problem of LAN packets being NAT'ed/masqueraded:
        $IPTABLES -t nat -A POSTROUTING -o $eif -s $vnet1 -d $vnet2 -j ACCEPT
    done
done
> The other solution was to replace IPSEC_VPN_NETS with
> IPSEC_VPN_ASSOCS, which is a tuple of sets of subnets (local,remote)
> which exchange packets.
> means that local networks 192.168.1.0/24 and 192.168.2.0/24 are
> routable to 172.16.0.0/16, 172.17.0.0/16, and 172.18.0.0/16, but that
> network 192.168.2.0/24 only is advertised to 10.0.0.0/8 (i.e.
> 192.168.1.0/24 is absent).
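As an added example (not code from the original message and not from the 50ipsec-vpn.plugin itself), the POSIX shell script below shows how the IPSEC_VPN_ASSOCS approach can drive the two rule sets: one INPUT rule per remote net for marked packets, and one POSTROUTING ACCEPT per (local, remote) pair so that LAN traffic bound for the tunnel is not masqueraded. The entry syntax "local1,local2:remote1,remote2", the function names and the sample values are assumptions made for this example; the rule shapes follow the rewrite above. IPTABLES is pointed at echo so the script runs unprivileged and prints the rules it would add.

```shell
#!/bin/sh
# Added example, not part of the original message or the plugin.
# Assumed entry syntax for IPSEC_VPN_ASSOCS (space-separated entries):
#   local1,local2,...:remote1,remote2,...
# Each entry associates a set of local subnets with the remote subnets they
# may reach through the tunnel; a local subnet missing from an entry is not
# exempted from NAT towards those remotes, so it is never sent in the clear.

# Stand-in so this runs without root; set to /sbin/iptables on a real gateway.
IPTABLES="echo iptables"
eif="eth0"

# Constructed sample data, using the networks discussed in the message:
# 192.168.1.0/24 and 192.168.2.0/24 reach the 172.16-18 nets, but only
# 192.168.2.0/24 reaches 10.0.0.0/8.
IPSEC_VPN_ASSOCS="192.168.1.0/24,192.168.2.0/24:172.16.0.0/16,172.17.0.0/16,172.18.0.0/16 192.168.2.0/24:10.0.0.0/8"

# Emit the rules for a single association entry.
ipsec_vpn_rules() {
    assoc=$1
    locals=$(printf '%s' "$assoc" | cut -d: -f1 | tr ',' ' ')
    remotes=$(printf '%s' "$assoc" | cut -d: -f2 | tr ',' ' ')

    # Accept decrypted (marked) packets arriving on the external interface
    # for each remote net, as the INPUT loop in the rewrite does.
    for vnet2 in $remotes; do
        $IPTABLES -A INPUT -i "$eif" -d "$vnet2" -m mark --mark 1 -j ACCEPT
    done

    # Exempt local -> remote traffic from NAT, one rule per (local, remote)
    # pair. These ACCEPTs must sit ahead of any MASQUERADE/SNAT rule in
    # POSTROUTING, since the first matching rule in the chain wins.
    for vnet1 in $locals; do
        for vnet2 in $remotes; do
            $IPTABLES -t nat -A POSTROUTING -o "$eif" -s "$vnet1" -d "$vnet2" -j ACCEPT
        done
    done
}

# Walk every association entry.
ipsec_vpn_all() {
    for assoc in $IPSEC_VPN_ASSOCS; do
        ipsec_vpn_rules "$assoc"
    done
}

# Number of rules the sample configuration produces (handy for checking).
ipsec_vpn_rule_count() {
    ipsec_vpn_all | wc -l | tr -d ' '
}

ipsec_vpn_all
```

With the sample data this prints 11 rules: three INPUT and six POSTROUTING rules for the first entry, one of each for the second. No rule pairs 192.168.1.0/24 with 10.0.0.0/8, which is exactly the restriction a flat IPSEC_VPN_NETS list could not express.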