HOWTO_Shorewall_Firewall_IPsec_VPN_and_2.6_kernel
Introduction
Software versions used in this document:
- Gentoo-patched Linux kernel 2.6.12-gentoo-r6
- Shorewall 2.4.1 (beware security vulnerability: http://www.shorewall.net)
- OpenSwan 2.3.1
- IPsec-Tools 0.5.2
This document will try to explain how to get the Shorewall Firewall system working with the 2.6 Gentoo kernel and IPsec. For IPsec, OpenSwan and ipsec-tools/Racoon were used.
At the moment, Gentoo's kernel and iptables are not patched with Policy Match support. This must be done manually.
Note: If you try to use your Shorewall box in bridge mode, the 2.6.12 kernel won't work. You should try 2.6.11 instead or grab Gentoo's 2.6.9-r9.
Update: As of kernel 2.6.16, policy match support is built-in. No patching needed (tested with gentoo-sources-2.6.16-r1, iptables-1.3.5 + extensions USE flag, ipsec-tools-0.6.2-r1 on ~x86). Just follow this guide until the first emerge instruction in "Get the software" section (if necessary, add sys-kernel/gentoo-sources to /etc/portage/package.keywords), then jump to "Recompile your kernel" and finally jump down to "Test Shorewall".
Preconfigure Portage
Create (if necessary) or edit /etc/portage/package.keywords and change the following:
File: /etc/portage/package.keywords
net-misc/openswan
net-firewall/ipsec-tools
net-firewall/iptables
net-firewall/shorewall
sys-kernel/genkernel
This will grab the latest test versions. As far as these packages are concerned this is usually a good idea.
Get the software
# emerge gentoo-sources iptables openswan shorewall ipsec-tools bind-tools genkernel gentoolkit
You might also want to
# emerge -a links
If it's already installed, just answer no to the question.
Next, download the following files in a temporary directory such as /tmp:
- Patch-o-matic-ng from Netfilter
# cd /tmp
# links2 ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
Select the latest .tar.bz2 and press D to download and Q to quit links2. Unpack patch-o-matic-ng:
# tar -jxvf patch-o-matic-ng-<version>.tar.bz2
- Shorewall kernel 2.6 IPsec patches
# links2 http://shorewall.net/pub/shorewall/contrib/IPSEC/
Move into the directory for your kernel version (2.6.12) and download the 5 patches. Then move them into your Linux kernel source directory and apply them:
# mv /tmp/*.diff /usr/src/linux
# cd /usr/src/linux
# cat *.diff | patch -p1
Determine the path of the iptables ebuild and remember it (it should be /usr/portage/net-firewall/iptables/iptables-<version>.ebuild, but we will refer to it as /path/to/iptables.ebuild):
# equery which iptables
Let's make sure the source is available:
# ebuild /path/to/iptables.ebuild clean
# ebuild /path/to/iptables.ebuild unpack
Determine the iptables source directory, which should be /var/tmp/portage/iptables-<version>/work/iptables-<version>. We will refer to it as /path/to/iptables.source/. Apply the policy match patch:
# export KERNEL_DIR=/usr/src/linux
# export IPTABLES_DIR=/path/to/iptables.source/
# cd /tmp/patch-o-matic-ng-<version>/
# ./runme extra
Just press ENTER for every patch except policy match. When you reach policy match, press y and ENTER, then type q and ENTER to quit. Make sure the following files are in place:
- /path/to/iptables.source/extensions/libip?t_policy.c
- /path/to/iptables.source/include/linux/netfilter_ipv?/ip?t_policy.h
If not, copy them over from:
- /tmp/patch-o-matic-ng-<version>/patchlets/policy/iptables/extensions/
- /tmp/patch-o-matic-ng-<version>/patchlets/policy/linux-2.6(your version)/include/linux/netfilter_ipv?/
Finally, you need to add policy to the PF_EXT_SLIB variable in /path/to/iptables.source/extensions/Makefile.
Recompile the kernel with ipsec and policy match
# genkernel --menuconfig all
Linux Kernel Configuration: genkernel --menuconfig all
You should see similar options:
Device Drivers --->
  Networking Support --->
    Networking Options --->
      <*> PF_KEY sockets
      <*> IP: AH transformations
      <*> IP: ESP transformations
      <*> IP: IPComp transformations
      <*> IP: tunnel transformations
      <*> IPsec user configuration interface
      Network Packet Filtering --->
        IP: Netfilter Configuration --->
          <*> IPsec policy match support
Kernel modules
You could also build pf_key, ah?, esp?, ipcomp and xfrm_user as modules (M), but then you would have to load them at boot time by listing them in /etc/modules.autoload.d/kernel-<version>.
Reboot
Make sure genkernel exits without errors. The new kernel image should be ready to load (usually in /boot/). Reboot the system.
Recompile iptables with policy match
Netfilter's iptables also needs to be recompiled with policy match support. Let's do that and install the software as well.
# ebuild /path/to/iptables.ebuild compile
# ebuild /path/to/iptables.ebuild install
# ebuild /path/to/iptables.ebuild qmerge
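Before compiling, it is worth verifying that the manual policy match steps above actually took: the two files are present, "policy" is on the PF_EXT_SLIB line, and the kernel .config has every option the guide enables. The script below is an added example, not part of the original wiki page; the paths are assumptions (point them at your /path/to/iptables.source and /usr/src/linux/.config), only the IPv4 ipt_ files are checked (ip6t_ is analogous), and the CONFIG_ symbol names are my assumed mapping of the menuconfig entries.

```shell
# Added example, not from the original wiki page: sanity-check the manual
# policy match steps. Paths are assumptions (your /path/to/iptables.source
# and kernel .config); only the IPv4 files are checked, ip6t_ is analogous.
# 0 when the policy match source and header the guide lists are present.
policy_files_present() {
    [ -f "$1/extensions/libipt_policy.c" ] &&
    [ -f "$1/include/linux/netfilter_ipv4/ipt_policy.h" ]
}

# 0 when "policy" is already a word on the PF_EXT_SLIB line of the Makefile.
policy_in_makefile() {
    grep -E '^PF_EXT_SLIB[[:space:]]*[:+]?=' "$1/extensions/Makefile" | grep -qw policy
}

# Append "policy" to the first PF_EXT_SLIB line; a no-op if it is already there.
add_policy_to_makefile() {
    mk="$1/extensions/Makefile"
    policy_in_makefile "$1" && return 0
    awk '!done && /^PF_EXT_SLIB[ \t]*[:+]?=/ { $0 = $0 " policy"; done = 1 } { print }' \
        "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
    policy_in_makefile "$1"
}

# 0 when each option the guide enables is =y or =m in the kernel .config.
# The CONFIG_ symbol names are my assumed mapping of the menuconfig entries.
kernel_config_ok() {
    for sym in CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP \
               CONFIG_INET_TUNNEL CONFIG_XFRM_USER CONFIG_IP_NF_MATCH_POLICY; do
        grep -q "^$sym=[ym]\$" "$1" || { echo "missing: $sym" >&2; return 1; }
    done
}

# Run the checks on a constructed sample tree standing in for the real source
# and .config; prints how many Makefile lines mention policy afterwards (1).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/extensions" "$t/include/linux/netfilter_ipv4"
    touch "$t/extensions/libipt_policy.c" "$t/include/linux/netfilter_ipv4/ipt_policy.h"
    printf 'PF_EXT_SLIB:=ah esp tcp udp\n' > "$t/extensions/Makefile"
    printf 'CONFIG_NET_KEY=y\nCONFIG_INET_AH=m\nCONFIG_INET_ESP=m\nCONFIG_INET_IPCOMP=m\nCONFIG_INET_TUNNEL=y\nCONFIG_XFRM_USER=m\n' > "$t/.config"
    policy_files_present "$t" || return 1
    policy_in_makefile "$t" && return 1                    # not listed yet
    add_policy_to_makefile "$t" && add_policy_to_makefile "$t" || return 1   # second run is a no-op
    kernel_config_ok "$t/.config" 2>/dev/null && return 1  # policy match still missing
    echo 'CONFIG_IP_NF_MATCH_POLICY=y' >> "$t/.config"
    kernel_config_ok "$t/.config" || return 1
    grep -c policy "$t/extensions/Makefile"; rm -rf "$t"
}

demo
```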
Test Shorewall
Finally the system should be ready and Shorewall shouldn't complain about policy match when you define IPsec tunnels. Run the following test:
# shorewall show capabilities
You should see:
Code: shorewall show capabilities
Policy Match: Available
Shorewall IPsec
You can now define IPsec tunnels within Shorewall's configuration files in /etc/shorewall/. For OpenSwan and Racoon configurations, you can visit the http://www.shorewall.net website.
Related Links
- Shorewall Firewall home page
- Shorewall IPsec documentation for 2.6 kernel
- Netfilter home page
- Another wiki page on IPsec using OpenSwan
- OpenSwan home page
- IPsec Tools home page
