Practice 5 - Documentation
Practice 5 - Firewall and OpenVPN
Alexandre Ramilo Conde
Pablo Prol Sobrado

Shorewall

The following rules are to be configured:
1. Masquerading (SNAT) of the internal network (10.10.10.0/24) and of the DMZ (10.20.20.0/24)
2. Redirection (DNAT) of the public services the network will offer to the machine inside the DMZ (10.20.20.22)
   a. WEB requests (http and https)
   b. outgoing (smtp) and incoming (pop3) mail traffic
3. Traffic control with a "deny by default" (DROP) policy
   a. from the external network only the connections to the DMZ covered by the redirections of the previous point are allowed (http, https, smtp, pop3)
   b. from the internal network to the external network only WEB and SSH traffic is allowed
   c. from the internal network to the DMZ only WEB (http, https), email (smtp, pop3) and SSH traffic is allowed
   d. from the dmz machine (10.20.20.22) MySQL connections are allowed to the internal-network machine dentro (10.10.10.11)
   e. DNS queries originating in the internal network are allowed out to the external network
   f. the firewall only accepts SSH connections from the internal network
4. Logging of access attempts not covered above from the external network to firewall3 (193.147.87.47) and to internal hosts, with the label Acceso no autorizado

We configure shorewall following the instructions of the practical and check the iptables configuration it has generated, obtaining:

Chain INPUT (policy DROP) target prot opt source dynamic all -- anywhere net2fw all -- anywhere loc2fw all -- anywhere dmz2fw all -- anywhere ACCEPT all -- anywhere ACCEPT all -- anywhere Reject all -- anywhere LOG all -- anywhere `Shorewall:INPUT:REJECT:' reject all -- anywhere destination anywhere anywhere anywhere anywhere anywhere anywhere anywhere anywhere LOG level info prefix anywhere [goto]
Chain FORWARD (policy DROP) target prot opt source destination dynamic all -- anywhere anywhere ctstate INVALID,NEW ctstate RELATED,ESTABLISHED ctstate INVALID,NEW TCPMSS tcp -- anywhere anywhere PMTU net_frwd all -- anywhere anywhere loc_frwd all -- anywhere anywhere dmz_frwd all -- anywhere anywhere ACCEPT all -- anywhere anywhere Reject all -- anywhere anywhere LOG all -- anywhere anywhere `Shorewall:FORWARD:REJECT:' reject all -- anywhere anywhere
Chain OUTPUT (policy DROP) target prot opt source destination fw2net all -- anywhere anywhere fw2loc all -- anywhere anywhere fw2dmz all -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere Reject all -- anywhere anywhere LOG all -- anywhere anywhere `Shorewall:OUTPUT:REJECT:' reject all -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to ctstate RELATED,ESTABLISHED LOG level info prefix [goto] ctstate RELATED,ESTABLISHED LOG level info prefix [goto]
Chain Drop (4 references) target prot opt source destination all -- anywhere anywhere reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */ dropBcast all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */ ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */ dropInvalid all -- anywhere anywhere DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */ DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */ DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */ DROP tcp -- anywhere anywhere multiport dports loc-srv,netbiosssn,microsoft-ds /* SMB */ DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */ dropNotSyn tcp -- anywhere anywhere DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Reject (11 references) target prot opt source destination all -- anywhere anywhere reject tcp -- anywhere anywhere dropBcast all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere ICMP types */ ACCEPT icmp -- anywhere anywhere */ dropInvalid all -- anywhere anywhere reject udp -- anywhere anywhere */ reject udp -- anywhere anywhere reject udp -- anywhere anywhere reject tcp -- anywhere anywhere ds /* SMB */ DROP udp -- anywhere anywhere dropNotSyn tcp -- anywhere anywhere DROP udp -- anywhere anywhere tcp dpt:auth /* Auth */ icmp fragmentation-needed /* Needed icmp time-exceeded /* Needed ICMP types multiport dports loc-srv,microsoft-ds /* SMB udp dpts:netbios-ns:netbios-ssn /* SMB */ udp spt:netbios-ns dpts:1024:65535 /* SMB */ multiport dports loc-srv,netbios-ssn,microsoftudp dpt:1900 /* UPnP */ udp spt:domain /* Late DNS Replies */
Chain dmz2fw (1 references) target prot opt source destination smurfs all -- anywhere anywhere ctstate INVALID,NEW tcpflags tcp -- anywhere anywhere ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */ Reject all -- anywhere anywhere LOG all -- anywhere anywhere LOG level info prefix `Shorewall:dmz2fw:REJECT:' reject all -- anywhere anywhere [goto]
Chain dmz2loc (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */ ACCEPT tcp -- dmz.ssi.net dentro.ssi.net tcp dpt:mysql Reject all -- anywhere anywhere LOG all -- anywhere anywhere LOG level info prefix `Shorewall:dmz2loc:REJECT:' reject all -- anywhere anywhere [goto]
Chain dmz2net (1 references) target prot opt source ACCEPT all -- anywhere destination anywhere ctstate RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */ Reject all -- anywhere anywhere LOG all -- anywhere anywhere LOG level info prefix `Shorewall:dmz2net:REJECT:' reject all -- anywhere anywhere [goto]
Chain dmz_frwd (1 references) target prot opt source smurfs all -- anywhere tcpflags tcp -- anywhere dmz2net all -- anywhere dmz2loc all -- anywhere destination anywhere anywhere anywhere anywhere
Chain dropBcast (2 references) target prot opt source destination DROP all -- anywhere anywhere DROP all -- anywhere 224.0.0.0/4
Chain dropInvalid (2 references) target prot opt source destination DROP all -- anywhere anywhere
Chain dropNotSyn (2 references) target prot opt source destination DROP tcp -- anywhere anywhere
Chain dynamic (2 references) target prot opt source ctstate INVALID,NEW ADDRTYPE match dst-type BROADCAST ctstate INVALID tcp flags:!FIN,SYN,RST,ACK/SYN destination
Chain fw2dmz (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere Reject all -- anywhere anywhere LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2dmz:REJECT:' reject all -- anywhere anywhere [goto]
Chain fw2loc (1 references) target prot opt source ACCEPT all -- anywhere ACCEPT icmp -- anywhere Reject all -- anywhere destination anywhere anywhere anywhere ctstate RELATED,ESTABLISHED LOG all -- anywhere `Shorewall:fw2loc:REJECT:' reject all -- anywhere
Chain fw2net (1 references) target prot opt source ACCEPT udp -- anywhere ACCEPT all -- anywhere ACCEPT udp -- anywhere ACCEPT tcp -- anywhere ACCEPT icmp -- anywhere Reject all -- anywhere LOG all -- anywhere `Shorewall:fw2net:REJECT:' reject all -- anywhere anywhere LOG level info prefix anywhere [goto] destination anywhere udp dpts:bootps:bootpc anywhere ctstate RELATED,ESTABLISHED anywhere udp dpt:domain /* DNS */ anywhere tcp dpt:domain /* DNS */ anywhere anywhere anywhere LOG level info prefix anywhere [goto]
Chain loc2dmz (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* SSH */ ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */ ACCEPT tcp -- anywhere dmz.ssi.net multiport dports www,https ACCEPT tcp -- anywhere dmz.ssi.net multiport dports smtp,pop3 Reject all -- anywhere anywhere LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2dmz:REJECT:' reject all -- anywhere anywhere [goto]
Chain loc2fw (1 references) target prot opt source smurfs all -- anywhere tcpflags tcp -- anywhere ACCEPT all -- anywhere ACCEPT tcp -- anywhere ACCEPT icmp -- anywhere Reject all -- anywhere LOG all -- anywhere `Shorewall:loc2fw:REJECT:' reject all -- anywhere
Chain loc2net (1 references) target prot opt source ACCEPT all -- anywhere ACCEPT tcp -- anywhere destination anywhere ctstate INVALID,NEW anywhere anywhere ctstate RELATED,ESTABLISHED anywhere tcp dpt:ssh /* SSH */ anywhere icmp echo-request /* Ping */ anywhere anywhere LOG level info prefix anywhere destination anywhere anywhere [goto] ctstate RELATED,ESTABLISHED multiport dports www,https ACCEPT udp -- anywhere ACCEPT tcp -- anywhere Drop all -- anywhere DROP all -- anywhere anywhere anywhere anywhere anywhere
Chain loc_frwd (1 references) target prot opt source smurfs all -- anywhere tcpflags tcp -- anywhere loc2net all -- anywhere loc2dmz all -- anywhere destination anywhere anywhere anywhere anywhere
Chain logdrop (0 references) target prot opt source DROP all -- anywhere destination anywhere
Chain logflags (5 references) target prot opt source destination LOG all -- anywhere anywhere `Shorewall:logflags:DROP:' DROP all -- anywhere anywhere udp dpt:domain /* DNS */ tcp dpt:domain /* DNS */ ctstate INVALID,NEW LOG level info ip-options prefix
Chain logreject (0 references) target prot opt source destination reject all -- anywhere anywhere
Chain net2dmz (1 references) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT tcp -- anywhere dmz.ssi.net multiport dports www,https ACCEPT tcp -- anywhere dmz.ssi.net multiport dports smtp,pop3 Drop all -- anywhere anywhere LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2dmz:DROP:' DROP all -- anywhere anywhere
Chain net2fw (1 references) target prot opt source smurfs all -- anywhere ACCEPT udp -- anywhere tcpflags tcp -- anywhere ACCEPT all -- anywhere DROP icmp -- anywhere Drop all -- anywhere destination anywhere anywhere anywhere anywhere anywhere anywhere ctstate INVALID,NEW udp dpts:bootps:bootpc ctstate RELATED,ESTABLISHED icmp echo-request /* Ping */ LOG DROP all -- anywhere all -- anywhere
Chain net2loc (1 references) target prot opt source ACCEPT all -- anywhere Drop all -- anywhere LOG all -- anywhere `Shorewall:net2loc:DROP:' DROP all -- anywhere anywhere anywhere destination anywhere anywhere anywhere ctstate RELATED,ESTABLISHED LOG level info prefix anywhere
Chain net_frwd (1 references) target prot opt source destination smurfs all -- anywhere anywhere tcpflags tcp -- anywhere anywhere net2loc all -- anywhere anywhere net2dmz all -- anywhere anywhere
Chain reject (18 references) target prot opt source DROP all -- anywhere DROP all -- 224.0.0.0/4 DROP igmp -- anywhere REJECT tcp -- anywhere REJECT udp -- anywhere REJECT icmp -- anywhere REJECT all -- anywhere LOG level info prefix `Shorewall:net2fw:DROP:' destination anywhere anywhere anywhere anywhere anywhere anywhere anywhere ctstate INVALID,NEW ADDRTYPE match src-type BROADCAST reject-with tcp-reset reject-with icmp-port-unreachable reject-with icmp-host-unreachable reject-with icmp-host-prohibited
Chain shorewall (0 references) target prot opt source destination
Chain smurflog (2 references) target prot opt source destination LOG all -- anywhere anywhere DROP all -- anywhere anywhere
Chain smurfs (6 references) target prot opt source RETURN all -- default smurflog all -- anywhere BROADCAST smurflog all -- 224.0.0.0/4
Chain tcpflags (6 references) destination anywhere anywhere anywhere LOG level info prefix `Shorewall:smurfs:DROP:' [goto] ADDRTYPE match src-type [goto] target prot opt source logflags tcp -- anywhere FIN,PSH,URG logflags tcp -- anywhere NONE logflags tcp -- anywhere logflags tcp -- anywhere logflags tcp -- anywhere destination anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/ anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/ anywhere anywhere anywhere [goto] tcp flags:SYN,RST/SYN,RST [goto] tcp flags:FIN,SYN/FIN,SYN [goto] tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

We also check NAT, which returns:

Chain PREROUTING (policy ACCEPT) target prot opt source destination dnat all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT) target prot opt source destination eth2_masq all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT) target prot opt source destination
Chain dnat (1 references) target prot opt source net_dnat all -- anywhere destination anywhere
Chain eth2_masq (1 references) target prot opt source destination MASQUERADE all -- 10.10.10.0/24 anywhere MASQUERADE all -- 10.20.20.0/24 anywhere
Chain net_dnat (1 references) target prot opt source DNAT tcp -- anywhere DNAT tcp -- anywhere destination anywhere anywhere multiport dports www,https to:10.20.20.22 multiport dports smtp,pop3 to:10.20.20.22

OpenVPN (Link)

Using digital certificates, we set up the VPN link between the internal server and the clients that want to join the network from the external network (from the Internet).
Required:
● For the server:
   ○ digital certificate of the Certificate Authority (CA) recognised by both participants: cacert.crt
   ○ the server's private key: firewall3.key
   ○ the server's digital certificate: firewall3.crt (issued by the CA)
   ○ Diffie-Hellman key-exchange parameters: dh1024.pem
● For each client that connects with OpenVPN:
   ○ digital certificate of the Certificate Authority recognised by both participants: cacert.crt
   ○ the client's private key: fuera.key
   ○ the client's digital certificate: fuera.crt (issued by the CA)

On the server we generate the certificate authority, which, once preconfigured, lets us start creating certificates with the script "/etc/openvpn/easy-rsa/# ./build_ca". Although this procedure was used, TinyCA could also be used; it offers a graphical interface over OpenSSL for managing certificate authorities and generating digital certificates. Once this is done, we copy the certificates to the directories on the server and to the client that wants to establish the OpenVPN tunnel, create and configure the client and server configuration files, and enable ip_forwarding on the server. We can then bring up the OpenVPN tunnel so that the connection is established.

OpenVPN (Shorewall)

For shorewall to recognise the OpenVPN link, we create a new zone in the zones file, associating the virtual interface tun with that zone. We configure shorewall's policies and rules for this zone in the same way as was done for the internal network (that is, it gets the same rules and policies).
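As an added example (not the report's own configuration files, which the report does not reproduce), the following POSIX shell script writes the Shorewall 4.x files that implement requirements 1 to 4 of the Shorewall section. It writes them under a directory of your choice rather than /etc/shorewall so they can be reviewed first. Assumptions not stated on the page: eth0 is the internal network, eth1 the DMZ, eth2 the external network (eth2 is taken from the eth2_masq chain in the NAT listing), and the log tag AccesoNoAutorizado is a shortened form of the required label, because iptables limits a log prefix to 29 characters.

```shell
#!/bin/sh
# Added example (not from the original report): Shorewall 4.x configuration
# implementing requirements 1-4. Assumed interfaces: eth0 = internal (loc),
# eth1 = DMZ (dmz), eth2 = external (net). Files are written under "$1".

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF

    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth2        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth0        detect      tcpflags,nosmurfs
dmz     eth1        detect      tcpflags,nosmurfs
EOF

    # 3. "deny by default": nothing passes unless a rule allows it. Traffic
    # from net is DROPped silently; everything else is REJECTed with a log
    # entry, which is what the net2*:DROP and *:REJECT chains above show.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
net     all     DROP    info
all     all     REJECT  info
EOF

    # 1. SNAT (masquerading) of the internal network and the DMZ on eth2
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth2        10.10.10.0/24
eth2        10.20.20.0/24
EOF

    cat > "$dir/rules" <<'EOF'
#ACTION                         SOURCE          DEST                PROTO   DPORT
# 2a/2b. Public services DNATed to the DMZ host. A DNAT rule also ACCEPTs
#        the forwarded connection, which is exactly what 3a permits.
DNAT                            net             dmz:10.20.20.22     tcp     80,443
DNAT                            net             dmz:10.20.20.22     tcp     25,110
# 3b. Internal network -> Internet: web and SSH only
ACCEPT                          loc             net                 tcp     80,443,22
# 3c. Internal network -> DMZ: web, mail and SSH
ACCEPT                          loc             dmz                 tcp     80,443,25,110,22
# 3d. DMZ host -> MySQL on the internal host "dentro"
ACCEPT                          dmz:10.20.20.22 loc:10.10.10.11     tcp     3306
# 3e. DNS queries from the internal network to the Internet
ACCEPT                          loc             net                 udp     53
ACCEPT                          loc             net                 tcp     53
# 3f. Only the internal network may SSH to the firewall itself
ACCEPT                          loc             fw                  tcp     22
# 4. Everything else from the Internet to the firewall or the internal
#    network is dropped and logged with a tag (assumed short form of the
#    label "Acceso no autorizado"); Shorewall appends the tag to the prefix.
DROP:info:AccesoNoAutorizado    net             fw
DROP:info:AccesoNoAutorizado    net             loc
EOF
}

# Number of active (non-comment) lines in a generated file, for a quick check.
count_rules() {
    grep -c -v '^#' "$1"
}
```

After sourcing the script, `write_shorewall_config /tmp/shorewall-review` produces the five files; `shorewall check /tmp/shorewall-review` compiles that directory without installing it, so the rule set can be validated before replacing /etc/shorewall. Note that the DNAT lines double as the only net-to-dmz ACCEPT rules, so requirement 3a needs no separate entry.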
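As a second added example (again not the report's own files), this script writes the OpenVPN server and client configuration the report describes, plus the extra Shorewall zone for the tun interface. The easy-rsa steps are shown as comments because they prompt interactively; their names (build-ca, build-key-server, build-key, build-dh) are easy-rsa 2's actual scripts, corresponding to the "build_ca" the report mentions. Assumptions: the VPN endpoint is the firewall's public address 193.147.87.47 from requirement 4, the tunnel uses UDP port 1194 on tun0, and the VPN address pool 10.8.0.0/24 is chosen here. Files go under "$1" so the script runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original report): OpenVPN server/client
# configuration and the Shorewall "vpn" zone. Assumed: endpoint
# 193.147.87.47, UDP/1194, dev tun0, VPN pool 10.8.0.0/24.

# Certificate material, generated on the server with easy-rsa 2
# (interactive, so listed as comments; run inside /etc/openvpn/easy-rsa):
#   . ./vars && ./clean-all
#   ./build-ca                    -> keys/ca.crt   (copied as cacert.crt)
#   ./build-key-server firewall3  -> keys/firewall3.crt, keys/firewall3.key
#   ./build-key fuera             -> keys/fuera.crt, keys/fuera.key
#   ./build-dh                    -> keys/dh1024.pem

write_openvpn_config() {
    dir="$1"
    mkdir -p "$dir/server" "$dir/client" "$dir/shorewall"

    cat > "$dir/server/server.conf" <<'EOF'
port 1194
proto udp
dev tun0
ca cacert.crt
cert firewall3.crt
key firewall3.key
# 1024-bit DH is the report's choice; current practice is 2048 bits or more
dh dh1024.pem
server 10.8.0.0 255.255.255.0
# let VPN clients reach the internal network through the tunnel
push "route 10.10.10.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
verb 3
EOF

    cat > "$dir/client/client.conf" <<'EOF'
client
dev tun
proto udp
remote 193.147.87.47 1194
nobind
ca cacert.crt
cert fuera.crt
key fuera.key
# Only accept a peer certificate the CA issued for server use (build-key-server
# sets that flag); without this, any client certificate from the same CA could
# be presented as the server.
remote-cert-tls server
persist-key
persist-tun
verb 3
EOF

    # Shorewall: the tun interface becomes its own zone, handled like loc.
    # These fragments are appended to the existing zones/interfaces/rules.
    cat > "$dir/shorewall/zones.add" <<'EOF'
vpn     ipv4
EOF
    cat > "$dir/shorewall/interfaces.add" <<'EOF'
vpn     tun0        detect
EOF
    # The tunnel itself: UDP/1194 between net and the firewall, both ways
    cat > "$dir/shorewall/tunnels" <<'EOF'
#TYPE           ZONE    GATEWAY
openvpn:1194    net     0.0.0.0/0
EOF
    # Same permissions the internal network has (requirements 3b, 3c, 3e, 3f)
    cat > "$dir/shorewall/rules.add" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  vpn     net     tcp     80,443,22
ACCEPT  vpn     dmz     tcp     80,443,25,110,22
ACCEPT  vpn     net     udp     53
ACCEPT  vpn     fw      tcp     22
EOF
}

# ip_forwarding on the server (root required, so not run here):
#   sysctl -w net.ipv4.ip_forward=1   or   IP_FORWARDING=On in shorewall.conf

# Succeeds when the file has a line starting with the given directive.
has_directive() {
    grep -q "^$2" "$1"
}
```

The tunnels entry is what lets the UDP/1194 handshake through the net-to-fw DROP policy; the vpn zone then receives the loc-style rules, so a connected client can reach the same services as an internal host and nothing more.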