* Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel.
@ 2007-05-16 18:35 Bill Ries-Knight
From: Bill Ries-Knight @ 2007-05-16 18:35 UTC (permalink / raw)
  To: netfilter

ok, I have a solution issue...

We just had a server cracked (fc4, built by my predecessor)

The server acts as a firewall, VPN Server, content filtering system,
samba server for files and ssh tunnel to the network.

There are 3 NICs covering 2 physical subnets, school
administration/teachers and computer lab for the students, each with
their own NIC and the gateway to the internet on the third.  OpenVPN
provides a tun interface with a third subnet to manage.

Software we are running is iptables for the firewall, Openvpn for the
vpn tunnel between physical sites, samba and clamav/squid/dansguardian
for content filtering and openssh for remote access.

I am using Debian Etch for the server.

Is there anyone with a reference on how to manage this one?

I can get the old firewall rules into place, but adding ipmasq munges
it all up.  Without ipmasq there is no name based browsing at all.

At various times I can get the vpn happy, but no browsing.  If I try
to bring both physical subnets into play, it munges.  I have issues
with name based internet browsing, or a few minutes later, I have
issues with the ip address based access.  I.e.: I can ping out, but not
name browse.  A bit later I cannot even ping out.

I am really lost here.

Help!
Please.

-- 
Bill Ries-Knight
Stockton, CA

Respect the process, Vote.



* SPAM(6.0) Re: Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel.
From: patric @ 2007-05-16 20:30 UTC (permalink / raw)
  To: netfilter

Hi,


That sounds like a simple setup with the Shorewall script
(http://www.shorewall.net/)


It might be hard compared to the simpler firewall-scripts out
there, but it's much easier to configure when having more than 2 interfaces.

What you do with shorewall is edit the interfaces file and configure the
interfaces you have and set any options you want for them, edit the masq
file to set up the masquerading, then the rules file to set up any incoming
connections, and then the policy file to set up the default permissions
between the networks...


Best regards,

Patric


PS. I hope my mail-host has resolved the issue with their mail-server
now so I don't get the SPAM() in the title  :) 


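Bill's complaint is that ipmasq rewrites the ruleset underneath his own rules. The script below is an added example, not code from the thread, showing what an explicit hand-written ruleset for the three-NIC-plus-tun0 gateway in this thread looks like (Shorewall, as patric suggests, generates rules of the same shape from its interfaces/masq/policy/rules files). Interface names follow Jorge's diagram; the subnets, the DNS-on-the-gateway assumption and the OpenVPN port are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): explicit iptables ruleset replacing ipmasq.
# Interface names as in the thread; subnets below are constructed assumptions.
WAN=eth0; ADM=eth1; LAB=eth2; VPN=tun0
ADM_NET=192.168.1.0/24; LAB_NET=192.168.2.0/24; VPN_NET=10.8.0.0/24

# DRYRUN=1 prints each rule instead of loading it, so it can be reviewed first
ipt() { if [ "${DRYRUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

build_rules() {
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services the gateway itself offers to the inside networks and VPN clients:
    # DNS over udp and tcp (the "no name based browsing" symptom) and ssh
    for IF in $ADM $LAB $VPN; do
        ipt -A INPUT -i "$IF" -p udp --dport 53 -j ACCEPT
        ipt -A INPUT -i "$IF" -p tcp --dport 53 -j ACCEPT
        ipt -A INPUT -i "$IF" -p tcp --dport 22 -j ACCEPT
    done
    # OpenVPN from the internet (default port, assumed)
    ipt -A INPUT -i "$WAN" -p udp --dport 1194 -j ACCEPT
    # Internet access for both LANs; the -s match drops spoofed sources
    ipt -A FORWARD -i "$ADM" -s "$ADM_NET" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$LAB" -s "$LAB_NET" -o "$WAN" -j ACCEPT
    # Road warriors reach the administration network only, never the lab
    ipt -A FORWARD -i "$VPN" -s "$VPN_NET" -o "$ADM" -j ACCEPT
    # NAT only towards the internet; tunnel traffic keeps its real addresses
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$ADM_NET" -j MASQUERADE
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAB_NET" -j MASQUERADE
    # Log (rate limited) what the FORWARD DROP policy is about to discard
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Review helper: number of iptables commands the script would issue
count_rules() { DRYRUN=1 build_rules | grep -c '^iptables'; }

case "${1:-}" in
    show)  DRYRUN=1 build_rules ;;
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; build_rules ;;
esac
```

Run `sh fw.sh show` to review the rules it would load, and `sh fw.sh apply` as root to load them; `iptables -L -nvx`, as Jorge asks for, then shows which counters actually move.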

* Re: Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel.
From: Jorge Davila @ 2007-05-17  0:53 UTC (permalink / raw)
  To: Bill Ries-Knight, netfilter

My approach to this:

Internet
!
!
+-----+
!     !
!     !
eth0  tun0
!     !
!     ???
!
+--eth1 (administration/teachers)
!
!
+
eth2 (lab)

Sorry for not putting the allowed access for the roadwarriors in the diagram.

-> "Without ipmasq there is no name based browsing at all" and "VPN happy 
but no browsing"

Is the OpenVPN client configuration telling the clients to use other DNS 
servers than those configured in the gateways? If so, do your 
firewall rules take that kind of traffic into consideration?

Are you speaking about local network navigation using WINS, or DNS resolution 
when browsing the Internet?

To figure out the situation better you must post the output of:

ip r
ip a
iptables -L -nvx

And, additionally, you must ask about the OpenVPN issues on the OpenVPN 
mailing list.

Hope this helps,

Jorge.


Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com



* Re: Looking for a how-to type battle plan for 2 physical subnets and an openvpn tunnel.
From: R. DuFresne @ 2007-05-29 15:33 UTC (permalink / raw)
  To: Bill Ries-Knight; +Cc: netfilter



First off, a firewall is a security device, and should be a dedicated 
device for that purpose only.  Perhaps the OpenVPN might reside here, 
but all the rest belongs on different secured systems.  Especially samba!

I'd at this point look at a project to divide all these services onto their 
own secured systems, and redo the firewall, perhaps with the vpn tunneling 
application as its own dedicated system.  Anything less, and you are 
likely to be facing the same issue of trying to recover hacked/cracked 
servers again in the near future.

As for samba services, they should either be stopped at the inside 
perimeter of the network, or, if really required outside the network, then 
only provided in a secure tunnel.  This is ancient knowledge in the 
security realm.

The point here is: there is no quick fix for this setup.  Once a system 
is hacked, as you state yours has been, you face a total remake of the 
system(s) involved.  And in this case, since the setup was dubious to 
begin with, you have a major project now at hand.

thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>

