From owilcock at eda-on.ca Mon Sep 13 15:10:14 2004
From: owilcock at eda-on.ca (Oliver Wilcock)
Date: Mon, 13 Sep 2004 18:10:14 -0400
Subject: [NARC] narc, ipsec and iptables
Message-ID:

I've been happily using narc for more than a year. Thanks, Shane.

Now I want to set up an IPSec tunnel between two private address ranges and I'm having trouble. I'm using kernel 2.6 (Fedora Core 2, specifically). The symptom is that packets disappear when narc is loaded and things work when it is not.

I've tried tinkering with the log level (changed to warning, which might do the opposite of what I want) and I turned on spoof logging.

NORM_LOG_LEVEL="warning"   # tried with debug initially
LOG_SPOOF="yes"

Note that I've enabled udp 500 for racoon. And racoon -Fv shows the connection succeeding.

After some google searching I found the following:

iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT

which a web page suggested would make iptables accept IPSec packets. After putting the above into narc-custom.conf I finally get some log output:

Sep 13 17:52:46 wallie kernel: SPOOF IN=ppp0 OUT= MAC= SRC=192.168.15.49 DST=192.168.9.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30237 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=64000

This occurs because the machine on the remote network (192.168.15.49) is sending a diagnostic ping. I've read in other places that the unencrypted packet appears to come in on the interface a second time after it has been decrypted. The spoofing filter doesn't like this, for obvious reasons.

Furthermore, I would rather have a more lenient policy for these packets (VPN idea), that is, consider them part of the LAN. The hint I've found on other web pages is to use fwmark. Unfortunately this is stretching the limit of my understanding.

What are my options? Has someone already solved this problem? Please share.
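Added example for the problem described in the message above; it is not narc code and was not posted by anyone on the list. It does two things a practitioner chasing this symptom wants: it parses kernel SPOOF log lines like the one quoted and decides whether an entry is the decapsulated IPsec packet re-entering ppp0 (private source address, external interface, source inside the remote VPN subnet) or a genuine spoof, and it prints the fwmark rule set the thread converges on, tightened with a source-subnet match so that only inner packets from the peer's LAN are trusted. The interface names (ppp0, eth0), the remote subnet 192.168.15.0/24 (inferred from the SRC in the log line) and the mark value 1 are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not narc's code, not from the list posters).
# 1. classify_spoof_line: tell a SPOOF entry caused by a decapsulated IPsec
#    packet apart from a real spoof, given the remote VPN subnet.
# 2. ipsec_passthrough_rules: print the fwmark rules from the thread,
#    restricted to the peer's subnet.
# Assumed topology, taken from the thread: ppp0 is the Internet side, eth0
# the LAN, the remote VPN LAN is 192.168.15.0/24 (inferred from the log).
EXT_IF=ppp0
INT_IF=eth0
VPN_REMOTE_NET=192.168.15.0/24
IPSEC_MARK=1

# Pull one KEY=value field out of a netfilter log line.  An empty value
# (e.g. "OUT=" on an INPUT-chain entry) yields an empty string.
nf_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\([^ ]*\).*/\1/p"
}

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR block $2 (e.g. 192.168.15.0/24).
in_cidr() {
    local net prefix mask
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Verdict for one kernel log line: "vpn-decapsulated" when the packet came in
# on the external interface from the remote VPN subnet, which is exactly what
# the anti-spoof rule sees after ESP decapsulation; "spoof" otherwise.
classify_spoof_line() {
    local in_if src
    in_if=$(nf_field IN "$1")
    src=$(nf_field SRC "$1")
    if [ "$in_if" = "$EXT_IF" ] && in_cidr "$src" "$VPN_REMOTE_NET"; then
        echo vpn-decapsulated
    else
        echo spoof
    fi
}

# The fwmark approach: mark the outer ESP packet in mangle/PREROUTING, rely
# on the mark surviving decapsulation (as reported on the thread's 2.6 kernel)
# and accept marked packets before the anti-spoof rules run.  Added here:
# "-s $VPN_REMOTE_NET", so only inner packets from the peer's LAN are
# trusted, not anything that happened to arrive inside ESP.
ipsec_passthrough_rules() {
    cat <<EOF
iptables -A INPUT -i $EXT_IF -p esp -j ACCEPT
iptables -A INPUT -i $EXT_IF -p ah -j ACCEPT
iptables -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark $IPSEC_MARK
iptables -I FORWARD -i $EXT_IF -o $INT_IF -m mark --mark $IPSEC_MARK -s $VPN_REMOTE_NET -j ACCEPT
iptables -I INPUT -i $EXT_IF -m mark --mark $IPSEC_MARK -s $VPN_REMOTE_NET -j ACCEPT
EOF
}

# Sample input: the SPOOF line quoted in the message above, plus one
# constructed line with a source outside the VPN subnet.
SAMPLE_VPN='Sep 13 17:52:46 wallie kernel: SPOOF IN=ppp0 OUT= MAC= SRC=192.168.15.49 DST=192.168.9.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30237 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=64000'
SAMPLE_SPOOF='Sep 13 18:01:02 wallie kernel: SPOOF IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=192.168.9.1 LEN=40 PROTO=TCP SPT=4444 DPT=22'

echo "$(classify_spoof_line "$SAMPLE_VPN")  <- SRC=$(nf_field SRC "$SAMPLE_VPN")"
echo "$(classify_spoof_line "$SAMPLE_SPOOF")  <- SRC=$(nf_field SRC "$SAMPLE_SPOOF")"
ipsec_passthrough_rules
```

The classifier is for reading logs after the fact; the rules are what goes into narc-custom.conf. The mark only proves that a packet arrived inside ESP, which is why the added "-s" match matters: without it any peer with a valid SA could inject arbitrary inner source addresses past the anti-spoof rules. On later 2.6 kernels that ship the policy match, `-m policy --dir in --pol ipsec` matches packets that were actually decapsulated and removes the dependence on the mark surviving; that is an assumption about newer kernels, not something the thread's Fedora Core 2 kernel is claimed to offer.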
From owilcock at eda-on.ca Tue Sep 14 19:58:13 2004
From: owilcock at eda-on.ca (Oliver Wilcock)
Date: Tue, 14 Sep 2004 22:58:13 -0400
Subject: [NARC] Re: narc, ipsec and iptables
In-Reply-To: <20040914190003.A805486B7C@mail.knowplace.org>
Message-ID:

The following seems to work in narc-custom.conf. ppp0 goes to the Internet, eth0 is the LAN side. I guess it would be better to send the traffic to the first narc rule instead of ACCEPTing it.

# next two lines accept IPSec
iptables -A INPUT -i ppp0 -p 50 -j ACCEPT
iptables -A INPUT -i ppp0 -p 51 -j ACCEPT

iptables -t mangle -A PREROUTING -i ppp0 -p esp -j MARK --set-mark 1
iptables -I FORWARD -i ppp0 -m mark --mark 1 -o eth0 -j ACCEPT
iptables -I INPUT -i ppp0 -m mark --mark 1 -j ACCEPT

From daanwillems at marconi.demon.nl Sat Sep 25 05:55:14 2004
From: daanwillems at marconi.demon.nl (Daan Willems)
Date: Sat, 25 Sep 2004 14:55:14 +0200
Subject: [NARC] narc cluttering /var/log/syslog
Message-ID: <41556AB2.5030907@marconi.demon.nl>

Hello,

Being new to this list, the reason I subscribed was to find out if there's a way to stop narc logging into /var/log/syslog (and /var/log/debug). I have been using narc for a couple of years now with great effort on my Debian Linux box, but this single bit simply annoys me. I know some other people are also experiencing problems with narc cluttering up their syslogs.

Obviously, I did add the [kern.=debug -/var/log/firewall.log] line to /etc/syslog.conf and restarted syslog, and indeed narc logs to the requested /var/log/firewall.log; but also to syslog.

FYI, my narc.conf logging related settings (basically log everything, and levels are set to debug) are posted below.

Best,
Daan Willems

-------------------------------------
# Logging options
LOG_DROPS="yes"            # If this is turned off, the rest of the log options have no effect.
NORM_LOG_LEVEL="debug"     # Log everything to /var/log/firewall.log ONLY if you add 'kern.=debug -/var/log/firewall.log' to /etc/syslog.conf
WARN_LOG_LEVEL="debug"     # Change to "warning" if you want more urgent logging to show up in /var/log/warn
LOG_PROBES="yes"           # Uses the TCP/UDP_PROBE# below to monitor certain ports
LOG_ILLEGAL="yes"          # Logs packets defined by ILLEGAL_TCP_FLAGS in the advanced section below.
LOG_INVALID="yes"          # Logs packets that do not belong to a valid connection
LOG_SPOOF="yes"            # Logs packets defined by the anti-spoof options in the advanced section below.
LOG_ICMP="yes"             # Logs packets not accepted by ALLOW_ICMP_MESSAGE (below)
LOG_SMB="yes"              # Logs SMB/Windows CIFS related packets
LOG_PACKET_LENGTH="yes"    # Logs TCP SYN packets that have bad header length (PACKET_LENGTH)
LOG_LIMIT_EXCEED="yes"     # Logs TCP connections that exceed LIMIT_RATE
LOG_IPLIMIT_EXCEED="yes"   # Logs TCP connections that exceed IPLIMIT_MAX_ACCEPT
LOG_ALL_ELSE="yes"         # This logs everything that we didn't explicitly match (recommended)
BURST_MAX="5"              # default is 5
LOG_RATE="1/s"             # not implemented - may not be a good idea
-------------------------------------