R&S GP-U gateprotect Firewall How-to

Transcription

1 gateprotect Firewall How-to Configuring NAT rules using NETMAP (T^Wæ2) Cybersecurity How-to

2 2017 Rohde & Schwarz Cybersecurity GmbH Muehldorfstr. 15, Munich, Germany Phone: +49 (0) Internet: cybersecurity.rohde-schwarz.com Printed in Germany Subject to change Data without tolerance limits is not binding. R&S is a registered trademark of Rohde & Schwarz GmbH & Co. KG. Trade names are trademarks of the owners.

3 Introduction 1 Introduction The following two examples explain how to use NAT rules to set up fakenets using the gateprotect Firewall. Fakenets are needed when two sites using identical networks are connected via VPN. You need to differentiate between two scenarios in this regard: connecting different networks and connecting identical networks. The following examples illustrate these scenarios. This how-to refers to version 9.6 and higher. For further information, refer to the gateprotect User Manual applicable to your particular software version. 3

4 Scenario 1 - Connecting Two Sites Using One Fakenet Setting Up the Fakenet 2 Scenario 1 - Connecting Two Sites Using One Fakenet 2.1 Prerequisites Site A and site B have the following networks: Site A Site B eth / /24 eth / /24 eth / /24 eth / /24 A VPN connection using IPsec Site-to-Site is created between A /24 and B /24 connecting different networks of the two sites. This causes routing conflicts at site B as it is not clear whether response packets should be routed to eth0 at site B or to eth3 at site A. This problem can be solved by setting up a fakenet at site A so that response packets at site B are clearly routed to site A. 2.2 Setting Up the Fakenet When choosing the fakenet make sure it is not already in use at one of the sites, for example: /24. Make sure that the fakenet uses the same netmask as the real network. Configuring the IPsec S2S Connection Use the Administration Client to connect to the gateprotect Firewall of site A. Set up the IPsec S2S tunnel between site A and site B. For further information, see the gateprotect User Manual. Set up the following networks in the process: Local network <fakenet> /24 Remote network <real remote network> /24 Accordingly, the fakenet is connected to the real remote network. 4

5 Scenario 1 - Connecting Two Sites Using One Fakenet Setting Up the Fakenet Configure IPsec at site B in line with site A. Creating the Mapping File Create a mapping file that solves the routing problem between the two sites: 1. Use an SSH client to log on to the firewall at site A. 2. Create a mapping file (using vim or nano, for example) at: /opt/gateprotect/etc/bootup-late.d/<filename>. Note: The filename must contain neither a full stop (.) nor a file extension. The file has the following content: #!/bin/sh iptables -t nat -I POSTROUTING -s <real LAN network> -d <real remote network> -m state --state NEW -m comment --comment 'NETMAP IPsec' -j NETMAP --to <fakenet> iptables -t nat -I PREROUTING -s <real remote network> -d <fakenet> -m state --state NEW -m comment --comment 'NETMAP IPsec' -j NETMAP --to <real local network> According to this example, assign the variables as follows: <real LAN network> /24 <real remote network> /24 <fakenet> /24 Activate the mapping rules: 1. Close the mapping file. 2. Make it an executable file. For this purpose enter the following command in the command line of the firewall: chmod u+x /opt/gateprotect/etc/bootup-late.d/<filename> 3. Activate the rules by executing the file. To do so, call it up in the command line of the firewall: /opt/gateprotect/etc/bootup-late.d/<filename> Creating Firewall Rules Create rules for the VPN connection using the Administration Client (see the gateprotect User Manual). Log on to the firewall at site A using the Administration Client. 1. Create a desktop object for the LAN network: a) Drag a group object from the toolbar to the desktop. A configuration dialog opens. b) Enter a name for the network group. c) Under "Mode", select "Network". d) Under "Connected to", select eth3. 5

6 Scenario 1 - Connecting Two Sites Using One Fakenet Setting Up the Fakenet e) Under "IP address" and "Subnet mask", enter the address of the LAN network. In this example, enter /24. f) Click "Ok" to save your settings and to close the configuration dialog. 2. Create a desktop object for the remote network: a) Drag a group object from the toolbar to the desktop. A configuration dialog opens. b) Enter a name for the network group. c) Under "Mode", select "Network". d) Under "Connected to", select any. e) Under "IP address" and "Subnet mask", enter the address of the remote network. In this example, enter /24. f) Click "Ok" to save your settings and to close the configuration dialog. 3. In the toolbar, select the connection tool (or press the space bar). First click the LAN object and then the remote network object. (Do not click the VPN object.) The rules editor opens. 4. Set up the rules you need for your requirements. 5. Optional: Set up a VPN group object to display the status of the VPN tunnel on the desktop. Figure 2-1: Network connections using one fakenet. There is nothing in particular to pay attention to regarding the firewall at site B. Use it to set up the firewall rules between the VPN object and the local network of site B. Setup of the fakenet at site A is now complete. 6

7 Scenario 1 - Connecting Two Sites Using One Fakenet Setting Up the Fakenet Site B accesses site A via the fakenet ( /24). NAT does not change the host address. 7

8 Scenario 2 - Connecting Two Sites Using Two Fakenets Setting Up the Fakenets 3 Scenario 2 - Connecting Two Sites Using Two Fakenets 3.1 Prerequisites Site A and site B have the following networks: Standort A Standort B eth / /24 eth / /24 eth / /24 eth / /24 A VPN connection using IPsec Site-to-Site is created between A /24 and B /24 connecting two identical networks of the two sites. This causes routing conflicts as it is not clear if packets are to be directed to the destination host at site A or site B. This problem can be solved by setting up fakenets at both sites so that packets of both sites can be clearly routed. 3.2 Setting Up the Fakenets When choosing the fakenets make sure they are not already in use at either of the sites, for example: /24 24 (for site A) and /24 (for site B). Make sure that the fakenets use the same netmask as the real networks. Configuring the IPsec S2S Connection Set up the IPsec S2S tunnel between site A and site B. For further information, see the gateprotect User Manual. Connect the two fakenets as local and remote networks. Creating the Mapping Files Create mapping files for the routing between the networks of the two sites. Perform the following steps on both firewalls: 1. Use an SSH client to log on to the firewall. 8

9 Scenario 2 - Connecting Two Sites Using Two Fakenets Setting Up the Fakenets 2. Create a mapping file (using vim or nano, for example) at: /opt/gateprotect/etc/bootup-late.d/<filename> Note: The filename must contain neither a full stop (.) nor a file extension. The file for site A has the following content: #!/bin/sh iptables -t nat -I POSTROUTING -s <real LAN network> -d <local fakenet B> -m state --state NEW -m comment --comment 'NETMAP IPsec' -j NETMAP --to <local fakenet A> iptables -t nat -I PREROUTING -s <local fakenet B> -d <local fakenet A> -m state --state NEW -m comment --comment 'NETMAP IPsec' -j NETMAP --to <real LAN network> According to this example, assign the variables as follows: <real LAN network> /24 <local fakenet A> /24 <local fakenet B> /24 The file for site B has the following content: #!/bin/sh iptables -t nat -I POSTROUTING -s <real LAN network> -d <local fakenet A> -m state --state NEW -m comment --comment 'NETMAP IPsec' -j NETMAP --to <local fakenet B> iptables -t nat -I PREROUTING -s <local fakenet A> -d <local fakenet B> -m state --state NEW -m comment --comment 'NETMAP IPsec' -j NETMAP --to <real LAN network> According to this example, assign the variables as follows: <real LAN network> /24 <local fakenet A> /24 <local fakenet B> /24 Activate the mapping rules on both firewalls: 1. Close the mapping files. 2. Make them executable files. For this purpose enter the following command in the command line of the respective firewall: chmod u+x /opt/gateprotect/etc/bootup-late.d/<filename> 3. Activate the rules by executing the files. To do so, call the respective file up in the command line of the corresponding firewall: /opt/gateprotect/etc/bootup-late.d/<filename> Creating Firewall Rules Create rules for the VPN connection at both sites using the Administration Client (see the gateprotect User Manual). 9

10 Scenario 2 - Connecting Two Sites Using Two Fakenets Setting Up the Fakenets To do so, create the following objects and connect them using the connection tool: 1. At site A: Object <real LAN network> connected to <local fakenet B> (as group object) <local fakenet B> (as group object) connected to <local fakenet A> optional: VPN object (to display the status of the VPN tunnel on the desktop) Figure 3-1: Network at site A. 2. At site B: Object <real LAN network> connected to <local fakenet A> (as group object) <local fakenet A> (as group object) connected to <local fakenet B> optional: VPN object (to display the status of the VPN tunnel on the desktop) 3. Set up the rules for the individual connections using the rules editor. Figure 3-2: Network at site B. The setup of the fakenets is complete at both sites. Site A accesses site B via fakenet /24. Site B accesses site A via fakenet /24. NAT does not change the host address. 10