I have a reverse-proxy server (IP 192.168.5.12) in the DMZ of my local IPFire firewall. I have a machine at Amazon AWS (IP 172.18.6.12) which is connected by an IPsec VPN to my local IPFire firewall.
I am trying to make the machine at AWS communicate with the reverse-proxy server in my DMZ (at first, only through the ping command, i.e. the ICMP protocol).
Can I set up a rule from the IPFire dashboard in “Firewall rules”, or do I have to set up a custom iptables rule on the command line in “/etc/sysconfig/firewall.local”?
I can’t build this rule to, for example, already allow the ICMP protocol.
From my Green interface, I have no problem reaching the AWS network. The problem is only with my DMZ or my Wifi network (Blue).
Should I add a static route?
I don’t see what route I should add, since the firewall already knows how to route the traffic to the networks concerned (DMZ, BLUE, GREEN and the AWS IPsec network).
I would like to know whether, in your opinion, I forgot something other than the only firewall rule, which says to allow:
SOURCE: IPsec at AWS selected
NAT: Source NAT checked to the ORANGE network interface (DMZ 192.168.5.1) of my firewall.
DESTINATION: 192.168.5.12 (my machine in the DMZ)
PROTOCOL: ICMP
…but without success; the traffic does not pass.
Here is a small diagram of what I want to achieve, if it helps you to see more clearly.
As a reminder, the machine at AWS (172.18.6.12) can currently reach the machines in the LAN (in green).
I also want 172.18.6.12 to be able to reach 192.168.5.12 (located in the DMZ, in orange).
You are trying to make a private IP (192.168.5.12) reachable from the outside (AWS). That is not possible. Given that the reverse proxy (rp) on orange is only reachable via port forwarding (see here: Default rule set), you can’t route ICMP messages through, since the only routable address you can ping from outside is the external IP of your IPFire appliance. So just scrap the whole ICMP endeavour and concentrate on the ipsec <-> orange problem. You will need a route from the ipsec subnet into your DMZ. Unfortunately I can’t help you there, as I don’t use IPsec.
The machine in the DMZ (192.168.5.12, the ORANGE network on my diagram) is used as a reverse proxy. It is accessible from the LAN (GREEN network on my diagram) and even from outside (RED interface on IPFire) thanks to rules in the IPFire firewall.
So on this side I don’t have any accessibility problem from the outside to the internal services (either on the LAN or in the DMZ).
Actually, the only traffic that works through the IPsec VPN connection is the traffic between the LAN (in green on my diagram above) and the VPC at AWS.
My problem is that I am setting up a new service on my VPC at AWS and I don’t want to expose this service directly on the Internet.
I want the traffic to this service to go through my reverse proxy (192.168.5.12) in my DMZ, which will forward the traffic to my VPC at AWS.
Thanks for the clarification. After looking through your posts I think the second firewall rule, from the ipsec net TO the orange net, should be the right place. Though the interface seems wrong: the ipsec net isn’t receiving its packets from ppp0 but from tun0 or the like. I don’t know the exact name; you should look it up and adjust that rule accordingly. Any luck?
Thank you @jon Jon for this reminder.
Until now I didn’t have PREROUTING rules in custom, because I use “CUSTOM” more for INPUT or FORWARD (CUSTOMINPUT or CUSTOMFORWARD). When I find the right syntax I will put the rule in “CUSTOM”.
What I need for now is to know how to allow my DMZ to talk through IPsec with my machine at Amazon AWS.
Many thanks
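As an added illustration of the firewall.local route mentioned in the posts above (this is example code, not from any poster or from IPFire itself), here is a fragment that adds the forwarding rules for the ICMP test between the two hosts named in the thread. It assumes the IPFire chain name CUSTOMFORWARD, the ORANGE interface name orange0, and that the kernel's IPsec policy match (`-m policy`) is available; the rules accept only traffic that was decapsulated from an IPsec SA, only from the AWS host, only ICMP, and only to the DMZ host, with replies covered by a stateful rule.

```shell
#!/bin/sh
# Added example fragment in the style of /etc/sysconfig/firewall.local.
# Addresses come from the thread; chain and interface names are assumptions.
AWS_HOST="172.18.6.12"              # host behind the IPsec tunnel
DMZ_HOST="192.168.5.12"             # reverse proxy on ORANGE
ORANGE_IF="${ORANGE_IF:-orange0}"   # assumed ORANGE interface name; adjust
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"             # 1 = print the rules instead of applying them

# run_ipt: apply one iptables command, or print it in dry-run mode
run_ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s %s\n' "$IPT" "$*"
  else
    "$IPT" "$@"
  fi
}

# ipsec_to_orange_rules: "$1" is -A (add) or -D (delete).
# Rule 1: new ICMP flows from the AWS host to the DMZ host, but only if the
#         packet arrived through an IPsec SA (policy match), so a spoofed
#         cleartext packet with the AWS source address is not accepted.
# Rule 2: return traffic for those flows, matched by connection tracking.
ipsec_to_orange_rules() {
  action="$1"
  run_ipt "$action" CUSTOMFORWARD -m policy --dir in --pol ipsec \
    -s "$AWS_HOST" -d "$DMZ_HOST" -o "$ORANGE_IF" -p icmp \
    -m conntrack --ctstate NEW -j ACCEPT
  run_ipt "$action" CUSTOMFORWARD -i "$ORANGE_IF" \
    -s "$DMZ_HOST" -d "$AWS_HOST" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# firewall.local is invoked with start / reload / stop
case "${1:-}" in
  start|reload) ipsec_to_orange_rules -A ;;
  stop)         ipsec_to_orange_rules -D ;;
esac
```

Run it with `DRY_RUN=1 sh firewall.local start` first to review the exact rules before applying them, and check `iptables -L CUSTOMFORWARD -v -n` afterwards to see the counters move while pinging.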
Hi Everybody,
I finally decided to install Bird on my IPFire firewall and do the BGP configuration for the VPN tunnel between AWS and us.
It’s the easiest way to set up the routing, and it’s working well so far.
I asked @ms for help and I thank him for his work