Ipfire DMZ network and VPN IPSEC

Hi everybody,

I have a problem setting up a rule on my firewall.

I have a reverse-proxy server (@IP 192.168.5.12) in the DMZ of my local Ipfire firewall. I have a machine at Amazon AWS (@172.18.6.12) which is connected by an IPSEC VPN to my local Ipfire firewall.
I am trying to make the machine at AWS communicate with the reverse-proxy server in my DMZ (at first, only through the ping command (ICMP protocol)).

Can I set up a rule from the IPfire dashboard in “Firewall rules”, or do I have to set up an iptables CUSTOM rule on the command line in “/etc/sysconfig/firewall.local”?
I can’t build this rule, for example to allow just the ICMP protocol :frowning:

Can you help me, please?
It seems that the problem I am experiencing is similar to the one posted by another user:
https://community.ipfire.org/t/how-to-make-this-working-through-ipsec/8988/14
Thanks

From my Green interface I have no problem reaching the AWS network. The problem is just from my DMZ or my Wifi network (Blue).

Should I add a static route?
I don’t see what route I should put, since the firewall already knows how to route the traffic to the concerned networks (DMZ, BLUE, GREEN and AWS ipsec).

I would like to know whether, in your opinion, I forgot something apart from the only firewall rule, which says to allow:

SOURCE: IPsec at AWS selected
NAT: Source NAT checked to the ORANGE network interface (DMZ 192.168.5.1) of my firewall.
DESTINATION: 192.168.5.12 (my machine in the DMZ)
PROTOCOL: ICMP

Any idea?

Hi,

I tried to implement the following iptables rules:

iptables -A IPSECFORWARD --in-interface orange0 --source 192.168.5.12 --out-interface ppp0 --destination 172.18.6.0/24 --jump ACCEPT
iptables -A IPSECFORWARD --in-interface ppp0 --source 172.18.6.0/24 --out-interface orange0 --destination 192.168.5.12 --jump ACCEPT
iptables -A IPSECFORWARD --match policy --dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src 2.67.23.75 --in-interface orange0 --source 192.168.5.12 --out-interface ppp0 --destination 172.18.6.0/24 --jump ACCEPT
iptables -A IPSECFORWARD --match policy --dir in --pol ipsec --mode tunnel --tunnel-dst 2.67.23.75 --tunnel-src 0.0.0.0/0 --in-interface ppp0 --source 172.18.7.0/24 --out-interface orange0 --destination 192.168.5.12 --jump ACCEPT

…but without success: the traffic does not pass :frowning:
Here is a small diagram of what I want to achieve, if it can help you to see more clearly.

Exemple_for-iptable-rules

As a reminder, the machine at AWS (172.18.6.12) can currently reach the machines in the LAN (in green).
I also want 172.18.6.12 to be able to reach 192.168.5.12 (located in the DMZ, in orange).

Thanks

Hi everybody,
Please help… does no one have any idea how to do this?
Thanks

You try to make a private ip (192.168.5.12) reachable from the outside (AWS). That is not possible. Given that the reverse proxy (rp) on orange is only reachable via port forwarding (see here: Default rule set) you can’t route icmp messages through, since the only routable address you can ping from outside is the external ip of your ipfire appliance. So just scrap the whole icmp endeavour and concentrate on the ipsec <-> orange problem. You will need a route from the ipsec subnet into your dmz. Unfortunately I can’t help you there as I don’t use ipsec. :frowning:

Hi @dal8moc
Thank you for your answer :wink:

The machine in the DMZ (192.168.5.12, the network in ORANGE on my diagram) is used as a Reverse Proxy. It is accessible from the LAN (GREEN network on my diagram) and even from outside (RED interface on ipfire) thanks to rules in the Ipfire Firewall.
So on this side I don’t have any accessibility problem with the DMZ, from the outside to the internal services (either on the LAN or in the DMZ).
Actually, the only traffic that works through the ipsec VPN connection is the one between the LAN (in green on my diagram above) and the VPC at AWS.

My problem is that I am setting up a new service on my VPC at AWS and I don’t want to expose this service in frontend on the net.
I want the traffic to access this service to go through my reverse proxy (192.168.5.12) in my DMZ which will forward this traffic to my VPC at AWS.

Many thanks

Thanks for the clarification. After looking through your posts I think the second fw rule, from the ipsec net TO the orange net, should be the right place. Though the interface seems wrong: the ipsec net isn’t receiving its packets from ppp0 but from tun0 or the like. I don’t know the exact name; you should look it up and adjust that rule accordingly. Any luck?
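
The interface point above is the crux: on a policy-based IPsec tunnel there is often no dedicated tunnel interface to match on, so a rule keyed to `ppp0` or `tun0` never sees the decapsulated packets. The following is an added example, not code from this thread or from IPFire, showing how the CUSTOMFORWARD rules for `/etc/sysconfig/firewall.local` could be keyed to the kernel's xfrm policy (`-m policy --pol ipsec`, a real iptables match) instead of an interface. The chain name, the `orange0` interface name, the `IPT` dry-run variable and the decision to allow only proxy-initiated connections plus ICMP echo for testing are assumptions; the addresses 192.168.5.12 and 172.18.6.0/24 are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not IPFire's own firewall.local):
# generate the forward rules between the DMZ reverse proxy and the AWS
# VPC subnet over a policy-based IPsec tunnel. With IPT left at its
# default this only prints the commands; set IPT=iptables on the box.

IPT="${IPT:-echo iptables}"          # dry-run by default (assumption)
DMZ_IF="${DMZ_IF:-orange0}"          # assumption: ORANGE interface name
DMZ_HOST="${DMZ_HOST:-192.168.5.12}" # reverse proxy in the DMZ (from thread)
VPC_NET="${VPC_NET:-172.18.6.0/24}"  # AWS VPC subnet (from thread)
CHAIN="${CHAIN:-CUSTOMFORWARD}"      # hook chain used by firewall.local

# Emit the rule set. $1 is the iptables action: -A on start, -D on stop.
ipsec_dmz_rules() {
    action="$1"
    # DMZ host -> VPC: the packet enters on orange0 and will be encapsulated
    # by the xfrm policy on the way out, so match the policy, not an interface.
    $IPT "$action" "$CHAIN" -i "$DMZ_IF" -s "$DMZ_HOST" -d "$VPC_NET" \
        -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
    # VPC -> DMZ host: only replies to connections the proxy opened, so the
    # VPC side cannot initiate arbitrary connections into the DMZ.
    $IPT "$action" "$CHAIN" -o "$DMZ_IF" -s "$VPC_NET" -d "$DMZ_HOST" \
        -m policy --dir in --pol ipsec --mode tunnel \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Diagnostics only: let the VPC host ping the proxy (the echo-reply goes
    # back under the first rule). Drop this rule once the path is verified.
    $IPT "$action" "$CHAIN" -o "$DMZ_IF" -s "$VPC_NET" -d "$DMZ_HOST" \
        -m policy --dir in --pol ipsec --mode tunnel \
        -p icmp --icmp-type echo-request -j ACCEPT
}

# firewall.local style dispatch: start/stop/reload are the actions IPFire
# calls; with no argument nothing is applied.
case "${1:-}" in
    start)  ipsec_dmz_rules -A ;;
    stop)   ipsec_dmz_rules -D ;;
    reload) ipsec_dmz_rules -D; ipsec_dmz_rules -A ;;
    *)      ;;
esac
```

Running the script without `IPT=iptables` just prints the three rules, which is a convenient way to review them before they touch the FORWARD path; `iptables -L CUSTOMFORWARD -v -n` and a tcpdump on `orange0` then confirm whether the counters move and whether the decapsulated packets actually reach the DMZ.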

Hi everybody,

I thought I had found the solution with a PREROUTING rule, but obviously not :frowning:
My DMZ still doesn’t communicate through my IPSEC tunnel to Amazon AWS!

I can get my LAN to communicate through the IPSEC tunnel but not my DMZ… does anyone have a solution with an iptables rule?

Many thanks

If you have a custom rule in firewall.local, maybe it should be CUSTOMPREROUTING.

https://wiki.ipfire.org/configuration/firewall/firewall-local#for-nat-table

Thank you @jon Jon for this reminder.
Until now I didn’t have PREROUTING rules in custom, because I mostly use “CUSTOM” for INPUT or FORWARD (CUSTOMINPUT or CUSTOMFORWARD). When I find the right syntax I will put the rule in “CUSTOM” :wink:
What I need for now is to know how to allow my DMZ to talk through IPSEC with my machine at Amazon AWS :wink:
Many thanks

Hi Everybody,
I finally decided to install Bird on my Ipfire FW and do the BGP configuration for the VPN tunnel between AWS and us.
It’s the easiest way to set up the routing, and it’s working well so far :wink:
I asked @ms for help and I thank him for his work :wink:
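
The thread ends with the routing being handled by BIRD speaking BGP to AWS rather than by hand-made iptables rules. As an added illustration, not the poster's configuration and not from IPFire or AWS, here is the shape such a BIRD 2 setup takes, with the two points a defender cares about most: only the connected GREEN and ORANGE subnets are announced, and only the VPC prefix is accepted from the far end, so a mistaken or malicious announcement cannot replace the default or local routes. The ASNs, the 169.254.x.x inside-tunnel addresses, the interface names and the router id are constructed placeholders (AWS provides the real values with the site-to-site VPN download); 172.18.0.0/16 is assumed as the VPC range containing the 172.18.6.0/24 subnet from the thread.

```bird
# Added example: minimal BIRD 2 configuration for a BGP session over the
# AWS site-to-site VPN. All addresses and ASNs below are placeholders.
log syslog all;
router id 192.168.5.1;            # placeholder: the IPFire ORANGE address

protocol device {
}

# Pick up the directly connected GREEN and ORANGE subnets so they can be
# announced to the VPC; nothing else is originated.
protocol direct {
    ipv4;
    interface "green0", "orange0";   # assumption: IPFire interface names
}

# Install the routes learned over BGP (the VPC subnet) into the kernel, so
# the DMZ host gets a path to 172.18.6.0/24 without a static route.
protocol kernel {
    ipv4 {
        export where source = RTS_BGP;
    };
}

protocol bgp aws_tunnel1 {
    local 169.254.10.2 as 65000;     # placeholder: customer inside address / ASN
    neighbor 169.254.10.1 as 64512;  # placeholder: AWS inside address / ASN
    hold time 30;
    ipv4 {
        # Accept only prefixes inside the VPC range; anything else from the
        # far end (a default route, our own subnets) is rejected.
        import filter {
            if net ~ [ 172.18.0.0/16+ ] then accept;
            reject;
        };
        # Announce only the connected subnets, never routes learned from AWS.
        export where source = RTS_DEVICE;
    };
}
```

With this in place `birdc show route` lists 172.18.6.0/24 as learned from `aws_tunnel1`, and `birdc show route export aws_tunnel1` confirms that only the GREEN and ORANGE prefixes leave the appliance; a second `protocol bgp` block with the second tunnel's inside addresses gives the redundancy AWS expects.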