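StrongSwan 6.0.x - strongSwan is an OpenSource IPsec-based VPN solution.
https://github.com/strongswan/strongswan/
https://github.com/strongswan/strongswan/tags
https://github.com/strongswan/strongswan/discussions
https://www.strongswan.org/
https://docs.strongswan.org/
https://wiki.strongswan.org/
# ------------------------------------------------
# (Review note: check the tarball against the detached signature published
#  with the release before building it; wget alone verifies nothing.)
root@machin:~ # wget -4 https://github.com/strongswan/strongswan/releases/download/6.0.1/strongswan-6.0.1.tar.bz2
root@machin:~ # tar xjf strongswan-6.0.1.tar.bz2
root@machin:~ # cd strongswan-6.0.1
root@machin:~/strongswan-6.0.1 # ./configure --prefix=/usr --sysconfdir=/etc --with-systemdsystemunitdir=/lib/systemd/system --disable-ikev1 --enable-attr --enable-silent-rules --enable-charon --enable-ikev2 --enable-vici --enable-swanctl --enable-nonce --enable-random --enable-drbg --enable-openssl --enable-ml --enable-pem --enable-x509 --enable-certexpire --enable-constraints --enable-whitelist --enable-revocation --enable-pki --enable-pubkey --enable-socket-default --enable-kernel-netlink --enable-resolve --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-dynamic --enable-eap-tls --enable-eap-ttls --enable-eap-radius --enable-eap-peap --enable-xauth-eap --enable-dhcp --enable-addrblock --enable-eap-tnc --enable-unity --enable-updown --enable-radattr --enable-ha
strongSwan will be built with the following plugins
-----------------------------------------------------
libstrongswan: random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl pkcs8 xcbc cmac kdf ml drbg
libcharon: attr kernel-netlink resolve socket-default vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap dhcp ha whitelist certexpire radattr addrblock unity counters
libtnccs: tnc-tnccs
libtpmtss:
root@machin:~/strongswan-6.0.1 # make && make install
root@machin:~/strongswan-6.0.1 # cat /root/strongSwan-v6.sh
#!/bin/bash
### BEGIN INIT INFO
# Provides:          charon
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO
#####-------------------------- VARIABLES ----------------------------######
# Author : O.Romain.Jaillet-ramey (orj at lab3w dot fr)
# Date   : 2025/03/15
# Desc   : My script strongSwan 6.x.x for status|start|stop|restart
#
# Usage  : strongSwan-v6.sh (status|start|stop|restart)
#   start/restart : run the stop sequence, then launch charon in the background
#   stop          : terminate charon, then flush routing table 220 and the
#                   IPv4/IPv6 XFRM policies and states
#   status        : print the SAs known to swanctl, routing table 220 and the
#                   XFRM policies/states
#
# NOTE(review): ./configure above was given --with-systemdsystemunitdir, so a
# systemd unit for charon is installed as well; on a systemd host that unit
# (supervision, restart-on-failure, journald) is preferable to starting the
# daemon by hand from this script.
set -u

readonly CHARON=/usr/libexec/ipsec/charon
readonly IP=/usr/sbin/ip
readonly CHARON_LOG=/var/log/syslog   # charon's stdout+stderr are appended here

#######################################
# Wait (at most ~10 s) until no process named exactly "charon" remains, so
# that a restart does not race the old daemon for UDP 500/4500 and the vici
# socket.
# Returns: 0 once no charon process is left, 1 on timeout
#######################################
wait_charon_gone() {
  local i
  for ((i = 0; i < 20; i++)); do
    pgrep -x charon >/dev/null || return 0
    sleep 0.5
  done
  return 1
}

#######################################
# Terminate charon, then clean up the kernel state the VPN leaves behind.
# Globals: IP (read)
# Outputs: "<script> Stop" on stdout, a warning on stderr if charon lingers
#######################################
charon_stop() {
  echo "$0 Stop"
  # Stop the daemon first and only then flush: charon normally removes the
  # SAs/policies it installed when it shuts down, and flushing while it is
  # still running leaves a window in which it can re-install state.
  # -x matches the process name exactly, so a process whose name merely
  # contains "charon" is not signalled.
  pkill -x charon
  wait_charon_gone || echo "$0 Stop: charon still running after timeout" >&2
  # NOTE(review): these flushes remove EVERY route in table 220 and EVERY
  # IPsec policy/state on this host, not only the ones charon created.
  # Keep them only if charon is the sole XFRM user on this machine.
  "$IP" -6 route flush table 220
  "$IP" -4 route flush table 220
  "$IP" -6 xfrm policy flush
  "$IP" -4 xfrm policy flush
  "$IP" -6 xfrm state flush
  "$IP" -4 xfrm state flush
}

#######################################
# Run the stop sequence, then start charon detached.
# Globals: CHARON, CHARON_LOG (read)
#######################################
charon_start() {
  charon_stop
  echo "$0 Starting"
  # Both streams go to the syslog file (the original "2>/dev/null 2>&1"
  # ended up doing the same).  This bypasses the syslog daemon; charon's
  # own syslog logger in strongswan.conf is the usual alternative.
  "$CHARON" >>"$CHARON_LOG" 2>&1 &
}

# Print the header / footer that frames each status section.
section_open() {
  echo "# -------------------------"
  echo "# $1"
  echo "# -------"
  echo ""
}
section_close() {
  echo ""
  echo "# -------"
  echo ""
}

#######################################
# Show SAs, VPN routes and XFRM policies/states.
# Globals: IP (read)
# Outputs: the report on stdout
#######################################
charon_status() {
  echo "$0 Status"
  section_open "Security Association"
  swanctl --list-sas
  section_close
  section_open "Route show"
  "$IP" -6 route show table 220
  "$IP" -4 route show table 220
  section_close
  section_open "XFRM Policy"
  "$IP" -6 xfrm policy
  "$IP" -4 xfrm policy
  section_close
  section_open "XFRM State"
  "$IP" -6 xfrm state
  "$IP" -4 xfrm state
  section_close
}

# Usage message on stderr; exit 2 (LSB: invalid or excess arguments).
usage() {
  echo "usage : $0 (status|start|stop|restart)" >&2
  exit 2
}

#####-------------------------- START / STOP ----------------------------######
main() {
  case "${1:-}" in
    start|restart) charon_start ;;
    stop)          charon_stop ;;
    status)        charon_status ;;
    *)             usage ;;
  esac
}
main "$@"
#####-------------------------- START / STOP ----------------------------######
root@machin:~/strongswan-6.0.1 # chmod u+x /root/strongSwan-v6.sh
root@machin:~/strongswan-6.0.1 # ls -l /root/strongSwan-v6.sh
-rwxr--r-- 1 root root 1303 26 févr.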
17:21 /root/strongSwan-v6.sh root@machin:~/strongswan-6.0.1 # /root/strongSwan-v6.sh restart /root/strongSwan-v6.sh Stop /root/strongSwan-v6.sh Starting root@machin:~/strongswan-6.0.1 swanctl --version strongSwan swanctl 6.0.1 root@machin:/etc/swanctl # swanctl --list-algs encryption: AES_CBC[openssl] AES_CTR[openssl] AES_ECB[openssl] AES_CFB[openssl] CAMELLIA_CBC[openssl] CAMELLIA_CTR[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] 3DES_CBC[openssl] DES_CBC[openssl] DES_ECB[openssl] NULL[openssl] integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl] HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc] AES_XCBC_96[xcbc] AES_CMAC_96[cmac] aead: AES_GCM_16[openssl] AES_GCM_12[openssl] AES_GCM_8[openssl] AES_CCM_16[openssl] AES_CCM_12[openssl] AES_CCM_8[openssl] CHACHA20_POLY1305[openssl] hasher: HASH_SHA1[openssl] HASH_MD5[openssl] HASH_MD4[openssl] HASH_SHA2_224[openssl] HASH_SHA2_256[openssl] HASH_SHA2_384[openssl] HASH_SHA2_512[openssl] HASH_SHA3_224[openssl] HASH_SHA3_256[openssl] HASH_SHA3_384[openssl] HASH_SHA3_512[openssl] HASH_IDENTITY[openssl] prf: PRF_KEYED_SHA1[openssl] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl] PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_AES128_XCBC[xcbc] PRF_CAMELLIA128_XCBC[xcbc] PRF_AES128_CMAC[cmac] xof: XOF_SHAKE128[openssl] XOF_SHAKE256[openssl] kdf: KDF_PRF[kdf] KDF_PRF_PLUS[kdf] drbg: DRBG_CTR_AES128[drbg] DRBG_CTR_AES192[drbg] DRBG_CTR_AES256[drbg] DRBG_HMAC_SHA1[drbg] DRBG_HMAC_SHA256[drbg] DRBG_HMAC_SHA384[drbg] DRBG_HMAC_SHA512[drbg] ke: MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl] 
ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl] ECP_224_BP[openssl] CURVE_25519[openssl] CURVE_448[openssl] ML_KEM_512[ml] ML_KEM_768[ml] ML_KEM_1024[ml] rng: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random] nonce-gen: NONCE_GEN[nonce] root@machin:/etc/swanctl # swanctl --load-conns loaded connection 'ca-fr' loaded connection 'ca-uk' loaded connection 'ca-de' loaded connection 'ikev2-pubkey' loaded connection 'ikev2-eap' loaded connection 'ikev2-eap-mschapv2' loaded connection 'ikev2-eap-tls-symmetric' loaded connection 'ikev2-eap-tls-asymmetric' successfully loaded 8 connections, 0 unloaded root@machin:/etc/swanctl # swanctl --load-all loaded certificate from '/etc/swanctl/x509/srv.fr.lab3w.com-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/x509/gate.fr.lab3w.com-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/x509/srv.ca.lab3w.com-Cert-rsa_3072-sign_ca-rsa_3072.pem' loaded certificate from '/etc/swanctl/x509/vps.de.ipv10.net-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/x509/orj-Cert-rsa_3072-sign_ca-rsa_3072.pem' loaded certificate from '/etc/swanctl/x509/vps.uk.ipv10.net-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/x509/srv.ca.lab3w.com-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/x509ca/LAB3W_ZW3B-caCert-rsa_3072.der' loaded certificate from '/etc/swanctl/x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/pubkey/gate.fr.lab3w.com-PubKey-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/pubkey/vps.de.ipv10.net-PubKey-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/pubkey/srv.ca.lab3w.com-PubKey-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' 
loaded certificate from '/etc/swanctl/pubkey/vps.uk.ipv10.net-PubKey-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem' loaded certificate from '/etc/swanctl/pubkey/srv.ca.lab3w.com-Pub-ed448.pem' loaded ED448 key from '/etc/swanctl/private/gate.fr.lab3w.com-Key-ed448.pem' loaded RSA key from '/etc/swanctl/private/orj-Key-rsa_3072.pem' loaded ED448 key from '/etc/swanctl/private/srv.ca.lab3w.com-Key-ed448.pem' loaded ED448 key from '/etc/swanctl/private/vps.uk.ipv10.net-Key-ed448.pem' loaded ED448 key from '/etc/swanctl/private/vps.de.ipv10.net-Key-ed448.pem' loaded RSA key from '/etc/swanctl/private/LAB3W_ZW3B-caKey-rsa_3072.pem' loaded ED448 key from '/etc/swanctl/private/srv.fr.lab3w.com-Key-ed448.pem' loaded RSA key from '/etc/swanctl/private/srv.ca.lab3w.com-Key-rsa_3072.pem' loaded ike secret 'ike-0' loaded eap secret 'eap-0' loaded eap secret 'eap-1' loaded authority 'ZW3BCyberRootCA_rsa_3072' successfully loaded 1 authorities, 0 unloaded loaded pool 'rw_pool' loaded pool 'rw_pool-v6' loaded pool 'v6-lab3w_2home' loaded pool 'v6_vps-uk' loaded pool 'v6_vps-de' successfully loaded 5 pools, 0 unloaded loaded connection 'ca-fr' loaded connection 'ca-uk' loaded connection 'ca-de' loaded connection 'ikev2-pubkey' loaded connection 'ikev2-eap' loaded connection 'ikev2-eap-mschapv2' loaded connection 'ikev2-eap-tls-symmetric' loaded connection 'ikev2-eap-tls-asymmetric' successfully loaded 8 connections, 0 unloaded # ------------------------------------------------------------------ # Example PKI Command / OpenSSL : # ------------------------------------------------ # Creating keys for the client "vps.de.ipv10.net" root@machin:/etc/swanctl # pki --gen --type ed448 --outform pem > private/vps.de.ipv10.net-Key-ed448.pem # --------- # Creation of the request to be signed root@machin:/etc/swanctl # pki --req --type priv --in private/vps.de.ipv10.net-Key-ed448.pem --dn "C=FR, O=LAB3W, CN=vps.de.ipv10.net" --san vps.de.lab3w.com --san vps.de.zw3b.net --outform pem > 
tmp/vps.de.ipv10.net-Req-XXX.pem
# ---------
# Creating client certificates
# Note: every certificate issued by one CA needs its own unique --serial (the "orj"
# certificate below is issued with --serial 01 as well); a reused serial breaks
# CRL-based revocation. Note also that the CA key used here lives in
# /etc/swanctl/private, so "swanctl --load-all" above loads it into charon on the
# gateway; a signing key is best kept off the VPN host.
root@machin:/etc/swanctl # pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem --type pkcs10 --in tmp/vps.de.ipv10.net-Req-XXX.pem --serial 01 --lifetime 1826 --outform pem > x509/vps.de.ipv10.net-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem
# ---------
# create pubkey -- from the certificate
root@machin:/etc/swanctl # openssl x509 -in x509/vps.de.ipv10.net-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem -noout -pubkey -out pubkey/vps.de.ipv10.net-PubKey-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem
# create pubkey -- from the private key
root@machin:/etc/swanctl # pki --pub --in private/vps.de.ipv10.net-Key-ed448.pem --type priv --outform pem > pubkey/vps.de.ipv10.net-PubKey-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem
# -----------------------------------------------------
# Client 1 (windows) - OK in Android 12
# ---
root@machin:/etc/swanctl # pki --gen --type rsa --size 3072 --outform pem > private/orj-Key-rsa_3072.pem
root@machin:/etc/swanctl # pki --req --type priv --in private/orj-Key-rsa_3072.pem \
  --dn "C=FR, O=LAB3W, CN=orj@lab3w.fr" \
  --san orj@lab3w.fr --san orj@lab3w.com --outform pem > tmp/orj-Req.pem
root@machin:/etc/swanctl # pki --issue --cacert x509ca/LAB3W_ZW3B-caCert-rsa_3072.pem --cakey private/LAB3W_ZW3B-caKey-rsa_3072.pem \
  --type pkcs10 --in tmp/orj-Req.pem --serial 01 --lifetime 1826 \
  --outform pem > x509/orj-Cert-rsa_3072-sign_ca-rsa_3072.pem
root@machin:/etc/swanctl # openssl pkcs12 -export -inkey private/orj-Key-rsa3072.pem \
  -in x509/orjCert-rsa_3072-sign_ca-rsa_3072.pem -name "O.Romain.Jaillet-ramey" \
  -certfile x509ca/caCert-rsa_3072.pem -caname "ZW3B Cyber Root CA" \
  -out pkcs12/orj-Cert-rsa_3072-sign_ca-rsa_3072.p12
# -----------------------------------------------------
# Read certificate
root@machin:/etc/swanctl # openssl x509 --text --in
x509/vps.de.ipv10.net-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = FR, O = LAB3W, CN = ZW3B Cyber Root CA : rsa_3072 Validity Not Before: Mar 5 20:40:17 2025 GMT Not After : Mar 5 20:40:17 2030 GMT Subject: C = FR, O = LAB3W, CN = vps.de.ipv10.net Subject Public Key Info: Public Key Algorithm: ED448 ED448 Public-Key: pub: a4:28:97:d3:f6:b1:81:ca:0b:6e:4e:60:86:64:9e: 50:d5:40:95:b1:e6:f9:e0:a4:fe:db:be:80:4c:fb: 45:80:72:15:2f:40:ca:be:0c:0a:5d:17:af:d5:41: a0:e7:60:35:12:fb:66:30:d3:53:f6:80 X509v3 extensions: X509v3 Authority Key Identifier: keyid:95:66:E0:E9:97:2D:7B:CB:EE:3D:7B:E3:95:5F:10:19:BC:6E:71:D5 X509v3 Subject Alternative Name: DNS:vps.de.lab3w.com, DNS:vps.de.zw3b.net Signature Algorithm: sha256WithRSAEncryption d1:8a:3e:48:b6:e1:0c:b5:01:1d:c3:ee:ba:84:ce:96:43:da: 55:2d:9b:57:eb:c6:37:f1:78:f0:86:11:e3:a0:39:63:0c:78: e0:10:e2:e9:69:d0:42:bf:f9:e3:5c:8f:3e:02:2b:89:a8:dc: 8c:ce:55:b5:9f:10:2c:17:b2:21:a0:46:61:67:33:b5:15:aa: bb:fb:03:fe:09:8f:d7:18:7c:61:33:07:7f:01:5c:62:c0:d7: c0:a8:2d:cb:bf:0f:69:bf:e6:72:5f:cc:94:99:a8:a1:a7:48: 36:be:21:69:06:5b:24:33:9d:43:af:36:c4:a9:15:4c:a6:c3: 85:de:e4:ce:35:87:47:90:e1:72:70:74:55:c9:da:75:3d:6b: db:48:3c:b9:43:9d:dd:43:3f:1a:5f:46:b1:26:fa:2f:1c:09: 1b:9e:eb:c6:2a:90:c0:6d:9c:f5:3b:9f:34:7c:fb:ca:23:4a: b4:e3:cd:45:85:cd:58:63:9a:4c:e7:77:b9:b5:d8:a4:74:29: a4:d5:75:df:96:c3:71:50:fc:8d:bf:9c:6e:af:ff:e4:88:73: 7e:7e:bd:7c:fa:80:07:6c:da:73:dc:bc:15:3f:33:f2:5b:6a: 3c:d0:0d:2d:16:8a:c7:df:66:39:bb:ce:ec:bf:52:28:76:4e: fc:13:ab:e0:af:3a:6d:51:ea:6b:22:b0:53:f4:51:8b:b2:b3: 78:9e:3d:91:d1:47:f2:2b:02:2d:a5:16:1a:e5:84:65:44:a5: f4:0c:c4:78:58:bc:60:c5:76:da:a2:5d:d1:73:03:d8:23:8d: 6a:59:bc:a6:8b:3a:5c:e9:0e:6c:0c:3b:17:6a:38:87:b3:f0: 0c:10:b5:eb:df:10:db:44:d9:8a:4e:12:55:a9:f3:4e:61:55: 57:55:8e:3e:35:92:f4:59:37:a8:39:00:e5:c9:fe:7f:c2:00: 
d3:78:48:aa:5b:c1:15:23:39:f6:51:24:28:f5:dc:0b:61:16: cf:ad:8a:36:23:0f -----BEGIN CERTIFICATE----- MIIC6DCCAVCgAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJGUjEO MAwGA1UEChMFTEFCM1cxJjAkBgNVBAMMHVpXM0IgQ3liZXIgUm9vdCBDQSA6IHJz YV8zMDcyMB4XDTI1MDMwNTIwNDAxN1oXDTMwMDMwNTIwNDAxN1owODELMAkGA1UE BhMCRlIxDjAMBgNVBAoTBUxBQjNXMRkwFwYDVQQDExB2cHMuZGUuaXB2MTAubmV0 MEMwBQYDK2VxAzoApCiX0/axgcoLbk5ghmSeUNVAlbHm+eCk/tu+gEz7RYByFS9A yr4MCl0Xr9VBoOdgNRL7ZjDTU/aAo1EwTzAfBgNVHSMEGDAWgBSVZuDply17y+49 e+OVXxAZvG5x1TAsBgNVHREEJTAjghB2cHMuZGUubGFiM3cuY29tgg92cHMuZGUu enczYi5uZXQwDQYJKoZIhvcNAQELBQADggGBANGKPki24Qy1AR3D7rqEzpZD2lUt m1frxjfxePCGEeOgOWMMeOAQ4ulp0EK/+eNcjz4CK4mo3IzOVbWfECwXsiGgRmFn M7UVqrv7A/4Jj9cYfGEzB38BXGLAADCoLcu/D2m/5nJfzJSZqKGnSDa+IWkGWyQz nUOvNsSpFUymw4Xe5M41h0eQ4XJwdFXJ2nU9a9tIPLlDnd1DPxpfRrEm+i8cCRue 68YqkMBtnPU7nzR8+8ojSrTjzUWFzVhjmkznd7m12KR0KaTVdd+Ww3FQ/I2/nG6v /+SIc35+vXz6gAds2nPcvBU/M/JbajzQDS0WisffZjm7zuy/Uih2TvwTq+CvOm1R 6msisFP0UYuys3iePZHRR/IrAi2lFhrlhGVEpfQMxHhYvGDFdtqiXdFzA9gjjWpZ vKaLOlzpDmwMOxdqOIez8AwQtevfENtE2YpOElWp805hVVdVjj41kvRZN6g5AOXJ /n/CANN4SKpbwRUjOfZRJCj13AthFs+tijYjDw== -----END CERTIFICATE----- root@machin:/etc/swanctl # pki --print --type x509 --in x509/vps.de.ipv10.net-Cert-ed448-signed-by-LAB3W_ZW3B-caCert-rsa_3072.pem subject: "C=FR, O=LAB3W, CN=vps.de.ipv10.net" issuer: "C=FR, O=LAB3W, CN=ZW3B Cyber Root CA : rsa_3072" validity: not before Mar 05 21:40:17 2025, ok not after Mar 05 21:40:17 2030, ok (expires in 1813 days) serial: 01 altNames: vps.de.lab3w.com, vps.de.zw3b.net flags: authkeyId: 95:66:e0:e9:97:2d:7b:cb:ee:3d:7b:e3:95:5f:10:19:bc:6e:71:d5 subjkeyId: 68:74:88:06:9c:cb:b0:07:8f:0e:d7:bf:b3:af:61:ef:91:59:e7:58 pubkey: ED448 456 bits keyid: 7e:9c:cf:d3:0c:6c:e9:70:04:77:f2:e0:8b:e9:be:54:75:cd:42:20 subjkey: 68:74:88:06:9c:cb:b0:07:8f:0e:d7:bf:b3:af:61:ef:91:59:e7:58 # -------------------------------- # Others example # create pubkey openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.pem -noout -pubkey -out 
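pubkey/vps_uk-PubKey-ed25519.pem
# create PEM to DER (binary)
openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.pem -out x509/vps_uk-Cert-ed25519-sign_ca-ed25519.der -outform DER
# view
openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.der -noout -text -inform der
openssl x509 -in x509/vps_uk-Cert-ed25519-sign_ca-ed25519.pem -noout -text -inform pem

# --------------------------------
# NETFILTER FIREWALL IPV4 (iptables)
# CF : https://howto.zw3b.fr/linux/reseaux/configurer-un-poste-linux-pour-naviguer-sur-internet
NET_IF=ens3

#######################################
# Accept the VPN's IPsec traffic on the public interface.
# IKE uses UDP 500 and UDP 4500 (NAT-T).  The protected payload travels as
# IP protocol 50 (ESP) / 51 (AH) -- protocol numbers, not TCP ports: the
# former "TCP 50 51" loop opened two unrelated TCP ports and never matched
# ESP or AH, so both protocols are now accepted directly in each direction.
# Globals:  NET_IF (read)
# Outputs:  one status line on stdout
#######################################
vpn_ipsec() {
  local -a ike_udp_ports=(500 4500)
  local -a ipsec_protocols=(esp ah)
  local port proto
  for port in "${ike_udp_ports[@]}"; do
    iptables -A INPUT  -i "$NET_IF" -p udp --dport "$port" -j ACCEPT
    iptables -A OUTPUT -o "$NET_IF" -p udp --sport "$port" -j ACCEPT
  done
  for proto in "${ipsec_protocols[@]}"; do
    iptables -A INPUT  -i "$NET_IF" -p "$proto" -j ACCEPT
    iptables -A OUTPUT -o "$NET_IF" -p "$proto" -j ACCEPT
  done
  echo " + VPN IPSEC : [OK]"
}

# --------------------------------
# NETFILTER FIREWALL IPV4 LOCAL CLOSE (iptables)
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"

#######################################
# Drop packets that arrive on the public interface with a source address that
# can never legitimately come from the Internet (private, multicast, reserved,
# loopback).  192.168.0.0/16 is deliberately not dropped (rule kept commented
# out, as in the original).
# Globals:  NET_IF, LOOPBACK, CLASS_A, CLASS_B, CLASS_D_MULTICAST,
#           CLASS_E_RESERVED_NET (read)
# Outputs:  one status line on stdout
# NOTE(review): there is no IPv6 counterpart; the fc00::/7 and fec0::/10
# accept rules in the ip6tables functions below are not bound to an
# interface, so an equivalent ip6tables -i "$NET_IF" drop list is worth adding.
#######################################
spoofing() {
  local net
  for net in "$CLASS_A" "$CLASS_B" "$CLASS_D_MULTICAST" "$CLASS_E_RESERVED_NET" "$LOOPBACK"; do
    iptables -A INPUT -i "$NET_IF" -s "$net" -j DROP
  done
  # iptables -A INPUT -i "$NET_IF" -s "$CLASS_C" -j DROP
  echo " + Spoofing Attack : [OK]"
}

# --------------------------------
# NETFILTER FIREWALL IPV6 (ip6tables)
# CF : https://howto.zw3b.fr/linux/securite/comment-faire-un-reseau-ipv6-firewall-icmpv6
NET_IF=ens3

#######################################
# ip6tables twin of the IPv4 vpn_ipsec above (same ports, same protocols).
# NOTE(review): it carries the same function name; if the IPv4 and IPv6
# sections are ever sourced into one script the second definition silently
# replaces the first.
# Globals:  NET_IF (read)
# Outputs:  one status line on stdout
#######################################
vpn_ipsec() {
  local -a ike_udp_ports=(500 4500)
  local -a ipsec_protocols=(esp ah)
  local port proto
  for port in "${ike_udp_ports[@]}"; do
    ip6tables -A INPUT  -i "$NET_IF" -p udp --dport "$port" -j ACCEPT
    ip6tables -A OUTPUT -o "$NET_IF" -p udp --sport "$port" -j ACCEPT
  done
  for proto in "${ipsec_protocols[@]}"; do
    ip6tables -A INPUT  -i "$NET_IF" -p "$proto" -j ACCEPT
    ip6tables -A OUTPUT -o "$NET_IF" -p "$proto" -j ACCEPT
  done
  echo " + VPN IPSEC : [OK]"
}

# --------------------------------
# NETFILTER FIREWALL IPV6 LOCAL/LINK/MULTICAST/SLAN OPEN (ip6tables)
#####
# Rules for the IPv6 address scopes.  Each function accepts a prefix inbound,
# forwarded within itself and outbound.  (The original appended the FORWARD
# rule twice with its -s/-d arguments swapped; the duplicate is dropped here,
# one copy matches exactly the same packets.)
#####

#######################################
# Allow link-local unicast (fe80::/10).
# Outputs: progress lines on stdout
#######################################
ipv6_link_local() {
  echo " |"
  echo " + IPv6 - Addrs Link-Local Unicast -----------------------"
  # network range : fe80:0000:0000:0000:0000:0000:0000:0000-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  # http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
  echo " |\\"
  ip6tables -A INPUT   -s fe80::/10 -j ACCEPT
  ip6tables -A FORWARD -s fe80::/10 -d fe80::/10 -j ACCEPT
  ip6tables -A OUTPUT  -d fe80::/10 -j ACCEPT
  echo " | +--> fe80::/10 : ACCEPT"
  echo " | |"
  echo " | + IPv6 - Addrs Link-Local : [OK]"
}

#######################################
# Allow multicast (ff00::/8) as a destination.
# Outputs: progress lines on stdout
#######################################
ipv6_multicast() {
  echo " |"
  echo " + IPv6 - Addrs Multicast -----------------------"
  # network range : ff00:0000:0000:0000:0000:0000:0000:0000-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  # http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
  echo " |\\"
  ip6tables -A INPUT   -d ff00::/8 -j ACCEPT
  ip6tables -A FORWARD -s ff00::/8 -d ff00::/8 -j ACCEPT
  ip6tables -A OUTPUT  -d ff00::/8 -j ACCEPT
  echo " | +--> ff00::/8 : ACCEPT"
  echo " | |"
  echo " | + IPv6 - Addrs Multicast : [OK]"
}

#######################################
# Allow unique local addresses (ULA, fc00::/7).
# NOTE(review): accepted on any interface -- see the spoofing() note above.
# Outputs: progress lines on stdout
#######################################
ipv6_ula() {
  echo " |"
  echo " + IPv6 - Addrs Unique Locale Area -----------------------"
  # network range : fc00:0000:0000:0000:0000:0000:0000:0000-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  # http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
  echo " |\\"
  ip6tables -A INPUT   -s fc00::/7 -j ACCEPT
  ip6tables -A FORWARD -s fc00::/7 -d fc00::/7 -j ACCEPT
  ip6tables -A OUTPUT  -d fc00::/7 -j ACCEPT
  echo " | +--> fc00::/7 : ACCEPT"
  echo " | |"
  echo " | + IPv6 - Addrs Unique Locale Area : [OK]"
}

#####
# Rules for the secured IPv6 addresses (VPN/strongSwan)
#####
#######################################
# Allow the site-local range fec0::/10 used for the VPN clients, and
# forwarding between it and the ULA range.
# NOTE(review): fec0::/10 is the deprecated site-local scope (RFC 3879);
# like fc00::/7 it is accepted here on any interface, so a packet carrying
# such a source address on the public interface is not rejected by these
# rules alone.
# Outputs: progress lines on stdout
#######################################
ipv6_strongswan() {
  # Default ------------------
  echo " |"
  echo " + IPv6 - Addrs Site-Local Secure Area Network -------------------------"
  # network range : fec0:0000:0000:0000:0000:0000:0000:0000-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  # http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
  echo " |\\"
  ip6tables -A INPUT   -s fec0::/10 -j ACCEPT
  ip6tables -A FORWARD -s fec0::/10 -d fec0::/10 -j ACCEPT
  ip6tables -A OUTPUT  -d fec0::/10 -j ACCEPT
  echo " | +--> fec0::/10 : ACCEPT"
  echo " | |"
  echo " | + IPv6 - Addrs Secure Area Network : [OK]"
  # Add ------------------
  echo " |"
  # Allow forwarding SLAN (fec0::/10) <> ULA (fc00::/7)
  # network range : fc00:0000:0000:0000:0000:0000:0000:0000-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  # http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
  echo " + IPv6 - Forwarding Addrs SWAN 2 ULA Networks -------------------------"
  echo " |\\"
  ip6tables -A FORWARD -s fec0::/10 -d fc00::/7 -j ACCEPT
  ip6tables -A FORWARD -d fec0::/10 -s fc00::/7 -j ACCEPT
  echo " | +--> fec0::/10 <←> fc00::/7 : ACCEPT"
  echo " | |"
  echo " | + IPv6 - Forwarding Addrs SWAN 2 ULA Networks : [OK]"
  echo " |"
}

# -----------------------------------------------------------------------------------------------------
# CF : https://howto.zw3b.fr/linux/securite/comment-faire-un-reseau-ipv6-firewall-icmpv6
NET_IF=ens3

#######################################
# Accept replies to connections this machine initiated.
# Globals:  NET_IF (read)
# Outputs:  one status line on stdout
#######################################
generique() {
  # Allow anything out on the Internet
  ip6tables -A OUTPUT -o "$NET_IF" -j ACCEPT
  # Allow established and related packets back in
  ip6tables -A INPUT -i "$NET_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  echo " + GENERIQUE : [OK]"
}

####
# Stephane Bortzmeyer's rule: DROP echo requests above 1/s per IPv6 /128
# source - https://www.bortzmeyer.org/
# Call it AFTER icmpv6_huc has hooked the aICMPs chain, so that this -I ends
# up above that hook.
####
icmpv6_limit() {
  ip6tables -I INPUT -p icmpv6 --icmpv6-type 128/0 \
    -m hashlimit --hashlimit-name ICMP --hashlimit-above 1/second --hashlimit-burst 1 \
    --hashlimit-mode srcip --hashlimit-srcmask 128 -j DROP
  echo " + ICMPV6 - LIMIT 1/second DROP : [OK]"
}

#####
# The script by Stephane Huc (ICMPv6 packet types) - https://stephane-huc.net/
#####
#######################################
# Build the aICMPs chain and hook it into INPUT, FORWARD and OUTPUT.
# Types IPv6 needs to work (errors, ND, MLD, SEND) are accepted with the
# hop-limit / source constraints their RFCs impose; redirect, renumbering,
# node-information, mobility and experimental types are dropped.
# Fixes vs. the original: the 3/0 rule was issued through a mistyped
# "ip6tablesE" binary and never installed; the echo-reply rule matched 128/0
# a second time instead of 129/0.  Two status lines had a mis-encoded
# character ("ROUT€") which is restored to "ROUTER".
# Outputs:  progress lines on stdout
# NOTE(review): "ip6tables -N aICMPs" fails and the rules are appended to the
# existing chain if this runs twice on a live system; flush the chain first.
#######################################
icmpv6_huc() {
  local t
  # Dedicated chain because the same table is needed in every built-in chain
  ip6tables -N aICMPs

  # Destination unreachable -- must not be dropped
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
  # Packet too big -- must not be dropped (path MTU discovery)
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 2/0 -j ACCEPT
  # Time exceeded
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 3/0 -j ACCEPT
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 3/1 -j ACCEPT
  # Parameter problem
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 4/0 -j ACCEPT  # erroneous header field
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 4/1 -j ACCEPT  # unrecognized Next Header type
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 4/2 -j ACCEPT  # unrecognized IPv6 option
  # Echo request: the rate-limited variant stays commented out, icmpv6_limit
  # does the flood protection in INPUT instead
  # ip6tables -A aICMPs -p icmpv6 --icmpv6-type 128/0 -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
  # Echo reply (rate-limited variant kept commented out)
  # ip6tables -A aICMPs -p icmpv6 --icmpv6-type 129/0 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 129/0 -j ACCEPT
  echo " + ICMPV6 - DEFAULT : [OK]"

  # MLD listener messages: link-local source, hop limit 1
  for t in 130/0 131/0 132/0; do
    ip6tables -A aICMPs -p icmpv6 --icmpv6-type "$t" -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
  done
  echo " + ICMPV6 - LINK-LOCAL : [OK]"

  # Address configuration and router selection (received with hop limit 255)
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 133/0 -m hl --hl-eq 255 -j ACCEPT               # Router Solicitation
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 134/0 -s fe80::/64 -m hl --hl-eq 255 -j ACCEPT  # Router Advertisement
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 135/0 -m hl --hl-eq 255 -j ACCEPT               # Neighbor Solicitation
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 136/0 -m hl --hl-eq 255 -j ACCEPT               # Neighbor Advertisement
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 137/0 -j DROP                                   # Redirect
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 138/0 -j DROP                                   # Router Renumbering
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 139/0 -j DROP                                   # Node Information Query
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 140/0 -j DROP                                   # Node Information Response
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 141/0 -d ff02::1 -m hl --hl-eq 255 -j ACCEPT    # Inverse ND Solicitation
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 142/0 -m hl --hl-eq 255 -j ACCEPT               # Inverse ND Advertisement
  echo " + ICMPV6 - ADD CONF & ROUTER SELECTION : [OK]"

  # MLDv2 report: link-local source, hop limit 1
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 143 -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
  # Mobility messages (144-147): dropped, not used here
  for t in 144/0 145/0 146/0 147; do
    ip6tables -A aICMPs -p icmpv6 --icmpv6-type "$t" -j DROP
  done
  # SEND certification path messages (received with hop limit 255)
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT  # Certification Path Solicitation
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT  # Certification Path Advertisement
  # Multicast router discovery: link-local source, hop limit 1
  for t in 151 152 153; do
    ip6tables -A aICMPs -p icmpv6 --icmpv6-type "$t" -s fe80::/64 -m conntrack --ctstate NEW -m hl --hl-eq 1 -j ACCEPT
  done
  echo " + ICMPV6 - MULTICAST ROUTER DISCOVERY : [OK]"

  # Private experimentation (200, 201) and the reserved expansion type (255).
  # Type 200 reads as commented out in the source and is left so; enable it
  # next to 201 if that was not intended.
  # ip6tables -A aICMPs -p icmpv6 --icmpv6-type 200 -j DROP
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 201 -j DROP
  ip6tables -A aICMPs -p icmpv6 --icmpv6-type 255 -j DROP
  echo " + ICMPV6 - EXPERIMENTATION : [OK]"

  # Only the router is allowed to ping us (read the FAQ, this is a requirement)
  # ip6tables -A INPUT -p icmpv6 -m limit --limit 5/s --limit-burst 4 -j aICMPs
  # ip6tables -A OUTPUT -m state ! --state INVALID -j aICMPs
  # Hook the chain at the top of the three built-in chains
  ip6tables -I INPUT   -p icmpv6 -j aICMPs
  ip6tables -I FORWARD -p icmpv6 -j aICMPs
  ip6tables -I OUTPUT  -p icmpv6 -j aICMPs
  echo " + ICMPV6 - INLIMIT + OUTPUT : [OK]"
}

Example : https://howto.zw3b.fr/linux/securite/comment-faire-un-reseau-ipv6-firewall-icmpv6
Todo : https://www.zw3b.fr/pub/vpn/strongSwan-v6.0/iptables_blacklist.txt
# ----------------
# To allow this IPv4 network "172.16.8.0/24" to browse the Internet with the public address.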
# iptables -A FORWARD -i ens3 -o ens3 -s 172.16.8.0/24 -j ACCEPT
# iptables -A FORWARD -o ens3 -i ens3 -d 172.16.8.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.8.0/24 ! -d 10.0.0.0/8 -j MASQUERADE
# To allow this IPv6 network "fec0::eeee:1ab3:00ca:d000/120" to browse the Internet with the public address.
# ip6tables -t nat -A POSTROUTING -o ens3 -s fec0::eeee:1ab3:00ca:d000/120 ! -d fc00::/7 -j MASQUERADE
#------------------
# Outside StrongSwan :
# To deprecate the IPv6 GUA so that outgoing requests (from the machine) use ULAs
# if the container gateway is a ULA address
# ip -6 addr add 2001:db8::1:0:faac:10/128 dev eth0
# ip -6 addr add fc00::1:0:faac:10/128 dev eth0
# ip -6 addr change 2001:db8::1:0:faac:10/128 dev eth0 preferred_lft 0
# -----------------
# To allow this ULA network "fc01::10:106:42:0" to browse the Internet with the GUA address 2001:db8::1:0:0:1 (while being hidden - like in IPv4 10.106.42.0)
# Using the GUA IPv6 address of this machine (under router)
# ip -6 addr add 2001:db8::1:0:0:1/128 dev lanbr0
# ip6tables -t nat -A POSTROUTING -o lanbr0 -s fc01::10:106:42:0/112 ! -d fc00::/7 -j MASQUERADE
# To allow this ULA network "fc01::192:168:0:0" to browse the Internet with the GUA address 2001:db8::2:0:0:1 (while being hidden - like in IPv4 192.168.0.0)
# Using the GUA IPv6 address of this machine (under router)
# ip -6 addr add 2001:db8::2:0:0:1/128 dev lanbr0
# ip6tables -t nat -A POSTROUTING -o lanbr0 -s fc01::192:168:0:0/112 ! -d fc00::/7 -j MASQUERADE
# Don't forget to add the neighbours' GUA addresses as proxy addresses on the main router.
# ip -6 addr add 2001:db8::0:0:0:1/64 dev netbr0
# ip -6 neigh add proxy 2001:db8::1:0:0:1 dev netbr0
# ip -6 neigh add proxy 2001:db8::2:0:0:1 dev netbr0
# radvd to your desired configuration ;)
# for GUA or ULA addresses or EUI-64 addresses in 0:0, EUI-64 on ULA addresses only, especially for pity's sake. Thanks, see you soon.
# ----------------- Date : 20250318 O.Romain.Jaillet-ramey aKa LAB3W.ORJ Founder ZW3B.FR | TV | EU | NET | COM | BLOG and more..