<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:v =
"urn:schemas-microsoft-com:vml" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2523" name=GENERATOR>
<STYLE>@font-face {
        font-family: Comic Sans MS;
}
@page Section1 {size: 595.3pt 841.9pt; margin: 70.85pt 2.0cm 2.0cm 2.0cm; }
P.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
        FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline
}
P {
        FONT-SIZE: 12pt; MARGIN-LEFT: 0cm; MARGIN-RIGHT: 0cm; FONT-FAMILY: "Times New Roman"; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
SPAN.StileMessaggioDiPostaElettronica18 {
        COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal
}
SPAN.StileMessaggioDiPostaElettronica19 {
        COLOR: navy; FONT-FAMILY: Arial; mso-style-type: personal-reply
}
DIV.Section1 {
        page: Section1
}
</STYLE>
</HEAD>
<BODY lang=IT vLink=purple link=blue>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=279431509-26102004>Meant this to get on the archive as
well...</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=279431509-26102004>Doh.</SPAN></FONT></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Daniel Bartlett <BR><B>Sent:</B> 26
October 2004 10:06<BR><B>To:</B> 'Giovanni'<BR><B>Subject:</B> RE: [Openswan
Users] OpensWan and Iptables<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=850110309-26102004><FONT face=Arial
color=#0000ff size=2>Hi </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=850110309-26102004><FONT face=Arial
color=#0000ff size=2>This should give you an idea:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN
class=850110309-26102004><!--StartFragment --> [ #Allow IKE ]<BR><BR>#
Allow ESP Traffic from/to Gateway<BR>iptables -A INPUT -i $EXTERNAL_INTERFACE -p
esp -j ACCEPT<BR>iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j
ACCEPT<BR><BR># Tag Incoming IPSec Traffic. 'mark' sticks after
processing.<BR>iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j
MARK --set-mark 1<BR><BR># Forward Authenticated Traffic to LAN.<BR>iptables -A
FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT
</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=850110309-26102004><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN
class=850110309-26102004><!--StartFragment --></SPAN><SPAN
class=850110309-26102004><FONT face=Arial color=#0000ff size=2><FONT
face="Times New Roman" color=#000000 size=3># Allow established connections to
communicate back.</FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=850110309-26102004>iptables -A FORWARD -i
$LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED
-j ACCEPT<BR>iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m
state --state ESTABLISHED,RELATED -j ACCEPT</SPAN></DIV>
<DIV><SPAN class=850110309-26102004><FONT face=Arial color=#0000ff size=2><SPAN
class=850110309-26102004><FONT face=Arial color=#0000ff size=2><FONT
face="Times New Roman" color=#000000
size=3></FONT></FONT></SPAN></FONT></SPAN> </DIV>
<DIV><SPAN class=850110309-26102004><FONT face=Arial color=#0000ff size=2><SPAN
class=850110309-26102004><FONT face=Arial color=#0000ff size=2><FONT
face="Times New Roman" color=#000000 size=3># SRC nat everything apart from esp
traffic.</FONT></FONT></SPAN></FONT></SPAN></DIV>
<DIV><SPAN class=850110309-26102004><!--StartFragment -->iptables -t nat -A
POSTROUTING -o $EXTERNAL_INTERFACE -p ! esp -j SNAT --to-source $EXTERNAL_IPADDR
</DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><SPAN class=850110309-26102004><FONT face=Arial color=#0000ff size=2>I hope
this helps.</FONT></SPAN></DIV>
<DIV><SPAN class=850110309-26102004><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=850110309-26102004><FONT face=Arial color=#0000ff
size=2>Cheers,</FONT></SPAN></DIV>
<DIV><SPAN class=850110309-26102004><FONT face=Arial color=#0000ff
size=2>Daniel.</FONT></SPAN></DIV>
<DIV><SPAN class=850110309-26102004><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV><BR>
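<DIV dir=ltr align=left>The rule set Daniel sketches above, written out as an added example (not Daniel's script and not part of Openswan) so it can be printed and checked before it is applied. It assumes the 2.6 native IPsec stack, which has no ipsec0 device, and takes the interface names, the NAT address, the LAN prefix and the remote VPN prefix as parameters; the names used in the demo call are placeholders. Beyond the thread it adds UDP/4500 for NAT traversal next to IKE on UDP/500, and it exempts plaintext bound for the remote VPN prefix from source NAT, because with the native stack that plaintext passes POSTROUTING before it is encrypted. The "! -p esp" spelling is the later form of the "-p ! esp" in Daniel's rule.</DIV>

```shell
#!/bin/sh
# Added example for this thread (not Daniel's script and not part of Openswan):
# the rule set Daniel sketches, as a function with the interface names,
# addresses and the remote VPN subnet as parameters. IPT defaults to
# "echo iptables" so the rules are only printed; run as root with IPT=iptables
# to apply them. All names and prefixes used in the demo call are placeholders.
IPT="${IPT:-echo iptables}"

# ipsec_fw_rules EXT_IF LAN_IF EXT_IP LAN_NET VPN_NET
#   EXT_IF  interface facing the Internet
#   LAN_IF  interface facing the protected LAN
#   EXT_IP  address used as the source-NAT address
#   LAN_NET LAN prefix that VPN peers may reach
#   VPN_NET prefix of the remote VPN side (road-warrior pool or remote subnet)
ipsec_fw_rules() {
    ext_if=$1; lan_if=$2; ext_ip=$3; lan_net=$4; vpn_net=$5

    # Default deny on the chains the VPN traffic crosses.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # IKE on UDP/500 and NAT-T on UDP/4500, so the tunnel can be negotiated.
    $IPT -A INPUT  -i "$ext_if" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A OUTPUT -o "$ext_if" -p udp -m multiport --sports 500,4500 -j ACCEPT

    # ESP to and from the gateway itself.
    $IPT -A INPUT  -i "$ext_if" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$ext_if" -p esp -j ACCEPT

    # The 2.6 native IPsec stack has no ipsec0 device: after decryption the
    # inner packet re-enters PREROUTING and FORWARD on EXT_IF like any other
    # packet. Mark the ESP packet first; the mark is kept on the decrypted
    # packet, so the FORWARD rule only accepts what arrived inside the tunnel.
    # Plaintext from the Internet addressed to LAN_NET carries no mark and is
    # dropped by the FORWARD policy.
    $IPT -t mangle -A PREROUTING -i "$ext_if" -p esp -j MARK --set-mark 1
    $IPT -A FORWARD -i "$ext_if" -o "$lan_if" -m mark --mark 1 -d "$lan_net" -j ACCEPT

    # LAN-originated flows out (including replies back into the tunnel) and
    # established replies in.
    $IPT -A FORWARD -i "$lan_if" -o "$ext_if" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$ext_if" -o "$lan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source NAT for Internet-bound traffic only. Plaintext bound for VPN_NET
    # passes POSTROUTING before it is encrypted, so it is exempted here:
    # otherwise its inner source address is rewritten and the far end drops it.
    # ("! -p esp" is the later spelling of the "-p ! esp" in Daniel's rule.)
    $IPT -t nat -A POSTROUTING -o "$ext_if" ! -d "$vpn_net" ! -p esp -j SNAT --to-source "$ext_ip"
}

# Number of rule lines produced in dry-run mode; handy for a quick self-check.
rule_count() {
    ipsec_fw_rules "$@" | grep -c '^iptables '
}

if [ "${1:-}" = "--demo" ]; then
    ipsec_fw_rules eth0 eth1 203.0.113.5 10.0.0.0/24 10.0.1.0/24
fi
```

<DIV dir=ltr align=left>Run it with --demo to print the eleven rules for the placeholder values; with IPT=iptables and root the same call installs them. The FORWARD rule keyed on the mark is the piece that replaces the missing ipsec0 interface: it is the only path from the external interface into the LAN that accepts NEW connections, and only marked (decrypted) packets reach it.</DIV>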
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Giovanni<BR><B>Sent:</B>
26 October 2004 09:53<BR><B>To:</B> users@openswan.org<BR><B>Subject:</B>
[Openswan Users] OpensWan and Iptables<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face="Comic Sans MS" color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Comic Sans MS'">I don't
understand how to configure the firewall "iptables"
adequately so that it accepts the packets which come from the WAN and are destined
to the LAN.</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face="Comic Sans MS" color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Comic Sans MS'">My VPN has
as server:</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Kernel
2.6.9<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Openswan
2.2.0<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">IpTables
1.2.11<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">As I think the IPSEC interface doesn't exist, I don't
know how to recognize the packets which arrive from my VPN
connection and accept them, and how to
distinguish the packets which arrive from the Internet and
decline them.</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">At the
moment, when the firewall is operative, pings which come from
my client on the VPN are all dropped ("DROP") by the firewall.</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">I have already added
policy for AH, ESP and IKE on the firewall, so that
the connection is accepted and established, but then all my requests
towards my LAN are blocked by the firewall.</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Thanks.</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Giovanni<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P></DIV></BODY></HTML>