[Openswan Users] iptables problem
Vernon A. Fort
vfort at provident-solutions.com
Thu Dec 2 09:24:35 CET 2004
I have a VPN running: Fedora Core 3 using iptables and openswan ipsec
192.168.1.0/24 => GW1 (FC3) <=INTERNET=> GW2 (FC3) <=> 192.168.2.0/24
I know the VPN is working - I can drop the firewall and ALL traffic is
passing both ways.
Side note - with FreeSwan, I was used to seeing the ipsec0 interface but
now it appears that everything goes out the normal public interface -
why the change? - this made it very easy to add filtering.
With the firewall active - oddly enough I can ping either side but
that's it. I attempt to Remote Desktop from one NT server to the other
and nothing, not RDP, FTP, etc... but ping will work. I use a firewall
script called gShield and have modified it as follows:
$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p ESP -j ACCEPT
$IPTABLES -A OUTPUT -p ESP -j ACCEPT
$IPTABLES -A INPUT -p AH -j ACCEPT
$IPTABLES -A OUTPUT -p AH -j ACCEPT
Absolutely NOTHING will pass with just these rules in place. But when I
add on the 192.168.1.0/24 side:
$IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
$IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
I can ping but nothing else. Does anyone have an iptables example, or
can anyone point me in the right direction?
Vernon
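Not part of Vernon's post or of gShield/Openswan: an added dry-run rule script for the setup he describes (2.6 native IPsec, no ipsec0, decrypted packets re-entering on the public interface), showing the gateway's own IKE/ESP/AH rules beside the FORWARD rules the inner subnets need in both directions. The interface names PUB=eth0 and LAN=eth1 and the policy-match variant are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from gShield/Openswan.
# Assumptions: PUB is the Internet-facing NIC, LAN the inside NIC, and
# the kernel is the 2.6 native IPsec stack, so there is no ipsec0 and the
# decrypted inner packets arrive on PUB and must pass the FORWARD chain.
PUB=${PUB:-eth0}
LAN=${LAN:-eth1}
LOCAL=${LOCAL:-192.168.1.0/24}
REMOTE=${REMOTE:-192.168.2.0/24}
# Dry run unless IPTABLES is overridden with the real binary.
IPTABLES=${IPTABLES:-"echo iptables"}

# Gateway-to-gateway traffic: IKE on UDP 500 plus the ESP/AH carriers.
ike_and_esp_rules() {
    $IPTABLES -A INPUT  -i "$PUB" -p udp --sport 500 --dport 500 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$PUB" -p udp --sport 500 --dport 500 -j ACCEPT
    $IPTABLES -A INPUT  -i "$PUB" -p esp -j ACCEPT
    $IPTABLES -A OUTPUT -o "$PUB" -p esp -j ACCEPT
    $IPTABLES -A INPUT  -i "$PUB" -p ah  -j ACCEPT
    $IPTABLES -A OUTPUT -o "$PUB" -p ah  -j ACCEPT
}

# Inner traffic, both directions. Matching the subnets alone would also
# accept cleartext packets spoofed from the Internet with a 192.168.2.x
# source, so the inbound rule keeps the post's idea: mark the ESP packet
# in PREROUTING and require that mark on the decrypted packet in FORWARD.
tunnel_forward_rules() {
    $IPTABLES -t mangle -A PREROUTING -i "$PUB" -p esp -j MARK --set-mark 1
    $IPTABLES -A FORWARD -i "$PUB" -o "$LAN" -m mark --mark 1 \
        -s "$REMOTE" -d "$LOCAL" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN" -o "$PUB" -s "$LOCAL" -d "$REMOTE" -j ACCEPT
}

# Same inbound rule on kernels whose iptables has the policy match, which
# checks that the packet really was decapsulated from an ESP SA (assumed
# available; it is not on every 2004-era kernel).
tunnel_forward_rules_policy() {
    $IPTABLES -A FORWARD -i "$PUB" -o "$LAN" -m policy --dir in --pol ipsec \
        --proto esp -s "$REMOTE" -d "$LOCAL" -j ACCEPT
}
```

Run it as-is to see the rules it would load; set IPTABLES=/sbin/iptables and call the functions to apply them.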