[Openswan Users] iptables problem

Giovani Moda - MR Informática giovani at mrinformatica.com.br
Thu Dec 2 16:46:56 CET 2004


Vernon,

I had a similar problem with Arno's Iptables Firewall. Since Kernel 2.6 does
not support KLIPS, no virtual interface (ipsecN) is created, making it all
very difficult to work.

My problem was that rp_filter must be DISABLED, and connections from private
network addresses on the external ethernet must be accepted. Since no virtual
interface is created, the packets from your private networks will all be
routed through the external interfaces. Arno's Iptables Firewall has some
custom rules that drop those packets, and, by default, rp_filter is enabled.
After I made these changes, everything worked like a charm.

Hope it helps,


Giovani
----- Original Message ----- 
From: "Vernon A. Fort" <vfort at provident-solutions.com>
To: <users at openswan.org>
Sent: Thursday, December 02, 2004 1:24 PM
Subject: [Openswan Users] iptables problem


> I have a VPN running:  Fedora Core 3 using iptables and openswan ipsec
>
>     192.168.1.0/24   => GW1 (FC3) <=INTERNET=> GW2 (FC3) <=> 192.168.2.0/24
>
> I know the VPN is working - I can drop the firewall and ALL traffic is
> passing both ways.
>
> Side note - with FreeSwan, I was used to seeing the ipsec0 interface but
> now it appears that everything goes out the normal public interface -
> why the change? - this made it very easy to add filtering.
>
> With the firewall active - oddly enough I can ping either side but
> that's it.  I attempt to Remote Desktop from one NT server to the other
> and nothing, not RDP, FTP, etc... but ping will work.  I use a firewall
> script called gShield and have modified as follows:
>
>         $IPTABLES -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
>         $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>         $IPTABLES -A INPUT -p ESP -j ACCEPT
>         $IPTABLES -A OUTPUT -p ESP -j ACCEPT
>         $IPTABLES -A INPUT -p AH -j ACCEPT
>         $IPTABLES -A OUTPUT -p AH -j ACCEPT
>
> Absolutely NOTHING will pass with just these rules in place.  But when I
> add on the 192.168.1.0/24 side:
>
>     $IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
>     $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
>
> I can ping but nothing else.  Does anyone have an iptables example? or
> can anyone point me in the right direction?
>
> Vernon
>



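A firewall fragment that puts the two points of the thread together (rp_filter off, IKE/ESP/AH allowed, decrypted private-network traffic accepted on the external interface); this is an added example, not code from either message or from Openswan, gShield or Arno's firewall. It assumes eth0 is GW1's external interface and a constructed peer address, and it uses the iptables policy match (xt_policy) to accept the private addresses only when they came out of an IPsec SA, which goes beyond the blanket accept discussed above and needs a kernel and iptables that ship that match.

```shell
#!/bin/sh
# Added example, not code from either message. Assumed names: eth0 is the
# external interface on GW1, PEER is GW2's public address (constructed value).
IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"
PEER="${PEER:-203.0.113.2}"

# ipt: run iptables, or print the command when DRY_RUN is set, so the rule
# set can be reviewed (and tested) without root or a live kernel.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# set_proc: write a value to a /proc/sys entry (printed under DRY_RUN).
set_proc() {
    if [ -n "$DRY_RUN" ]; then echo "$2 > $1"; else echo "$2" > "$1"; fi
}

# Without KLIPS the decrypted 192.168.2.0/24 packets surface on the external
# interface, and rp_filter drops them as spoofed. The effective value is the
# larger of conf/all and conf/<iface>, so both must be cleared.
disable_rp_filter() {
    set_proc /proc/sys/net/ipv4/conf/all/rp_filter 0
    set_proc "/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter" 0
}

ipsec_rules() {
    # IKE (UDP 500) plus the ESP and AH protocols, limited to the peer gateway
    # rather than accepted from anywhere as in the original rules.
    for proto in esp ah; do
        ipt -A INPUT  -i "$EXT_IF" -s "$PEER" -p "$proto" -j ACCEPT
        ipt -A OUTPUT -o "$EXT_IF" -d "$PEER" -p "$proto" -j ACCEPT
    done
    ipt -A INPUT  -i "$EXT_IF" -s "$PEER" -p udp --sport 500 --dport 500 -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -d "$PEER" -p udp --sport 500 --dport 500 -j ACCEPT
    # Decrypted traffic: the policy match accepts private-network packets on
    # the external interface only if they really came out of an IPsec SA,
    # which is tighter than a blanket accept of private addresses.
    ipt -A FORWARD -i "$EXT_IF" -m policy --dir in --pol ipsec --proto esp \
        -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    ipt -A FORWARD -o "$EXT_IF" -m policy --dir out --pol ipsec --proto esp \
        -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # The same private addresses arriving in the clear are spoofed: drop them.
    ipt -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -j DROP
}
# Run as "./ipsec-fw.sh apply" to install; otherwise only the functions load.
if [ "${1:-}" = "apply" ]; then disable_rp_filter; ipsec_rules; fi
```

Run with `DRY_RUN=1 sh -c '. ./ipsec-fw.sh; ipsec_rules'` to print the rule set for review before applying it as root.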


