[Openswan Users] iptables problem

Vernon A. Fort vfort at provident-solutions.com
Thu Dec 2 14:46:53 CET 2004


Giovani Moda - MR Informática wrote:

>Vernon,
>
>I had a similar problem with Arno's Iptables Firewall. Since Kernel 2.6 does
>not support KLIPS, no virtual interface (ipsecN) is created, making it all
>very difficult to work.
>
>My problem was that rp_filter must be DISABLED, and connection of private
>network addresses on the external ethernet must be accepted. Since no virtual
>interface is created, the packets from your private networks will all be
>routed through the external interfaces. Arno's Iptables Firewall has some
>custom rules that drop those packets, and, by default, rp_filter is enabled.
>After I made these changes, everything worked like a charm.
>
>Hope it helps,
>
>
>Giovani
>----- Original Message ----- 
>From: "Vernon A. Fort" <vfort at provident-solutions.com>
>To: <users at openswan.org>
>Sent: Thursday, December 02, 2004 1:24 PM
>Subject: [Openswan Users] iptables problem
>
>>I have a VPN running:  Fedora Core 3 using iptables and openswan ipsec
>>
>>    192.168.1.0/24   => GW1 (FC3) <=INTERNET=> GW2 (FC3) <=> 192.168.2.0/24
>>
>>I know the VPN is working - I can drop the firewall and ALL traffic is
>>passing both ways.
>>
>>Side note - with FreeSwan, I was used to seeing the ipsec0 interface but
>>now it appears that everything goes out the normal public interface -
>>why the change? - this made it very easy to add filtering.
>>
>>With the firewall active - oddly enough I can ping either side but
>>that's it.  I attempt to Remote Desktop from one NT server to the other
>>and nothing, not RDP, FTP, etc... but ping will work.  I use a firewall
>>script called gShield and have modified it as follows:
>>
>>        $IPTABLES -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
>>        $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>        $IPTABLES -A INPUT -p ESP -j ACCEPT
>>        $IPTABLES -A OUTPUT -p ESP -j ACCEPT
>>        $IPTABLES -A INPUT -p AH -j ACCEPT
>>        $IPTABLES -A OUTPUT -p AH -j ACCEPT
>>
>>Absolutely NOTHING will pass with just these rules in place.  But when I
>>add on the 192.168.1.0/24 side:
>>
>>    $IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
>>    $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
>>
>>I can ping but nothing else.  Does anyone have an iptables example, or
>>can anyone point me in the right direction?
>>
Thanks for the information - As it turned out, it was my own fault.  The 
only port that was not working was RDP (3389), but it dawned on me several 
hours later that I had a port forward rule which enabled me to access 
RDP remotely.  So when I attempted to RDP from this box through the VPN, 
it was forwarding it back to me.

The other item was to get the RESERVED address mapped out - this way I 
can connect from gate-to-gate without opening up all of the 192.168 class B 
- just enabled 1 and 2.

IT'S now working GREAT!

Vernon

