[Openswan Users] iptables problem
Vernon A. Fort
vfort at provident-solutions.com
Thu Dec 2 14:46:53 CET 2004
Giovani Moda - MR Informática wrote:
>Vernon,
>
>I had a similar problem with Arno's Iptables Firewall. Since Kernel 2.6 does
>not support KLIPS, no virtual interface (ipsecN) is created, making it all
>very difficult to work.
>
>My problem was that rp_filter must be DISABLED, and connections from private
>network addresses on the external ethernet must be accepted. Since no virtual
>interface is created, the packets from your private networks will all be
>routed through the external interfaces. Arno's Iptables Firewall has some
>custom rules that drop those packets, and, by default, rp_filter is enabled.
>After I made these changes, everything worked like a charm.
>
>Hope it helps,
>
>Giovani
>----- Original Message -----
>From: "Vernon A. Fort" <vfort at provident-solutions.com>
>To: <users at openswan.org>
>Sent: Thursday, December 02, 2004 1:24 PM
>Subject: [Openswan Users] iptables problem
>
>>I have a VPN running: Fedora Core 3 using iptables and openswan ipsec
>>
>> 192.168.1.0/24 => GW1 (FC3) <=INTERNET=> GW2 (FC3) <=> 192.168.2.0/24
>>
>>I know the VPN is working - I can drop the firewall and ALL traffic is
>>passing both ways.
>>
>>Side note - with FreeSwan, I was used to seeing the ipsec0 interface but
>>now it appears that everything goes out the normal public interface -
>>why the change? - this made it very easy to add filtering.
>>
>>With the firewall active - oddly enough I can ping either side but
>>that's it. I attempt to Remote Desktop from one NT server to the other
>>and nothing, not RDP, FTP, etc... but ping will work. I use a firewall
>>script called gShield and have modified it as follows:
>>
>> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
>> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>> $IPTABLES -A INPUT -p ESP -j ACCEPT
>> $IPTABLES -A OUTPUT -p ESP -j ACCEPT
>> $IPTABLES -A INPUT -p AH -j ACCEPT
>> $IPTABLES -A OUTPUT -p AH -j ACCEPT
>>
>>Absolutely NOTHING will pass with just these rules in place. But when I
>>add on the 192.168.1.0/24 side:
>>
>> $IPTABLES -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
>> $IPTABLES -A FORWARD -i eth1 -m mark --mark 1 -d 192.168.2.0/24 -j ACCEPT
>>
>>I can ping but nothing else. Does anyone have an iptables example, or
>>can anyone point me in the right direction?
>>
Thanks for the information - As it turned out, it was my own fault. The
only port that was not working was RDP (3389), but it dawned on me several
hours later that I had a port forward rule which enabled me to access
RDP remotely. So when I attempted to RDP from this box through the VPN,
it was forwarding it back to me.
The other item was to get the RESERVED address mapped out - this way I
can connect from gate-to-gate without opening up all the 192.168 class b
- just enabled 1 and 2.
IT'S now working GREAT!
Vernon
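The gateway ruleset the thread converges on, written out as an added example (not Vernon's gShield script or Arno's firewall): IKE/ESP/AH for the gateway itself, forwarding restricted to the two site subnets with rp_filter off on the outside interface because 2.6 has no ipsecN device, and the RDP port forward constrained so it no longer swallows RDP headed through the tunnel. Interface names, the public address and the RDP server address are assumptions; by default the script only echoes the commands, so it can be read and tested offline.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's gShield script nor
# Arno's firewall. Assumed: EXT_IF/INT_IF (Internet and LAN interface),
# EXT_IP (public address), RDP_SERVER (LAN host behind the port forward);
# addresses other than the two VPN subnets are constructed. IPTABLES and
# SYSCTL default to a dry run that only echoes the commands.
IPTABLES=${IPTABLES:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
EXT_IP=${EXT_IP:-203.0.113.10}
RDP_SERVER=${RDP_SERVER:-192.168.1.10}
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.2.0/24

# 2.6 has no KLIPS ipsecN device: decrypted packets re-enter netfilter on
# $EXT_IF with a private source address, which rp_filter would discard.
rp_filter_off() {
    $SYSCTL -w "net.ipv4.conf.$EXT_IF.rp_filter=0"
}

# IKE plus the ESP and AH payload protocols, to and from the gateway itself.
ipsec_rules() {
    $IPTABLES -A INPUT  -i "$EXT_IF" -p udp --sport 500 --dport 500 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p udp --sport 500 --dport 500 -j ACCEPT
    for proto in esp ah; do
        $IPTABLES -A INPUT  -i "$EXT_IF" -p $proto -j ACCEPT
        $IPTABLES -A OUTPUT -o "$EXT_IF" -p $proto -j ACCEPT
    done
}

# Plaintext between the sites: forward exactly this subnet pair, both ways,
# and exempt it from the LAN masquerade (assumed) so inner packets are not
# rewritten before encryption.
vpn_forward_rules() {
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s $LOCAL_NET -o "$EXT_IF" -j MASQUERADE
}

# The RDP trap from the thread: a bare "--dport 3389 -j DNAT" also catches
# RDP bound for the far side. Matching Internet interface AND public address
# excludes it (decrypted inner packets arrive on $EXT_IF too, so -d matters).
rdp_forward_fixed() {
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 3389 \
        -j DNAT --to-destination $RDP_SERVER
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d $RDP_SERVER -p tcp --dport 3389 -j ACCEPT
}
rp_filter_off; ipsec_rules; vpn_forward_rules; rdp_forward_fixed
```

Run with `IPTABLES=iptables SYSCTL=sysctl` on a gateway whose FORWARD policy is DROP to apply the rules instead of printing them.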