[Openswan Users] Tunnels come up, but not all traffic goes through
Jacco de Leeuw
jacco2 at dds.nl
Thu Jun 10 17:35:47 CEST 2004
Nate Carlson wrote:
> Just for the sake of reference, how would you, for example, tag all data
> that is coming in via IPSec and going out to your internal network (eth1)?
> With klips, it's easy:
>
> iptables -I FORWARD -i ipsec0 -o eth1 <...>
>
> With 26sec, I'm not aware of a way to do it besides tagging on IP address;
> the hard part is you don't always know the remote IP (roadwarriors and
> such). If there is a simple way to do it, I'd love to hear about it!
I don't know if you can use this but Chris Andrews wrote that he uses fwmark.
Marks applied to encrypted packets remain set on the unencrypted packets,
and we can use this to determine which packets arrived via the IPSec SA. The
'mark' is internal to the kernel, and can't be set on packets outside of the
system, so it's safe to use this match.
iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
http://www.funknet.org/doc/tunnel/l2tp.html
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
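As an added example (not code from this thread or from Openswan), the same fwmark trick carried through to the FORWARD case Nate asked about: eth0 as the outside interface, eth1 as the LAN and mark value 1 are assumptions, and the script only prints the rules unless DRY_RUN=0.

```bash
#!/bin/sh
# Added example, not from the mailing list thread. Assumed layout: eth0 faces
# the Internet, eth1 is the internal LAN, fwmark 1 is otherwise unused here.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
IPSEC_MARK=${IPSEC_MARK:-1}

# Print (DRY_RUN=1, the default) or apply (DRY_RUN=0) one iptables command.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

ipsec_mark_rules() {
    # 1. Mark ESP as it arrives. The mark survives decapsulation in the 2.6
    #    native IPsec stack, so the inner cleartext packet re-enters
    #    PREROUTING already carrying it. NAT-T peers send ESP inside UDP/4500
    #    and would need a matching rule for that traffic as well.
    run iptables -t mangle -A PREROUTING -i "$EXT_IF" -p esp \
        -j MARK --set-mark "$IPSEC_MARK"
    # 2. Forward traffic from outside to the LAN only if it came out of an SA.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m mark --mark "$IPSEC_MARK" -j ACCEPT
    # 3. Anything else from eth0 towards the LAN never went through IPsec.
    #    The mark cannot be set by a remote host, so the match is trustworthy.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP
}

ipsec_mark_rules
```

Run it as `DRY_RUN=0 sh rules.sh` on the gateway to apply the rules; without that variable it only lists them.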