[Openswan Users] Tunnels come up, but not all traffic goesthrough
Herbert Xu
herbert at gondor.apana.org.au
Fri Jun 11 10:41:04 CEST 2004
On Thu, Jun 10, 2004 at 01:25:40PM -0400, Michael Richardson wrote:
>
> # permit LAN-C to connect to special server at 1.19:
> iptables -A INPUT -i ipsec0 -s 192.168.2.0/24 -d 192.168.1.19/32 -j ACCEPT
> iptables -A INPUT -i ipsec0 -s 192.168.3.0/24 -d 192.168.1.19/32 -j DROP
>
> .... (appologies for syntax error)
>
> Now, if one simply "change all references to ipsec0 to eth1", then one
> has just permitted traffic from the outside to arrive on eth1, unencrypted.
No you haven't. As long as your IPsec connection is routed/up, there
will be a policy in the kernel policy engine that says any traffic
matching those criteria must be encrypted using IPsec. Any traffic
from 192.168.2.0/24 to 192.168.1.0/24 which comes in clear from
*any* interface will be dropped.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
More information about the Users
mailing list