R: [Openswan Users] OpensWan and Iptables
Giovanni
gio_ton at tiscali.it
Tue Nov 2 16:02:15 CET 2004
OK, I have another question.
Please help me!!
My VPN/firewall has these IPs: public: 217.xxx.xxx.xxx, IP on the DMZ: 10.0.0.200,
IP on the private LAN: 172.16.1.200.
I have clients in the private LAN with IPs 172.16.1.10/11 etc.
From the VPN client, if I ping 172.16.1.10/11 everything works, but if I
ping 172.16.1.200 (the private-LAN IP of the firewall/VPN) my
firewall ACCEPTs the ESP packets and DROPs the ICMP packets!!!
Why???
Thanks
Giovanni
_____
From: Giovanni [mailto:gio_ton at tiscali.it]
Sent: Wednesday, 27 October 2004 1.31
To: 'users at openswan.org'
Subject: R: [Openswan Users] OpensWan and Iptables
Now it works very well!!!
Thanks again
Hi
This should give you an idea:
[ #Allow IKE ]
# Allow ESP traffic from/to the gateway
iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT
# Tag incoming IPsec traffic. The 'mark' sticks after decapsulation.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK --set-mark 1
# Forward authenticated (marked) traffic to the LAN.
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT
# Allow established connections to communicate back.
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Source-NAT everything except ESP traffic ("! -p esp" is the negation form accepted by both old and current iptables).
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE ! -p esp -j SNAT --to-source $EXTERNAL_IPADDR
I hope this helps.
Cheers,
Daniel.
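Packets addressed to the gateway itself (the ping to 172.16.1.200) traverse the INPUT chain, not FORWARD, so the ruleset above accepts the ESP packet but never the decrypted ICMP inside it. The following is an added example, not Daniel's or the Openswan project's code: the same rules as a dry-runnable shell script, plus INPUT/OUTPUT rules for the gateway's own LAN address. Interface names, the 203.0.113.1 external address, the LAN_GATEWAY_IP variable and the marked_accepts_in check are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces and the external address are
# placeholders; set IPT=echo (or omit the "apply" argument) to print the rules
# instead of loading them.
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth0}
LAN_INTERFACE=${LAN_INTERFACE:-eth1}
EXTERNAL_IPADDR=${EXTERNAL_IPADDR:-203.0.113.1}   # stands in for 217.xxx.xxx.xxx
LAN_ADDRESSES=${LAN_ADDRESSES:-172.16.1.0/24}
LAN_GATEWAY_IP=${LAN_GATEWAY_IP:-172.16.1.200}    # the firewall's private-LAN IP
IPT=${IPT:-iptables}

ipsec_rules() {
    # IKE (UDP/500) and ESP terminate on the gateway itself: INPUT/OUTPUT chains.
    $IPT -A INPUT  -i "$EXTERNAL_INTERFACE" -p udp --dport 500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp --sport 500 -j ACCEPT
    $IPT -A INPUT  -i "$EXTERNAL_INTERFACE" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p esp -j ACCEPT
    # Mark ESP on arrival; the decrypted inner packet keeps the mark when it
    # re-enters netfilter (the posted FORWARD rule already relies on this).
    $IPT -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE" -p esp -j MARK --set-mark 1
    # Decrypted traffic for hosts behind the gateway traverses FORWARD ...
    $IPT -A FORWARD -i "$EXTERNAL_INTERFACE" -m mark --mark 1 -d "$LAN_ADDRESSES" -j ACCEPT
    # ... but decrypted traffic for the gateway's own address traverses INPUT,
    # which the posted ruleset never matches: ESP accepted, inner ICMP dropped.
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -m mark --mark 1 -d "$LAN_GATEWAY_IP" -j ACCEPT
    # The gateway's own replies leave via OUTPUT (matters only if its policy is DROP).
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN <-> Internet, stateful.
    $IPT -A FORWARD -i "$LAN_INTERFACE" -o "$EXTERNAL_INTERFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$LAN_INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Source-NAT everything except ESP.
    $IPT -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" ! -p esp -j SNAT --to-source "$EXTERNAL_IPADDR"
}

# Print the rules in a subshell so the caller's IPT is untouched.
dry_run() { ( IPT=echo; ipsec_rules ); }

# Count rules in chain $1 that accept marked (decrypted IPsec) traffic;
# the posted ruleset gives 1 for FORWARD and 0 for INPUT.
marked_accepts_in() {
    dry_run | grep -c -- "-A $1 .*-m mark --mark 1 .*-j ACCEPT"
}

case "${1:-dry-run}" in
    apply) ipsec_rules ;;   # needs root
    *)     dry_run ;;
esac
```

Run it with `apply` as root to load the rules; any other invocation prints them, which is what `marked_accepts_in` inspects.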