R: [Openswan Users] OpensWan and Iptables

Giovanni gio_ton at tiscali.it
Tue Nov 2 16:02:15 CET 2004


 

OK, I have another question, please help me!!

My VPN/Firewall has these IPs: public: 217.xxx.xxx.xxx, IP on the DMZ: 10.0.0.200,
IP on the private LAN: 172.16.1.200

I have clients in the private LAN with IPs 172.16.1.10/11 etc.

From the VPN client, if I ping 172.16.1.10/11 everything works, but if I
ping 172.16.1.200 (which is the IP of the firewall/VPN on the private LAN) my
firewall ACCEPTs the ESP packets and DROPs the ICMP packets!!!

Why???

Thanks

Giovanni

 

  _____  

From: Giovanni [mailto:gio_ton at tiscali.it]
Sent: Wednesday, 27 October 2004 1:31
To: 'users at openswan.org'
Subject: R: [Openswan Users] OpensWan and Iptables

 

Now works very well!!!

Thanks again


Hi 

This should give you an idea:

 [ #Allow IKE ]

# Allow ESP traffic from/to the gateway
iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT

# Tag incoming IPsec traffic; the mark sticks after processing.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK --set-mark 1

# Forward authenticated (marked) traffic to the LAN.
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT

# Allow established connections to communicate back.
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Source-NAT everything except ESP traffic.
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE ! -p esp -j SNAT --to-source $EXTERNAL_IPADDR

 

I hope this helps.

 

Cheers,

Daniel.
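As an added illustration, not part of either poster's message, here is a small Python model of Daniel's ruleset applied to the two pings Giovanni describes. It shows why the decrypted ICMP packet for the gateway's own LAN address is dropped: a packet for one of the box's own addresses is delivered locally and traverses INPUT, where only ESP is accepted, while a ping to a LAN host traverses FORWARD, where the marked-traffic rule accepts it. The interface name, the public address, the DROP policy and the post's claim that the mark survives decryption are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology following Giovanni's description; the public address is
# a placeholder, since his real one is masked in the post.
EXT = "eth0"
GATEWAY_PUBLIC = "203.0.113.10"                 # stands in for 217.xxx.xxx.xxx
LAN_ADDRESSES = ip_network("172.16.1.0/24")
# Every address the gateway itself owns: packets for these are delivered locally.
GATEWAY_ADDRS = {ip_address(a) for a in (GATEWAY_PUBLIC, "10.0.0.200", "172.16.1.200")}

# Daniel's two inbound ACCEPT rules, as (chain, match criteria, target).
# The chain policy is DROP, which is what Giovanni reports seeing.
RULES = [
    ("INPUT",   {"in_iface": EXT, "proto": "esp"},                  "ACCEPT"),
    ("FORWARD", {"in_iface": EXT, "mark": 1, "dst": LAN_ADDRESSES}, "ACCEPT"),
]

def packet(dst, proto, in_iface=EXT, mark=0):
    return {"dst": dst, "proto": proto, "in_iface": in_iface, "mark": mark}

def matches(criteria, pkt):
    """-d is a prefix match; every other criterion is an exact match."""
    for key, want in criteria.items():
        if key == "dst":
            if ip_address(pkt["dst"]) not in want:
                return False
        elif pkt[key] != want:
            return False
    return True

def chain_for(pkt):
    """Netfilter's routing decision: a packet addressed to one of the box's own
    addresses goes to INPUT; anything else goes to FORWARD."""
    return "INPUT" if ip_address(pkt["dst"]) in GATEWAY_ADDRS else "FORWARD"

def verdict(pkt):
    chain = chain_for(pkt)
    for rule_chain, criteria, target in RULES:
        if rule_chain == chain and matches(criteria, pkt):
            return target
    return "DROP"

def trace_ping(inner_dst):
    """First the outer ESP packet, then the decrypted ICMP packet, which the
    post's mangle PREROUTING rule has tagged with mark 1."""
    esp = packet(GATEWAY_PUBLIC, "esp")
    icmp = packet(inner_dst, "icmp", mark=1)
    return {"esp": verdict(esp), "chain": chain_for(icmp), "icmp": verdict(icmp)}
```

The model reproduces the symptom exactly: trace_ping("172.16.1.10") ends in FORWARD and is accepted, trace_ping("172.16.1.200") ends in INPUT and is dropped, because the posted ruleset has no INPUT rule for decrypted traffic addressed to the gateway itself.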

 
