R: [Openswan Users] OpensWan and Iptables

John A. Sullivan III john.sullivan at nexusmgmt.com
Tue Nov 2 10:30:22 CET 2004


Your ICMP packets for 172.16.1.200 will show up on your INPUT chain
rather than your FORWARD chain.  Are you allowing them there?

On Tue, 2004-11-02 at 10:02, Giovanni wrote:
> OK I have another question… please help me!!
> 
> My VPN/firewall has these IPs: public: 217.xxx.xxx.xxx; IP on
> DMZ: 10.0.0.200; IP on private LAN: 172.16.1.200
> 
> I have clients in the private LAN with IPs 172.16.1.10/11 etc.
> 
> From the VPN client, if I ping 172.16.1.10/11 everything works, but
> if I ping 172.16.1.200 (the IP of the firewall/VPN on the private
> LAN) my firewall ACCEPTs the ESP packets and DROPs the ICMP packets!!!
> 
> Why???
> 
> Thanks
> 
> Giovanni
> 
> ______________________________________________________________________
> 
> From: Giovanni [mailto:gio_ton at tiscali.it] 
> Sent: Wednesday 27 October 2004 1.31
> To: 'users at openswan.org'
> Subject: R: [Openswan Users] OpensWan and Iptables
> 
> Now it works very well!!!
> 
> Thanks again
> 
> Hi 
> 
> This should give you an idea:
> 
>  [ #Allow IKE ]
> 
> # Allow ESP Traffic from/to Gateway
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT
> 
> # Tag Incoming IPSec Traffic. 'mark' sticks after processing.
> iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK --set-mark 1
> 
> # Forward Authenticated Traffic to LAN.
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT
> 
> # Allow established connections to communicate back.
> iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # SRC nat everything apart from esp traffic.
> iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p ! esp -j SNAT --to-source $EXTERNAL_IPADDR
> 
> I hope this helps.
> 
> Cheers,
> 
> Daniel.
> 
> ______________________________________________________________________
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
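John's point, worked through in a small Python model added here (not code from the thread, Openswan or netfilter): a decrypted packet destined to one of the gateway's own addresses is routed to INPUT, so Daniel's FORWARD rule never sees it; an extra INPUT rule for marked traffic admits it. Interface name, the gateway address set and the prefix standing in for $LAN_ADDRESSES are constructed assumptions.

```python
# Added example, not from the thread: a toy model of netfilter traversal for
# Daniel's ruleset. It shows why a ping to the gateway's own LAN address
# (172.16.1.200) is dropped while a ping to a LAN host (172.16.1.10) is
# forwarded, and how an INPUT rule for marked traffic fixes it.
from dataclasses import dataclass

EXTERNAL_INTERFACE = "eth0"   # constructed value of $EXTERNAL_INTERFACE
LAN_ADDRESSES = "172.16.1."   # prefix standing in for $LAN_ADDRESSES
# Addresses owned by the gateway; packets to these are routed to INPUT, not FORWARD.
GATEWAY_ADDRS = {"10.0.0.200", "172.16.1.200"}  # public 217.xxx address omitted

@dataclass
class Packet:
    in_if: str
    proto: str
    dst: str
    mark: int = 0

# Rule = (in_if, proto, mark, dst_prefix, target); None matches anything.
DANIEL_INPUT = [(EXTERNAL_INTERFACE, "esp", None, None, "ACCEPT")]
DANIEL_FORWARD = [(EXTERNAL_INTERFACE, None, 1, LAN_ADDRESSES, "ACCEPT")]
# Fix following John's observation: admit decrypted (marked) traffic in INPUT too,
# i.e. iptables -A INPUT -i $EXTERNAL_INTERFACE -m mark --mark 1 -j ACCEPT
FIXED_INPUT = DANIEL_INPUT + [(EXTERNAL_INTERFACE, None, 1, None, "ACCEPT")]

def first_match(rules, pkt, policy="DROP"):
    """Target of the first matching rule, or the chain's default policy."""
    for in_if, proto, mark, dst_prefix, target in rules:
        if (in_if is None or pkt.in_if == in_if) and (proto is None or pkt.proto == proto) \
                and (mark is None or pkt.mark == mark) \
                and (dst_prefix is None or pkt.dst.startswith(dst_prefix)):
            return target
    return policy

def verdict(inner_dst, input_rules, forward_rules):
    """Verdict for an ICMP echo tunnelled in ESP from the VPN client to inner_dst.

    The mangle PREROUTING rule sets mark 1 on the ESP packet and, as the thread
    states, the mark sticks to the decrypted inner packet when it is re-routed.
    The routing decision sends it to INPUT if inner_dst is a gateway address,
    otherwise to FORWARD.
    """
    inner = Packet(in_if=EXTERNAL_INTERFACE, proto="icmp", dst=inner_dst, mark=1)
    chain = input_rules if inner.dst in GATEWAY_ADDRS else forward_rules
    return first_match(chain, inner)
```

Calling verdict() with DANIEL_INPUT returns ACCEPT for 172.16.1.10 and DROP for 172.16.1.200; with FIXED_INPUT the gateway address is accepted as well.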


