R: [Openswan Users] OpensWan and Iptables
John A. Sullivan III
john.sullivan at nexusmgmt.com
Tue Nov 2 10:30:22 CET 2004
Your ICMP packets for 172.16.1.200 will show up on your INPUT chain
rather than your FORWARD chain. Are you allowing them there?
On Tue, 2004-11-02 at 10:02, Giovanni wrote:
>
> OK I have another question… please help me!!
>
> My VPN/Firewall has these IPs: public: 217.xxx.xxx.xxx, IP on
> DMZ: 10.0.0.200, IP on private LAN: 172.16.1.200
>
> I have a client in the private LAN with IP 172.16.1.10/11, etc.
>
> From the VPN client, if I ping 172.16.1.10/11 everything works, but
> if I ping 172.16.1.200 (the firewall/VPN's IP on the private
> LAN) my firewall ACCEPTs the ESP packets and DROPs the ICMP packets!!!
>
> Why???
>
> Thanks
>
> Giovanni
>
> ______________________________________________________________________
>
> From: Giovanni [mailto:gio_ton at tiscali.it]
> Sent: Wednesday 27 October 2004 1:31
> To: 'users at openswan.org'
> Subject: R: [Openswan Users] OpensWan and Iptables
>
> Now works very well!!!
>
> Thanks again
>
> Hi
>
> This should give you an idea:
>
> [ #Allow IKE ]
>
> # Allow ESP Traffic from/to Gateway
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT
>
> # Tag Incoming IPSec Traffic. 'mark' sticks after processing.
> iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK --set-mark 1
>
> # Forward Authenticated Traffic to LAN.
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT
>
> # Allow established connections to communicate back.
> iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SRC nat everything apart from esp traffic.
> # (negation goes before the option in current iptables: "! -p esp", not "-p ! esp")
> iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE ! -p esp -j SNAT --to-source $EXTERNAL_IPADDR
>
> I hope this helps.
>
> Cheers,
> Daniel.
>
> ______________________________________________________________________
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
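As an added example (not code from the thread), here is Daniel's ruleset completed with the INPUT rule John's reply asks about, plus a helper that says which filter chain a given destination lands in on the gateway. Interface names and the public address are constructed placeholders; like the quoted rules, it assumes the decrypted packet re-enters on the external interface with its mark intact.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholder interfaces/addresses
# (eth0, eth1, 203.0.113.1) are constructed; override them via the environment.
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth0}
LAN_INTERFACE=${LAN_INTERFACE:-eth1}
EXTERNAL_IPADDR=${EXTERNAL_IPADDR:-203.0.113.1}
LAN_ADDRESSES=${LAN_ADDRESSES:-172.16.1.0/24}
GATEWAY_LAN_IP=${GATEWAY_LAN_IP:-172.16.1.200}   # the gateway's own LAN address

# Filter chain a decrypted packet for destination $1 traverses on the gateway:
# a locally addressed packet is delivered via INPUT, anything else is routed via FORWARD.
chain_for_dst() {
    case "$1" in
        "$GATEWAY_LAN_IP"|"$EXTERNAL_IPADDR") echo INPUT ;;
        *) echo FORWARD ;;
    esac
}

# Emit the ruleset through command $1 ("iptables" to load it, "echo" to preview).
# Assumes, like the quoted rules, that the decrypted packet re-enters on the
# external interface with the mark set in PREROUTING still attached.
vpn_rules() {
    IPT=${1:-iptables}
    # IKE: UDP 500 (and 4500 for NAT-T) must reach the gateway before any ESP flows.
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -m multiport --sports 500,4500 -j ACCEPT
    # ESP to/from the gateway.
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$EXTERNAL_INTERFACE" -p esp -j ACCEPT
    # Mark ESP so the decapsulated packet can be recognised in the filter table.
    $IPT -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE" -p esp -j MARK --set-mark 1
    # Decrypted traffic for LAN hosts (e.g. 172.16.1.10) is routed: FORWARD chain.
    $IPT -A FORWARD -i "$EXTERNAL_INTERFACE" -m mark --mark 1 -d "$LAN_ADDRESSES" -j ACCEPT
    # Decrypted traffic for the gateway itself (172.16.1.200) is delivered locally:
    # it never traverses FORWARD, so it needs its own INPUT rule (the one John asks about).
    $IPT -A INPUT -i "$EXTERNAL_INTERFACE" -m mark --mark 1 -d "$GATEWAY_LAN_IP" -j ACCEPT
    # Return traffic for flows already tracked by conntrack.
    $IPT -A FORWARD -i "$LAN_INTERFACE" -o "$EXTERNAL_INTERFACE" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$LAN_INTERFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SNAT everything except ESP; current iptables wants the negation before -p.
    $IPT -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" ! -p esp -j SNAT --to-source "$EXTERNAL_IPADDR"
}

if [ "${1:-}" = apply ]; then
    vpn_rules iptables
else
    echo "# preview only; run '$0 apply' to load:"
    vpn_rules echo
fi
```

Pinging 172.16.1.200 from the VPN client exercises the INPUT rule; pinging 172.16.1.10 exercises the FORWARD rule.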