FW: [Openswan Users] OpensWan and Iptables
Daniel Bartlett
dbartlett at pmsi-consulting.com
Tue Oct 26 11:16:45 CEST 2004
Meant this to get on the archive as well...
Doh.
________________________________
From: Daniel Bartlett
Sent: 26 October 2004 10:06
To: 'Giovanni'
Subject: RE: [Openswan Users] OpensWan and Iptables
Hi
This should give you an idea:
[ #Allow IKE ]
# Allow ESP Traffic from/to Gateway
iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT
# Tag Incoming IPSec Traffic. 'mark' sticks after processing.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK --set-mark 1
# Forward Authenticated Traffic to LAN.
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT
# Allow established connections to communicate back.
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# SRC nat everything apart from esp traffic.
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p ! esp -j SNAT --to-source $EXTERNAL_IPADDR
I hope this helps.
Cheers,
Daniel.
________________________________
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Giovanni
Sent: 26 October 2004 09:53
To: users at openswan.org
Subject: [Openswan Users] OpensWan and Iptables
I don't understand how to configure the firewall "iptables" adequately
so that it accepts the packets which come from the WAN and are destined for the
LAN.
My VPN server has:
Kernel 2.6.9
Openswan 2.2.0
IpTables 1.2.11
As I think the IPSEC interface doesn't exist, I don't know how to
recognize the packets which arrive from my VPN connection and accept
them, and how to distinguish the packets which arrive from the Internet and
decline them.
At the moment, when the firewall is operative, pings which come from my
client on the VPN are all "DROP"ped by the firewall.
I have already added policies for AH, ESP and IKE on the firewall, so that the
connection is accepted and established, but then all my requests
towards my LAN are blocked by the firewall.
Thanks.
Giovanni