R: [Openswan Users] OpensWan and Iptables
Giovanni
gio_ton at tiscali.it
Wed Oct 27 02:31:06 CEST 2004
Now works very well!!!
Thanks again
Hi
This should give you an idea:
[ #Allow IKE ]
# Allow ESP Traffic from/to Gateway
iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT
# Tag Incoming IPSec Traffic. 'mark' sticks after processing.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK
--set-mark 1
# Forward Authenticated Traffic to LAN.
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d
$LAN_ADDRESSES -j ACCEPT
# Allow established connections to communicate back.
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state
--state ESTABLISHED,RELATED -j ACCEPT
# SRC nat everything apart from esp traffic.
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p ! esp -j SNAT
--to-source $EXTERNAL_IPADDR
I hope this helps.
Cheers,
Daniel.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20041027/ae8bb46b/attachment.htm
More information about the Users
mailing list