[Openswan Users]

Norman Rasmussen normanr at gmail.com
Tue Aug 30 14:44:32 CEST 2005


Your MY_REJECT drop-all line is getting hit _before_ the ACCEPT lines for IPsec.

i.e. you need to delete and reinsert the MY_REJECT target at the end
of the INPUT table so that it happens last.

On 30/08/05, foren titze <foren.titze at gmx.net> wrote:
> On Tuesday, 30 August 2005 13:16, Paul Wouters wrote:
> > On Tue, 30 Aug 2005, foren titze wrote:
> > > Then I try to open the Ports you give to me.
> >
> > Those are not ports but protocols. eg not "-p tcp --dport 50" but "-p 50"
> 
> 3ast tmp # iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `INPUT INVALID '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:220
> MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     esp  --  195.xxx.xxx.21       0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:500
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> 
> Chain MY_DROP (7 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `PORTSCAN DROP '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain MY_REJECT (2 references)
> target     prot opt source               destination
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT TCP '
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT UDP '
> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `DROP ICMP '
> DROP       icmp --  0.0.0.0/0            0.0.0.0/0
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT OTHER '
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `OUTPUT INVALID '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
> MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
> 
> I don't use AH. The kernel module ipt_esp is loaded.
> But iptables is dropping packets further on:
> ---
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28462 PROTO=ESP SPI=0x23d9d5aa
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28463 PROTO=ESP SPI=0x23d9d5aa
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28464 PROTO=ESP SPI=0x23d9d5aa
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28465 PROTO=ESP SPI=0x23d9d5aa
> ----
> 
> Ben
> >
> > Paul
> 


-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
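As an added example (not code from this thread), a small Python lint over `iptables -L -n` output that finds the ordering mistake Norman points out: a catch-all rule that ends traversal (DROP, REJECT, or a user chain such as MY_REJECT whose last rule does) placed before rules that can then never match. The sample input is constructed from the INPUT and MY_REJECT chains in the quoted post; it leaves out the bare `ACCEPT all` line because `-L -n` hides interface matches such as `-i lo`, so check with `-v` (or `iptables-save`) before acting on a report from real output.

```python
import re

# Constructed sample from the quoted post; bare `ACCEPT all` omitted since -L -n hides `-i lo`.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  195.xxx.xxx.21       0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:500
Chain MY_REJECT (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT OTHER '
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable
"""

def parse_chains(text):
    """Parse `iptables -L -n` output into {chain: [(target, prot, src, dst, extra), ...]}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) \(", line)
        if m:
            cur, chains[m.group(1)] = m.group(1), []
        elif cur and line.strip() and not line.startswith("target "):
            p = line.split(None, 5)  # target prot opt source destination [matches/options]
            chains[cur].append((p[0], p[1], p[3], p[4], p[5].strip() if len(p) > 5 else ""))
    return chains

def is_catch_all(rule):
    """True when a rule matches every packet; `reject-with` is a target option, not a match."""
    return rule[1] == "all" and rule[2] == rule[3] == "0.0.0.0/0" and not re.sub(r"\breject-with \S+", "", rule[4]).strip()

def terminates(target, chains):
    """DROP/REJECT end traversal; so does a user chain whose last rule is a catch-all that does."""
    if target in ("DROP", "REJECT"):
        return True
    rules = chains.get(target)
    return bool(rules) and is_catch_all(rules[-1]) and terminates(rules[-1][0], chains)

def shadowed_rules(chains):
    """{chain: (index of the first catch-all terminal rule, rules after it that can never match)}."""
    report = {}
    for name, rules in chains.items():
        for i, rule in enumerate(rules):
            if is_catch_all(rule) and terminates(rule[0], chains):
                if i + 1 < len(rules):
                    report[name] = (i, rules[i + 1:])
                break
    return report
```

On the sample this reports INPUT rule 3 (the MY_REJECT jump) as shadowing the ESP and UDP/500 ACCEPT rules, and the report is empty once that rule is moved to the end of the chain as the reply suggests.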

