[Openswan Users]
Norman Rasmussen
normanr at gmail.com
Tue Aug 30 14:44:32 CEST 2005
Your MY_REJECT drop-all line is getting hit _before_ the ACCEPT lines for IPsec,
i.e. you need to delete and reinsert the MY_REJECT target at the end
of the INPUT table so that it happens last.
On 30/08/05, foren titze <foren.titze at gmx.net> wrote:
> On Tuesday, 30 August 2005 13:16, Paul Wouters wrote:
> > On Tue, 30 Aug 2005, foren titze wrote:
> > > Then I tried to open the ports you gave me.
> >
> > Those are not ports but protocols. eg not "-p tcp --dport 50" but "-p 50"
>
> 3ast tmp # iptables -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `INPUT INVALID '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
> MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:220
> MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     esp  --  195.xxx.xxx.21       0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:500
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain MY_DROP (7 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `PORTSCAN DROP '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain MY_REJECT (2 references)
> target     prot opt source               destination
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT TCP '
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT UDP '
> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `DROP ICMP '
> DROP       icmp --  0.0.0.0/0            0.0.0.0/0
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT OTHER '
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `OUTPUT INVALID '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
> MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
>
> I don't use AH. The kernel module ipt_esp is loaded.
> But iptables is still dropping packets:
> ---
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28462 PROTO=ESP SPI=0x23d9d5aa
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28463 PROTO=ESP SPI=0x23d9d5aa
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28464 PROTO=ESP SPI=0x23d9d5aa
> REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00 SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51 ID=28465 PROTO=ESP SPI=0x23d9d5aa
> ----
>
> Ben
> >
> > Paul
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
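The rule-ordering problem in the quoted INPUT chain, as an added example that is not part of the thread: a first-match model of that chain shows the ESP and IKE packets reaching the MY_REJECT catch-all, and the same packets reaching their ACCEPT rules once MY_REJECT is deleted and re-appended (the `iptables -D` / `-A` pair Norman describes). The peer address and packets are constructed; the bare ACCEPT is assumed to be the usual `-i lo` rule, since `iptables -L -n` without `-v` hides interface matches (use `iptables -L -n -v --line-numbers` or `iptables-save` to see them).

```python
"""First-match model of the INPUT chain from the listing above (added example).

Rule order mirrors the `iptables -L -n` output; the MY_DROP flag checks and the
LOG rules are omitted because they never match ESP or IKE packets.
"""

PEER = "195.0.2.21"  # constructed stand-in for the 195.xxx.xxx.21 peer
POLICY = "DROP"      # chain policy, applied when no rule matches


def rule(target, **match):
    """A rule is its target plus the fields it tests; an absent field means any."""
    return {"target": target, "match": match}


INPUT_ORIGINAL = [
    rule("DROP", state="INVALID"),
    rule("ACCEPT", iface="lo"),            # assumed: -L without -v hides `-i lo`
    rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", proto="tcp", dport=80, state="NEW"),
    rule("ACCEPT", proto="tcp", dport=443, state="NEW"),
    rule("ACCEPT", proto="tcp", dport=220, state="NEW"),
    rule("MY_REJECT"),                     # catch-all: nothing below is reachable
    rule("ACCEPT", proto="esp", src=PEER),
    rule("ACCEPT", proto="udp", dport=500, state="NEW"),
]


def matches(r, pkt):
    """True when every field the rule tests agrees with the packet."""
    for field, want in r["match"].items():
        have = pkt.get(field)
        ok = have in want if isinstance(want, set) else have == want
        if not ok:
            return False
    return True


def verdict(chain, pkt):
    """Walk the chain top to bottom; the first matching rule decides."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return POLICY


def move_catchall_last(chain, target="MY_REJECT"):
    """Same effect as: iptables -D INPUT -j MY_REJECT && iptables -A INPUT -j MY_REJECT"""
    kept = [r for r in chain if not (r["target"] == target and not r["match"])]
    return kept + [rule(target)]


# Constructed packets: ESP as in the REJECT OTHER log lines, and IKE on UDP/500.
ESP_FROM_PEER = {"proto": "esp", "src": PEER, "state": "NEW", "iface": "eth1"}
IKE_FROM_PEER = {"proto": "udp", "dport": 500, "src": PEER, "state": "NEW", "iface": "eth1"}
```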