[Openswan Users]

foren titze foren.titze at gmx.net
Tue Aug 30 14:55:40 CEST 2005


On Tuesday, 30 August 2005 13:44, Norman Rasmussen wrote:
> your MY_REJECT drop all line is getting hit _before_ the ACCEPT lines for
> ipsec.
>
> i.e. you need to delete and reinsert the MY_REJECT target at the end
> of the INPUT table so that it happens last.
>

OK. That's it. For next time: iptables matches the first line and takes it as 
the given rule.
> On 30/08/05, foren titze <foren.titze at gmx.net> wrote:
> > On Tuesday, 30 August 2005 13:16, Paul Wouters wrote:
> > > On Tue, 30 Aug 2005, foren titze wrote:
> > > > Then I try to open the ports you gave me.
> > >
> > > Those are not ports but protocols. eg not "-p tcp --dport 50" but "-p
> > > 50"
> >
> > 3ast tmp # iptables -L -n
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > LOG        all  --  0.0.0.0/0            0.0.0.0/0           state
> > INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `INPUT
> > INVALID '
> > DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
> > MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> > flags:0x3F/0x00
> > MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> > flags:0x03/0x03
> > MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> > flags:0x06/0x06
> > MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> > flags:0x05/0x05
> > MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> > flags:0x11/0x01
> > MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> > flags:0x18/0x08
> > MY_DROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> > flags:0x30/0x20
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> > RELATED,ESTABLISHED
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW
> > tcp dpt:80
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW
> > tcp dpt:443
> > ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW
> > tcp dpt:220
> > MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
> > ACCEPT     esp  --  195.xxx.xxx.21       0.0.0.0/0
> > ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW
> > udp dpt:500
> >
> > Chain FORWARD (policy DROP)
> > target     prot opt source               destination
> >
> > Chain MY_DROP (7 references)
> > target     prot opt source               destination
> > LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg
> > 2/sec burst 5 LOG flags 0 level 4 prefix `PORTSCAN DROP '
> > DROP       all  --  0.0.0.0/0            0.0.0.0/0
> >
> > Chain MY_REJECT (2 references)
> > target     prot opt source               destination
> > LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg
> > 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT TCP '
> > REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with
> > tcp-reset
> > LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg
> > 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT UDP '
> > REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with
> > icmp-port-unreachable
> > LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg
> > 2/sec burst 5 LOG flags 0 level 4 prefix `DROP ICMP '
> > DROP       icmp --  0.0.0.0/0            0.0.0.0/0
> > LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg
> > 2/sec burst 5 LOG flags 0 level 4 prefix `REJECT OTHER '
> > REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with
> > icmp-proto-unreachable
> >
> > Chain OUTPUT (policy DROP)
> > target     prot opt source               destination
> > LOG        all  --  0.0.0.0/0            0.0.0.0/0           state
> > INVALID limit: avg 2/sec burst 5 LOG flags 0 level 4 prefix `OUTPUT
> > INVALID '
> > DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> > NEW,RELATED,ESTABLISHED
> > MY_REJECT  all  --  0.0.0.0/0            0.0.0.0/0
> >
> > I don't use AH. The kernel module ipt_esp is loaded.
> > But iptables is still dropping packets:
> > ---
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51
> > ID=28462 PROTO=ESP SPI=0x23d9d5aa
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51
> > ID=28463 PROTO=ESP SPI=0x23d9d5aa
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51
> > ID=28464 PROTO=ESP SPI=0x23d9d5aa
> > REJECT OTHER IN=eth1 OUT= MAC=00:20:ed:8f:9b:c5:00:d0:02:76:63:fc:08:00
> > SRC=195.xxx.xxx.21 DST=134.147.130.30 LEN=120 TOS=0x00 PREC=0x00 TTL=51
> > ID=28465 PROTO=ESP SPI=0x23d9d5aa
> > ----
> >
> > Ben
> >
> > > Paul
> >
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
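An added example, not part of the thread: a small first-match simulation of the INPUT chain quoted above, showing why the ESP packets logged as "REJECT OTHER" hit the MY_REJECT catch-all before the "ACCEPT esp" rule, and that deleting and re-appending MY_REJECT (Norman's fix) lets them through. The Packet and Rule classes are hypothetical; the "ACCEPT all" rule with no visible match is assumed to be interface-bound (iptables -L without -v hides -i) and is left out.

```python
# Added example (not from the thread): first-match evaluation of the poster's
# INPUT chain, before and after moving the MY_REJECT catch-all to the end.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:          # hypothetical model of what the INPUT chain sees
    proto: str         # "tcp", "udp", "esp", ...
    src: str
    state: str = "NEW"           # conntrack state: NEW, RELATED, ESTABLISHED, INVALID
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:            # hypothetical model of one iptables rule
    target: str
    proto: str = "all"           # "all" matches every protocol
    src: str = "0.0.0.0/0"       # only exact source or 0.0.0.0/0 is modelled
    state: Optional[str] = None  # comma-separated list, as in --state
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and (self.src == "0.0.0.0/0" or self.src == p.src)
                and (self.state is None or p.state in self.state.split(","))
                and (self.dport is None or self.dport == p.dport))


def evaluate(chain, p: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule decides (MY_REJECT is a user
    chain, but every path inside it ends in REJECT/DROP, so treat it as final)."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy


# Tail of the quoted INPUT chain, in the order iptables -L printed it.
# The MY_DROP flag rules are tcp-only and never match an ESP packet, so omitted.
BROKEN_INPUT = [
    Rule("ACCEPT", state="RELATED,ESTABLISHED"),
    Rule("ACCEPT", "tcp", state="NEW", dport=80),
    Rule("ACCEPT", "tcp", state="NEW", dport=443),
    Rule("ACCEPT", "tcp", state="NEW", dport=220),
    Rule("MY_REJECT"),                              # catch-all, placed too early
    Rule("ACCEPT", "esp", src="195.xxx.xxx.21"),    # never reached for ESP
    Rule("ACCEPT", "udp", state="NEW", dport=500),  # IKE, never reached either
]


def move_catchall_last(chain, target="MY_REJECT"):
    """Same effect as 'iptables -D INPUT -j MY_REJECT; iptables -A INPUT -j MY_REJECT'."""
    return [r for r in chain if r.target != target] + [r for r in chain if r.target == target]


ESP_FROM_PEER = Packet("esp", "195.xxx.xxx.21")   # the packet in the REJECT OTHER log lines
```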

