[Openswan Users]
Help a NOOB!!! Linux Firewall issues with Fedora 4 and OpenSWan
Pat Fricke
sales at prfhome.com
Thu Dec 29 13:20:12 CET 2005
Using Fedora Core 4, Linux Firewall and Open Swan 2.4.4
Long and short of it is I have a tunnel established by a road warrior
LinkSys router, but the workstations cannot connect to the SAMBA shares. Both
the secure log on the Fedora box and the LinkSys router show the tunnel is
connected (STATE_QUICK_R2: IPsec SA established {ESP=>0xadec39d6 <0x77944d7f
xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}).
I have read all that I can find but somehow am missing a key point
somewhere. I am assuming the problem is in the firewall but I don't know for
sure. Here is my iptables.
Can someone PLEASE help.
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p gre -i eth0 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth0 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A INPUT -i ipsec0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 113 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --sport 1723 -j ACCEPT
-A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
-A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
-A OUTPUT -p 50 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o ipsec0 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --sport 3500:4000 --state NEW -j ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed
and my ipsec.conf
version 2
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
# sample VPN connection
conn %default
    authby=secret
conn vpn
    # left and leftid: real world ip; leftnexthop: real world gateway ip
    left=xxx.xxx.xxx.xxx
    leftid=xxx.xxx.xxx.xxx
    leftnexthop=xxx.xxx.xxx.xxx
    right=%any
    rightnexthop=%defaultroute
    rightsubnet=192.168.0.0/24
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    pfs=yes
    compress=no
    auto=add
include /etc/ipsec.d/examples/no_oe.conf
Thank you,
Pat R. Fricke
PRF Enterprises
(503)520-9757
sales at prfhome.com
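Editor's note, added example (this is not code from the original post, from Openswan, or from any reply on the list): the rule set above accepts anything arriving on `ipsec0`, but that interface only exists when Openswan runs on the KLIPS stack. On the kernel's native stack (NETKEY), decrypted packets re-enter the INPUT chain on `eth0`, where the `RH-Lokkit-0-50-INPUT` chain rejects every TCP and UDP port below 1024, which covers SMB (139/445) and NetBIOS (137/138). The script below models a subset of the posted INPUT rules as a first-match walk and compares them with a hypothetical accept rule scoped to decrypted traffic from the remote LAN. Assumptions not stated in the post: NETKEY is in use; every TCP packet is a connection SYN; the iptables build has the `policy` match (`-m policy --dir in --pol ipsec`); the packet addresses and the rule subset are constructed for the example.

```python
"""Added example: first-match evaluator for a subset of the posted INPUT rules.
Assumes NETKEY (decrypted packets re-enter INPUT on eth0, no ipsec0 interface),
that TCP packets are SYNs, and that iptables has the xt_policy match."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str              # "tcp", "udp", "esp", ...
    iface: str              # interface the packet is seen on in INPUT
    src: str                # source IP as seen after decapsulation
    dport: int = 0
    sport: int = 0
    ipsec_in: bool = False  # True if it arrived inside an inbound IPsec SA


# Constructed subset of the posted INPUT rules, kept in their original order.
RULES_BEFORE = """
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A INPUT -i ipsec0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
"""

# Hypothetical fix: accept only packets the kernel verified came in through an
# IPsec SA *and* that originate from the remote LAN, placed before the jump to
# the Lokkit chain (iptables stops at the first matching terminal rule).
POLICY_RULE = "-A INPUT -s 192.168.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT"
JUMP = "-A INPUT -j RH-Lokkit-0-50-INPUT"
RULES_AFTER = RULES_BEFORE.replace(JUMP, POLICY_RULE + "\n" + JUMP)

BUILTIN_POLICY = {"INPUT": "ACCEPT"}   # ":INPUT ACCEPT [0:0]" in the dump


def parse_rule(toks):
    """Tokens after '-A <chain>' -> match dict; unmodelled options are skipped."""
    r = {"target": None, "proto": None, "iface": None, "src": None,
         "dport": None, "sport": None, "pol_ipsec": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t == "-p":
            r["proto"] = arg.lower()
        elif t == "-i":
            r["iface"] = arg
        elif t == "-s":
            r["src"] = ipaddress.ip_network(arg, strict=False)
        elif t in ("--dport", "--sport"):
            lo, _, hi = arg.partition(":")
            r[t[2:]] = (int(lo), int(hi or lo))
        elif t == "--pol":
            r["pol_ipsec"] = arg == "ipsec"
        elif t == "-j":
            r["target"] = arg
        elif t == "--syn":           # flag without an argument
            i += 1
            continue
        i += 2                       # -m, -d, --dir, --state: skip with argument
    return r


def parse(dump):
    """Group '-A' lines by chain, preserving order, as iptables-restore does."""
    chains = {}
    for line in dump.strip().splitlines():
        toks = line.split()
        if toks[:1] == ["-A"]:
            chains.setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return chains


def rule_matches(r, pkt):
    if r["proto"] and r["proto"] != pkt.proto:
        return False
    if r["iface"] and r["iface"] != pkt.iface:
        return False
    if r["src"] and ipaddress.ip_address(pkt.src) not in r["src"]:
        return False
    for k in ("dport", "sport"):
        if r[k] and not (r[k][0] <= getattr(pkt, k) <= r[k][1]):
            return False
    if r["pol_ipsec"] and not pkt.ipsec_in:
        return False
    return True


def verdict(chains, pkt, chain="INPUT"):
    """First-match walk; a user chain with no match implicitly RETURNs."""
    for r in chains.get(chain, []):
        if not rule_matches(r, pkt):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        sub = verdict(chains, pkt, r["target"])
        if sub is not None:
            return sub
    return BUILTIN_POLICY.get(chain)


# Constructed packets: SMB/NetBIOS SYNs from a remote-LAN workstation as seen
# after NETKEY decapsulation (eth0), the same under KLIPS (ipsec0), and an SMB
# SYN straight from the Internet that must stay blocked in both rule sets.
SMB_NETKEY = Packet("tcp", "eth0", "192.168.0.10", dport=445, ipsec_in=True)
SMB_KLIPS = Packet("tcp", "ipsec0", "192.168.0.10", dport=445, ipsec_in=True)
SMB_INTERNET = Packet("tcp", "eth0", "203.0.113.5", dport=445)
NETBIOS_NETKEY = Packet("udp", "eth0", "192.168.0.10", dport=137, ipsec_in=True)


def report():
    """Verdict per packet under the posted rules and under the hypothetical fix."""
    before, after = parse(RULES_BEFORE), parse(RULES_AFTER)
    cases = [("smb via NETKEY", SMB_NETKEY), ("smb via KLIPS", SMB_KLIPS),
             ("smb from Internet", SMB_INTERNET),
             ("netbios-ns via NETKEY", NETBIOS_NETKEY)]
    return {name: (verdict(before, p), verdict(after, p)) for name, p in cases}


if __name__ == "__main__":
    for name, (b, a) in report().items():
        print(f"{name:22} posted rules: {b:7} with policy match: {a}")
```

The same NETKEY behaviour affects the `MASQUERADE` rule in the nat table: with no `ipsec0` interface, traffic bound for the remote LAN also leaves on `eth0` and gets source-NATed before encryption unless an earlier POSTROUTING rule such as `-m policy --dir out --pol ipsec -j ACCEPT` exempts it. Neither adjustment is needed under KLIPS, which is why the same rule set can work on one machine and fail on another.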