[Openswan Users] Tunneling gateway and ip_forward
mleech at nortel.com
Tue Feb 22 12:48:34 CET 2005
I've used Nate Carlsons config for roadwarriors to get a gateway machine
based on 2.3.1dr3.
I have a gateway machine that has a temporary Internet-side interface,
192.168.0.222, plugged into
a stub network consisting of a 8-port hub, and a laptop machine at
The other side of the gateway is plugged into the corporate network at
188.8.131.52, and I have
a route of 47/8 defined for the network 47 interface. The
192.168.0.222 interface is defined
as the default route.
I can setup a roadwarrior connection from the laptop (at 192.168.0.220),
and send pings intended
for addresses on network 47. Examination on the gateway indicates
that they're making it to
the gateway, and getting decapsulated, but not making it out onto the
network 47 interface.
So, I experimentally turned on ip_forward, and the packets make it out
onto network 47
like you'd expect. But I *can't* leave ip_forward turned on, because
then packets that
aren't tunneled through IPSEC will also get forwarded between
interfaces, which is
VERY VERY bad for security. Do I need to setup an iptables rule for
chain, and if so, how?
More information about the Users