[Openswan Users] Netfilter/conntrack
Tomasz Grzelak
tgrzelak at wktpolska.com.pl
Fri Jan 21 07:46:05 CET 2005
On Friday 21 January 2005 00:05, Jason Sigurdur wrote:
> Hi, I have just noticed that with the following rules on my external
> interface the IPsec "ESP" packets go through the 'ESTABLISHED,RELATED' rule.
> If I comment out the lines with -p 50 and -p 51 and restart ipsec it still
> uses the 'ESTABLISHED,RELATED' rule?
>
> What is happening here?
>
> Thx jason
>
> iptables -A IN_ETHX -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A IN_ETHX ! -i eth0 -m state --state NEW -j ACCEPT
I'm not sure whether I understand you correctly, but the two lines above accept all
established and related connections, and all incoming connections except on
the eth0 interface. This also includes AH and ESP, because you did NOT
specify protocols in these two lines. So no matter what the rest of the rules say,
incoming IPsec will work (and other protocols too), but only if it does not use
the eth0 interface, because it will match the second rule. The rest of the
connections will match the first rule.
By the way, you have '! -i eth0' - shouldn't it be '-i ! eth0' ?
Tom
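An added example, not part of the thread and not Openswan code: the two rules quoted above rewritten so that IPsec is matched explicitly. The reason the poster sees ESP hitting the state rule is that netfilter's connection tracking has no special tracker for protocol 50 or 51, so it falls back to the generic tracker, which keys the flow on the address pair and protocol number alone. The first ESP packet in each direction is NEW; every later one is ESTABLISHED, so a generic `--state ESTABLISHED,RELATED` accept placed first in the chain takes the traffic before any `-p 50` rule is reached, and removing those rules changes nothing. Putting the protocol-specific rules first makes their counters meaningful and lets unknown ESP/AH be logged and dropped rather than silently accepted. The interface `eth0` and chain `IN_ETHX` come from the post; the peer address `203.0.113.5`, the `--apply` flag and the dry-run default are assumptions made for this example. On the `! -i eth0` question: both spellings were accepted by iptables of that time, and `! -i eth0` is the form current iptables still accepts.

```shell
#!/bin/sh
# Added example (not from the thread): IPsec-aware version of the quoted rules.
# Assumptions: external interface eth0 and chain IN_ETHX (from the post);
# the IPsec peer 203.0.113.5 is a constructed documentation address.
# By default the commands are only printed (dry run). Run as root with
# "--apply" to execute them for real.

IPT="${IPT:-echo iptables}"

ipsec_rules() {
    ext_if="$1"   # external interface, e.g. eth0
    chain="$2"    # chain the rules go into, e.g. IN_ETHX
    peer="$3"     # address of the IPsec peer

    # 1. IPsec from the known peer, matched by protocol and source BEFORE
    #    the generic state rule, so these counters show exactly how much
    #    ESP/AH/IKE arrives and from whom.
    $IPT -A "$chain" -i "$ext_if" -s "$peer" -p esp -j ACCEPT
    $IPT -A "$chain" -i "$ext_if" -s "$peer" -p ah -j ACCEPT
    $IPT -A "$chain" -i "$ext_if" -s "$peer" -p udp --dport 500 -j ACCEPT
    $IPT -A "$chain" -i "$ext_if" -s "$peer" -p udp --dport 4500 -j ACCEPT

    # 2. ESP/AH from anyone else on the external interface is logged and
    #    dropped here, so the state rule below can never pick it up.
    $IPT -A "$chain" -i "$ext_if" -p esp -j LOG --log-prefix "esp-unknown-peer: "
    $IPT -A "$chain" -i "$ext_if" -p esp -j DROP
    $IPT -A "$chain" -i "$ext_if" -p ah -j LOG --log-prefix "ah-unknown-peer: "
    $IPT -A "$chain" -i "$ext_if" -p ah -j DROP

    # 3. The original two rules, now only reached by traffic that is not
    #    IPsec on the external interface: replies to tracked connections,
    #    and new connections arriving on any interface except eth0.
    $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$chain" ! -i "$ext_if" -m state --state NEW -j ACCEPT
}

# Rule number (1-based position in the chain) of the first generated rule
# containing the given pattern, taken from a dry run; used to check order.
rule_pos() {
    ( IPT="echo iptables"; ipsec_rules "$1" "$2" "$3" ) \
        | grep -n -- "$4" | head -n 1 | cut -d: -f1
}

# Number of rules the function appends to the chain (dry run).
rule_count() {
    ( IPT="echo iptables"; ipsec_rules "$1" "$2" "$3" ) | grep -c 'iptables -A'
}

if [ "${1:-}" = "--apply" ]; then
    IPT=iptables
fi
ipsec_rules eth0 IN_ETHX 203.0.113.5
```

After applying, `iptables -L IN_ETHX -v -n --line-numbers` shows per-rule packet counters, so it is immediately visible whether the peer's ESP is hitting rule 1 or still falling through to the state rule.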