[Openswan Users] how to make an iptables rule based on the ipsec interface, when the interface ipsec+ doesn't exist in kernel 2.6

foren titze foren.titze at gmx.net
Fri Jul 8 15:44:10 CEST 2005


Now I have solved my problem with
"ping into subnet behind my vpn-gateway with a linux-linux tunnel".
It was an iptables rule that was dropping all incoming traffic from eth0
(external) to eth1 (internal).

This is my firewall for the VPN gateway:
#! /bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

# eth0 extern 195.xxx.xxx.22
# eth1 intern

iptables -F
iptables -F -t nat
iptables -X

# accept L2TP (udp/1701) only when it arrives on an ipsec interface
iptables -I INPUT -p udp --dport 1701 ! -i ipsec+ -j DROP

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s -o eth1 -j MASQUERADE

# forward decrypted tunnel traffic between the ipsec interfaces and both LANs
iptables -A FORWARD -i ipsec+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ipsec+ -j ACCEPT
iptables -A FORWARD -i ipsec+ -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o ipsec+ -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -j DROP
#iptables -A FORWARD -i eth0 -o eth1 -j DROP #blocking traffic shown above

#iptables -t nat -A PREROUTING -i ipsec+ -j DNAT --to-destination

ipsec setup --restart

What next? How can I block this dangerous traffic?
And how is it possible to masquerade the traffic that comes from ipsec0
(through the tunnel) and wants to go into my subnet?
The packet arrives at any machine in the subnet but with its external IP. So
the machine sends the data back to this host over its own default gateway.
14:29:25.274135 IP > icmp 64: echo request seq 
14:29:25.274170 IP > icmp 64: echo reply seq 
14:29:26.273128 IP > icmp 64: echo request seq 
14:29:26.273156 IP > icmp 64: echo reply seq 
14:29:27.275040 IP > icmp 64: echo request seq 
14:29:27.275076 IP > icmp 64: echo reply seq 

Can anybody help me?
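For the kernel 2.6 case in the subject line: with the native NETKEY stack there is no ipsec0/ipsec+ device, so `-i ipsec+` matches no packet at all and `! -i ipsec+` matches every packet, which would drop all L2TP traffic. The following is an added example, not the poster's script and not code from Openswan, that expresses the same intent with the iptables `policy` match (xt_policy), which matches on whether a packet was, or is about to be, protected by an IPsec SA. eth0/eth1 are taken from the post; REMOTE_NET=10.0.2.0/24 is an assumed placeholder for the subnet behind the far gateway. Set DRY_RUN=1 to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: NETKEY (kernel 2.6) equivalents of the ipsec+ rules above.
# Assumed values: EXT=eth0, INT=eth1, REMOTE_NET=10.0.2.0/24 (far-end LAN).
set -e

EXT="${EXT:-eth0}"
INT="${INT:-eth1}"
REMOTE_NET="${REMOTE_NET:-10.0.2.0/24}"   # assumed remote LAN behind the tunnel
IPT="${IPT:-iptables}"

# With DRY_RUN set, print each rule instead of loading it into the kernel.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Identify tunnel traffic by IPsec policy, since NETKEY has no
# ipsec0/ipsec+ device for -i/-o to match.
tunnel_rules() {
    # IKE, NAT-T and ESP are addressed to the gateway itself (INPUT).
    ipt -A INPUT -i "$EXT" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$EXT" -p udp --dport 4500 -j ACCEPT
    ipt -A INPUT -i "$EXT" -p esp -j ACCEPT

    # L2TP (udp/1701) only when it arrived inside an IPsec SA. Without an
    # ipsec+ device, '! -i ipsec+' would match every packet and drop it all.
    ipt -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    ipt -A INPUT -p udp --dport 1701 -j DROP

    # Replaces '-i ipsec+' (already decrypted) and '-o ipsec+' (to be encrypted).
    ipt -A FORWARD -m policy --dir in --pol ipsec --proto esp -o "$INT" -j ACCEPT
    ipt -A FORWARD -m policy --dir out --pol ipsec --proto esp -i "$INT" -j ACCEPT

    # Plain, unencrypted forwarding between outside and inside stays blocked.
    ipt -A FORWARD -i "$EXT" -o "$INT" -j DROP
    ipt -A FORWARD -i "$INT" -o "$EXT" -j DROP
}

nat_rules() {
    # Masquerade the LAN towards the Internet, but exempt packets that are
    # about to be encrypted: with NETKEY, nat POSTROUTING runs before the
    # packet enters the SA, so an unconditional MASQUERADE on eth0 would
    # rewrite the inner source address and break the tunnel.
    ipt -t nat -A POSTROUTING -o "$EXT" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE

    # Hide remote tunnel hosts behind the gateway's eth1 address, so LAN hosts
    # answer to the gateway even when it is not their default gateway.
    ipt -t nat -A POSTROUTING -s "$REMOTE_NET" -o "$INT" -j MASQUERADE
}

all_rules() {
    tunnel_rules
    nat_rules
}

# Usage:  DRY_RUN=1 APPLY=1 sh netkey-rules.sh   (print the rules)
#         APPLY=1 sh netkey-rules.sh             (load them, as root)
if [ -n "$APPLY" ]; then
    all_rules
fi
```

The last MASQUERADE answers the "reply goes out over its own default gateway" symptom, but at a cost: internal hosts then see every tunnel peer as the gateway's eth1 address in their logs and access controls. The cleaner fix is a static route for the remote subnet on the internal hosts (or making the VPN gateway their default gateway) and no source NAT on the tunnel at all. Note that `--dir in` is only valid in PREROUTING, INPUT and FORWARD, and `--dir out` only in FORWARD, OUTPUT and POSTROUTING, which is why the inbound tunnel match cannot be placed directly in nat POSTROUTING.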


