[Openswan Users]
how to make an iptables rule based on ipsec interface, when interface ipsec+ doesn't exist in kernel 2.6
foren titze
foren.titze at gmx.net
Fri Jul 8 15:44:10 CEST 2005
Hello,
now I have solved my problem with
"ping into subnet behind my vpn-gateway with a linux-linux tunnel".
It was an iptables rule that was dropping all incoming traffic from eth0
(external) to eth1 (internal).
This is my firewall script for the vpn-gateway:
--------------------------------------------------
#! /bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
# eth0 extern 195.xxx.xxx.22
# eth1 intern 192.168.121.140
# flush all chains (filter and nat tables) and delete user-defined chains
iptables -F
iptables -F -t nat
iptables -X
# L2TP (udp/1701) is only accepted when it arrives through the tunnel
iptables -I INPUT -p udp --dport 1701 ! -i ipsec+ -j DROP
iptables -t nat -A POSTROUTING -s 192.168.121.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.121.0/24 -o eth1 -j MASQUERADE
# forwarding between the tunnel interface and the external/internal side
iptables -A FORWARD -i ipsec+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ipsec+ -j ACCEPT
iptables -A FORWARD -i ipsec+ -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o ipsec+ -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j DROP
#iptables -A FORWARD -i eth0 -o eth1 -j DROP  # blocked the tunnel traffic shown above
#iptables -t nat -A PREROUTING -i ipsec+ -j DNAT --to-destination 192.168.121.140
ipsec setup --restart
-----------------------------------
What next? How can I block this dangerous traffic?
And how is it possible to masquerade the traffic that comes from ipsec0
(through the tunnel) and wants into my subnet?
The packet arrives at a machine in the subnet, but with its external IP. So
the machine sends the data back to this host over its own default gateway.
-------------
14:29:25.274135 IP 134.147.130.30 > 192.168.121.202: icmp 64: echo request seq 168
14:29:25.274170 IP 192.168.121.202 > 134.147.130.30: icmp 64: echo reply seq 168
14:29:26.273128 IP 134.147.130.30 > 192.168.121.202: icmp 64: echo request seq 169
14:29:26.273156 IP 192.168.121.202 > 134.147.130.30: icmp 64: echo reply seq 169
14:29:27.275040 IP 134.147.130.30 > 192.168.121.202: icmp 64: echo request seq 170
14:29:27.275076 IP 192.168.121.202 > 134.147.130.30: icmp 64: echo reply seq 170
-----------
Can anybody help me?
THX Ben
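The problem in the script above, when Openswan runs on the kernel's native 2.6 IPsec stack (NETKEY) rather than KLIPS, is that no ipsec+ interface ever exists: every rule with "-i ipsec+" or "-o ipsec+" is dead, decrypted tunnel packets re-enter the stack on eth0 looking like cleartext arrivals, and so the "-i eth0 -o eth1 -j DROP" rule drops the tunnel. Commenting that rule out, with rp_filter on eth0 disabled as well, forwards any unencrypted packet from the Internet into the internal net. The iptables "policy" match tells the two cases apart. The following firewall script is an added example for that situation and is not from the original post or from Openswan; it assumes the same interface layout (eth0 external, eth1 internal 192.168.121.140), a hypothetical far-side network REMOTE_NET, a kernel and iptables with the policy match (in mainline since about 2.6.16, earlier as a patch-o-matic module), and it uses a DRY_RUN switch of its own so the generated rules can be reviewed without touching the kernel. It also answers the masquerading question the way the policy match allows it: decrypted packets are marked in PREROUTING and SNATed to the gateway's internal address on the way out of eth1.

```shell
#!/bin/bash
# Added example (not from the original post): NETKEY-style gateway firewall.
# IPsec traffic is identified with "-m policy" instead of the ipsec+ interface.
#
# Assumed values (adjust to your site):
#   eth0 = external, eth1 = internal 192.168.121.140
#   REMOTE_NET = the network on the far side of the tunnel (rightsubnet)
set -eu

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.121.0/24}
GW_INT_IP=${GW_INT_IP:-192.168.121.140}
REMOTE_NET=${REMOTE_NET:-134.147.130.30/32}   # hypothetical far-side network
DRY_RUN=${DRY_RUN:-}

# ipt: run iptables, or print the rule when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F
    ipt -F -t nat
    ipt -F -t mangle
    ipt -X
    ipt -P FORWARD DROP

    # The gateway itself must receive IKE, NAT-T and ESP on the outside.
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    # L2TP only when it arrived inside IPsec (replaces "! -i ipsec+").
    ipt -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
    ipt -A INPUT -p udp --dport 1701 -j DROP

    # Replies to connections already allowed in either direction.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Decrypted tunnel packets enter on eth0 like cleartext would; accept them
    # by IPsec policy BEFORE the cleartext eth0->eth1 block.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m policy --dir in --pol ipsec -j ACCEPT
    # Internal hosts may send into the tunnel (encrypted on the way out).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -d "$REMOTE_NET" -m policy --dir out --pol ipsec -j ACCEPT
    # Everything else between the two sides is cleartext and is dropped.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j DROP

    # NAT: never masquerade a packet that is about to be encrypted, or its
    # rewritten source no longer matches the tunnel's selectors.
    ipt -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE

    # Optional: make tunnel traffic appear to come from the gateway's internal
    # address so subnet hosts answer it directly. "--dir in" is not available in
    # POSTROUTING, so mark decrypted packets in PREROUTING and SNAT by mark.
    ipt -t mangle -A PREROUTING -i "$EXT_IF" -m policy --dir in --pol ipsec -j MARK --set-mark 1
    ipt -t nat -A POSTROUTING -o "$INT_IF" -m mark --mark 1 -j SNAT --to-source "$GW_INT_IP"
}

case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) DRY_RUN=1; apply_rules ;;
esac
```

Run it with --dry-run first and read the output; the sysctl settings from the original script (ip_forward, rp_filter, proxy_arp) are unchanged and are not repeated here. The SNAT at the end is a workaround: it hides the real remote address from the internal hosts' logs, so the cleaner fix for the ping-reply problem is to give the subnet hosts a route for the remote network via 192.168.121.140 (or make the VPN gateway their default gateway). With KLIPS and a real ipsec0 interface, the interface-based rules in the original script remain the right approach.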