[Openswan Users] Firewall Issue

John Friesen johnf at clrtech.com
Wed Jul 20 16:28:31 CEST 2005


Hello,

 

I've been working on setting up a roadwarrior connection.  If I basically
allow everything through IPTables, I can get the tunnel up with no problem,
however, when I bring up the ruleset that actually includes some firewalling
(included below), I can't connect, and don't even see any error messages in
auth.log or syslog.  From my understanding, I've opened up the required
ports, however that's obviously not the case.  Can anyone point me in the
right direction?

 

Thank-you,

John Friesen

 

# Generated by iptables-save v1.2.2 on Tue Nov 20 07:03:37 2001

*mangle

:PREROUTING ACCEPT [589744:443331401]

:OUTPUT ACCEPT [36335:5003329]

COMMIT

# Completed on Tue Nov 20 07:03:37 2001

# Generated by iptables-save v1.2.2 on Tue Nov 20 07:03:37 2001

*filter

:INPUT DROP [4:248]

:FORWARD ACCEPT [546958:431886558]

:OUTPUT ACCEPT [36335:5003329]

 

-A INPUT -i lo -j ACCEPT

-A INPUT -i eth0 -j ACCEPT

-A INPUT -i eth1 -s 207.6.134.150 -d 0/0 -j ACCEPT

-A INPUT -i eth1 -p tcp -m tcp --destination-port 50 -m state --state
NEW,RELATED,ESTABLISHED

-A INPUT -i eth1 -p tcp -m tcp --destination-port 51 -m state --state
NEW,RELATED,ESTABLISHED

-A INPUT -i eth1 -p udp -m udp --destination-port 50 -m state --state
NEW,RELATED,ESTABLISHED

-A INPUT -i eth1 -p udp -m udp --destination-port 51 -m state --state
NEW,RELATED,ESTABLISHED

-A INPUT -i eth1 -p udp -m udp --destination-port 500 -m state --state
NEW,RELATED,ESTABLISHED

-A INPUT -i eth1 -p udp -m udp --destination-port 4500 -m state --state
NEW,RELATED,ESTABLISHED

-A INPUT -i eth1 -p tcp -m tcp --destination-port 22 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i eth1 -p tcp -m tcp --destination-port 10000 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i eth1 -p tcp -m tcp --destination-port 47809 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i eth1 -p udp -j REJECT --reject-with icmp-port-unreachable

-A INPUT -i eth1 -p tcp -j REJECT --reject-with tcp-reset

COMMIT

# Completed on Tue Nov 20 07:03:37 2001

# Generated by iptables-save v1.2.2 on Tue Nov 20 07:03:37 2001

*nat

:PREROUTING ACCEPT [10748:545301]

:POSTROUTING ACCEPT [2549:154045]

:OUTPUT ACCEPT [2361:146221]

-A POSTROUTING -s 192.168.100.0/24 -d 192.168.100.1 -o eth0 -j ACCEPT

-A POSTROUTING -s 192.168.100.0/24 -d 10.0.1.0/24 -o eth0 -j ACCEPT

-A POSTROUTING -s 192.168.100.0/24 -o eth1 -j MASQUERADE

COMMIT

# Completed on Tue Nov 20 07:03:37 2001

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20050720/3f81bd2f/attachment-0001.htm


More information about the Users mailing list