[Openswan Users] openswan behind iptables

Beat Zahnd beat.zahnd at phim.unibe.ch
Fri Jul 29 11:57:21 CEST 2005


rob at mokkinksystems.com wrote:

> Hi,
> 
> I think of modifying my firewall script.
> Does anyone have experience with ipsec/l2tp behind a firewall?
> And can someone post me some example rules?

You have to allow proto 50 (esp) and udp port 500.

My firewall script is based on the Security-Quickstart-HOWTO:

> http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/firewalls.html#FILTERS

I just added 2 additional lines:

> IPTABLES=/sbin/iptables
> WAN_IFACE="eth0"
> 
> # Any and all addresses from anywhere.
> ANYWHERE="0/0"
> 
> $IPTABLES -F  
> 
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P INPUT DROP
> 
> $IPTABLES -A INPUT -i lo -j ACCEPT
> 
> $IPTABLES -A INPUT  -p icmp  --icmp-type echo-reply \
>    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
> $IPTABLES -A INPUT  -p icmp  --icmp-type destination-unreachable \
>    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
> $IPTABLES -A INPUT  -p icmp  --icmp-type time-exceeded \
>    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT

> $IPTABLES -A INPUT -p esp -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 500 -s $ANYWHERE -i $WAN_IFACE -j ACCEPT

> 
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
> $IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
> 
> echo "Iptables firewall is up `date`."
> 
> ##-- eof iptables.sh
> 

Otherwise, man iptables is very helpful.


Beat

-- 
Beat ZAHND
Physics Institute
University of Bern                   phone  +41 31 631 3466
Sidlerstrasse 5                      fax    +41 31 631 4405
CH-3012 Bern (Switzerland)  mailto:beat.zahnd at phim.unibe.ch
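Added example (not part of the post above): the two rules Beat added, generalized to the ipsec/l2tp case rob asked about. It assumes the WAN interface is eth0 and runs as a dry run (IPTABLES defaults to "echo iptables"); the extra lines are UDP 4500 for NAT-T and UDP 1701 accepted only when the iptables policy match confirms the packet arrived inside an IPsec SA, so plaintext L2TP from the WAN still falls through to the DROP policy.

```shell
#!/bin/sh
# Dry run by default: set IPTABLES=/sbin/iptables to actually apply the rules.
IPTABLES="${IPTABLES:-echo iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"   # assumed WAN interface name

ipsec_input_rules() {
  # IKE (ISAKMP) on udp/500 and ESP (IP protocol 50): the two lines from the post
  $IPTABLES -A INPUT -p udp --dport 500 -i "$WAN_IFACE" -j ACCEPT
  $IPTABLES -A INPUT -p esp -i "$WAN_IFACE" -j ACCEPT
  # NAT-Traversal: IKE and UDP-encapsulated ESP move to udp/4500 when a NAT is in the path
  $IPTABLES -A INPUT -p udp --dport 4500 -i "$WAN_IFACE" -j ACCEPT
  # L2TP (udp/1701) only if the packet was just decapsulated from an ESP SA;
  # without the policy match, unencrypted L2TP from the Internet would be accepted
  $IPTABLES -A INPUT -p udp --dport 1701 -i "$WAN_IFACE" \
    -m policy --dir in --pol ipsec --proto esp -j ACCEPT
}

ipsec_input_rules
```

These rules go where the post places the esp/udp 500 lines, before the ESTABLISHED,RELATED rule, with the INPUT policy left at DROP.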

