[Openswan Users] Iptables ESTABLISHED/RELATED

Stephen J. McCracken sjmccracky at myrealbox.com
Fri Mar 18 21:42:33 CET 2005


Trying to send this again...

Hello, all,

I am somewhat new to this, and have run into a problem.  I am working on
getting a VPN up between a Linux firewall (Openswan) and a Multitech
RouteFinder.  I got everything working with a completely open VPN (using
the default _updown_x509 script).  Now I am trying to tighten down the
VPN to only allow some types of traffic across the VPN.  It seems to me
that iptables is not recognizing packets as established/related.

This is running on a Fedora Core 3 box with the openswan-2.1.5-2.FC3.1 rpm.
The relevant part of the ruleset is attached below the log output.  In
the logs I see the initial connection attempt (entered for debugging)
and then a bunch of rejects as the replies fall through the ruleset and
get logged/rejected.  (I did try a search on this, but wiki.openswan.org
doesn't resolve right now.)

Mar 18 11:32:26 lb kernel: VPN - WWW Traffic  :IN=eth0 OUT=eth3 SRC=<machine on internal vpn> DST=<machine on remote vpn> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7174 DF PROTO=TCP SPT=41666 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 11:32:26 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1842 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
Mar 18 11:32:26 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1843 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
Mar 18 11:32:27 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1844 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
Mar 18 11:32:28 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1845 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0



------ RULESET --------

# FORWARD chain: hand VPN traffic to vpn_rules, then log and reject whatever falls through
iptables -A FORWARD -j vpn_rules
iptables -A FORWARD -s $VPN_ADDRESS_RANGE -d $VPN_ADDRESS_RANGE -j LOG \
    --log-level debug --log-prefix "No Rule - VPN     :"
iptables -A FORWARD -s $VPN_ADDRESS_RANGE -d $VPN_ADDRESS_RANGE -j REJECT


# Outbound (my client net -> peer client net), inserted from the _updown script
iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 8 \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 0 \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -o $PLUTO_INTERFACE -p tcp -m tcp \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m multiport --dports 53,389,10101 -j ACCEPT

iptables -I vpn_rules -o $PLUTO_INTERFACE -p tcp -m tcp \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m multiport --dports 8080,20,21,80,443,22,25,465,110,995,143,993 -j ACCEPT

# entered for debugging
iptables -I vpn_rules -o $PLUTO_INTERFACE -p tcp -m tcp \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport 80 -j LOG \
    --log-level debug --log-prefix "VPN - WWW Traffic  :"

iptables -I vpn_rules -o $PLUTO_INTERFACE -p udp -m udp \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m multiport --dports 53,123 -j ACCEPT

iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 3 \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 11 \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -o $PLUTO_INTERFACE \
    -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

# Inbound (peer client net -> my client net), mirror of the rules above
iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 8 \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 0 \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -i $PLUTO_INTERFACE -p tcp -m tcp \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m multiport --dports 53,389,10101 -j ACCEPT

iptables -I vpn_rules -i $PLUTO_INTERFACE -p tcp -m tcp \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m multiport --dports 8080,20,21,80,443,22,25,465,110,995,143,993 -j ACCEPT

# entered for debugging
iptables -I vpn_rules -i $PLUTO_INTERFACE -p tcp -m tcp \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport 80 -j LOG \
    --log-level debug --log-prefix "VPN - WWW Traffic  :"

iptables -I vpn_rules -i $PLUTO_INTERFACE -p udp -m udp \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m multiport --dports 53,123 -j ACCEPT

iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 3 \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 11 \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

iptables -I vpn_rules -i $PLUTO_INTERFACE \
    -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

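A small diagnostic for the symptom in this post, added here as an example and not part of the original message or of Openswan: it parses the kernel LOG lines in the format shown above, pairs each logged outbound SYN with reverse-direction packets that hit the "No Rule - VPN" prefix, and reports the SYN/ACK replies that were not accepted as ESTABLISHED. The sample lines are constructed from the post's output with RFC 5737 addresses substituted for the placeholders.

```python
import re

# Constructed sample in the format of the kernel LOG output quoted above;
# the <machine on ...> placeholders are replaced with documentation addresses.
SAMPLE_LOG = """\
Mar 18 11:32:26 lb kernel: VPN - WWW Traffic  :IN=eth0 OUT=eth3 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7174 DF PROTO=TCP SPT=41666 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 11:32:26 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1842 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
Mar 18 11:32:27 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1843 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
"""

# --log-prefix text, then the KEY=VALUE fields starting at IN=
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?):(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return (prefix, {field: value}, {flags}) or None if not an iptables LOG line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)  # bare tokens such as DF, SYN, ACK
    return m.group("prefix").strip(), fields, flags


def find_rejected_replies(log_text, reject_prefix="No Rule - VPN"):
    """Pair each logged outbound SYN with reverse-direction TCP packets that hit
    the reject-log rule. A SYN/ACK landing there means conntrack/state matching
    did not accept the reply as ESTABLISHED, which is the symptom in the post.
    Returns a list of (IP ID, IN, OUT, (SRC, SPT, DST, DPT)) for each such reply."""
    syns, rejected = {}, []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None or parsed[1].get("PROTO") != "TCP":
            continue
        prefix, f, flags = parsed
        key = (f["SRC"], f["SPT"], f["DST"], f["DPT"])
        if "SYN" in flags and "ACK" not in flags:
            syns[key] = prefix  # connection attempt, keyed by 4-tuple
        elif prefix == reject_prefix and (f["DST"], f["DPT"], f["SRC"], f["SPT"]) in syns:
            rejected.append((f["ID"], f["IN"], f["OUT"], key))
    return rejected


if __name__ == "__main__":
    for ident, iface_in, iface_out, tup in find_rejected_replies(SAMPLE_LOG):
        print(f"reply ID={ident} {iface_in}->{iface_out} {tup} rejected instead of ESTABLISHED")
```

Run it against the real `dmesg` or `/var/log/messages` output with the same `--log-prefix` strings; anything it reports is a reply that fell past the `-m state --state ESTABLISHED,RELATED` rule in the ruleset above.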