[Openswan Users] Iptables ESTABLISHED/RELATED

Stephen J. McCracken sjmccracky at myrealbox.com
Mon Mar 21 11:22:07 CET 2005


Chris wrote:
> What are the value of your variables like $PLUTO_INTERFACE?

These come out as the eth+ interfaces.
> 
> What is the output of IPTABLES -L?
> 
> Do you really have VPN Traffic showing as coming from EthX?  All
> mine show coming from IPSECX.  When I write rules for the VPN I
> used something like "iptables -A TABLENAME -I ipsec+ -j ACCEPT"

I am trying to use 26sec rather than KLIPS so have no ipsec interfaces
on which to hang firewalling.  I did find this thread:
http://www.gibraltar.at/pipermail/debian-openswan/2004-July/000022.html
but it basically says that there is no documentation on how to do some
of this right now.  To quote some of the reply:

>> Currently it works like this:
>> 
>> PREROUTING -> INPUT -> ESP decapsulation
>> 
>> At this point the path diverges for transport/tunnel mode packets.
>> Tunnel mode packets will reenter the stack starting from PREROUTING
>> just like a normal packet. Transport mode packets will continue
>> without going through any more netfilter tables.

So, if I understand this correctly, the tunnel mode packets *should* be 
recognized as RELATED/ESTABLISHED the second time through the tables. 
Is that correct?

> Why not try this line for your related.
> 
> iptables -I FORWARD 1 -i ipsec+ -m state --state ESTABLISHED,RELATED 
> -j ACCEPT

I don't have any ipsec+ interfaces.
> 
> I don't know why you are using -I on all your entries.  Generally I
> use -A unless I need to change the order of the rules.  The "-I
> FORWARD 1" ensures that the rule is the first rule in the chain. The
> other source and destination are not really needed unless you need to
> precisely control the access per IP Range.

I probably don't need it now and could use -A, but started trying to add
things in at the beginning of the FORWARD chain in the filter table.  I
then decided to add another chain (vpn_rules) which is statically in the
beginning of the FORWARD chain, so could easily use -A in the vpn_rules
chain.



> 
> Chris
> 
> ----- Original Message -----
> From: "Stephen J. McCracken" <sjmccracky at myrealbox.com>
> To: <users at openswan.org>
> Sent: Friday, March 18, 2005 8:42 PM
> Subject: [Openswan Users] Iptables ESTABLISHED/RELATED
> 
> 
> 
>> Trying to send this again...
>> 
>> Hello, all,
>> 
>> I am somewhat new to this, and have run into a problem.  I am 
>> working on getting a VPN up between a Linux Firewall (Openswan) and
>>  a Multitech RouteFinder.  I got everything working with a 
>> completely open VPN (using the default _updown_x509 script).  Now I
>>  am trying to tighten down the VPN to only allow some types of 
>> traffic across the VPN.  It seems to me that iptables is not
>> recognizing packets as established/related.
>> 
>> This is running on a Fedora Core 3 box with openswan-2.1.5-2.FC3.1 
>> rpm. The relevant part of the ruleset is attached below the log 
>> output.  In the logs I see the initial connection attempt (entered 
>> for debugging) and then a bunch of rejects as the replies fall
>> through the ruleset and get logged/rejected.  (I did try a search 
>> on this, but wiki.openswan.org doesn't resolve right now.)
>> 
>> Mar 18 11:32:26 lb kernel: VPN - WWW Traffic  :IN=eth0 OUT=eth3 SRC=<machine on internal vpn> DST=<machine on remote vpn> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7174 DF PROTO=TCP SPT=41666 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>> Mar 18 11:32:26 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1842 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
>> Mar 18 11:32:26 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1843 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
>> Mar 18 11:32:27 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1844 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
>> Mar 18 11:32:28 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=<machine on remote vpn> DST=<machine on internal vpn> LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1845 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
>> 
>> 
>> 
>> ------ RULESET --------
>> 
>> iptables -A FORWARD -j vpn_rules
>> iptables -A FORWARD -s $VPN_ADDRESS_RANGE -d $VPN_ADDRESS_RANGE -j LOG \
>>     --log-level debug --log-prefix "No Rule - VPN     :"
>> iptables -A FORWARD -s $VPN_ADDRESS_RANGE -d $VPN_ADDRESS_RANGE -j REJECT
>> 
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 8 \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 0 \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p tcp -m tcp \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m multiport --dports 53,389,10101 -j ACCEPT
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p tcp -m tcp \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m multiport --dports 8080,20,21,80,443,22,25,465,110,995,143,993 -j ACCEPT
>> 
>> # entered for debugging
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p tcp -m tcp \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport 80 -j LOG \
>>     --log-level debug --log-prefix "VPN - WWW Traffic  :"
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p udp -m udp \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m multiport --dports 53,123 -j ACCEPT
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 3 \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE -p icmp --icmp-type 11 \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -o $PLUTO_INTERFACE \
>>     -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m state --state ESTABLISHED,RELATED -j ACCEPT
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 8 \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 0 \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p tcp -m tcp \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m multiport --dports 53,389,10101 -j ACCEPT
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p tcp -m tcp \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m multiport --dports 8080,20,21,80,443,22,25,465,110,995,143,993 -j ACCEPT
>> 
>> # entered for debugging
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p tcp -m tcp \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK --dport 80 -j LOG \
>>     --log-level debug --log-prefix "VPN - WWW Traffic  :"
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p udp -m udp \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK --sport 1024: \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m multiport --dports 53,123 -j ACCEPT
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 3 \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE -p icmp --icmp-type 11 \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
>> 
>> iptables -I vpn_rules -i $PLUTO_INTERFACE \
>>     -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
>>     -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
>>     -m state --state ESTABLISHED,RELATED -j ACCEPT
>> 
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> 
>> 
>> 
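A small correlation script, added here as an illustration (it is not from the thread, Openswan or its _updown script), that reads kernel LOG lines like the ones quoted above and pairs each rejected "No Rule - VPN" packet with the outbound SYN it answers; that pairing is the quickest way to confirm that replies which conntrack should have tagged ESTABLISHED are falling through to the REJECT rule. The sample lines are constructed to mirror the post, with 10.1.0.5 and 10.2.0.80 standing in for the redacted "<machine on ...>" addresses.

```python
"""Correlate iptables LOG lines to find VPN replies that missed the state
match.  Constructed sample log: the two placeholder addresses replace the
redacted internal/remote hosts from the post; everything else is as logged."""
import re

SAMPLE_LOG = """\
Mar 18 11:32:26 lb kernel: VPN - WWW Traffic  :IN=eth0 OUT=eth3 SRC=10.1.0.5 DST=10.2.0.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7174 DF PROTO=TCP SPT=41666 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 11:32:26 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=10.2.0.80 DST=10.1.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1842 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
Mar 18 11:32:26 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=10.2.0.80 DST=10.1.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1843 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
Mar 18 11:32:27 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=10.2.0.80 DST=10.1.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1844 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
Mar 18 11:32:28 lb kernel: No Rule - VPN     :IN=eth3 OUT=eth0 SRC=10.2.0.80 DST=10.1.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=1845 PROTO=TCP SPT=80 DPT=41666 WINDOW=4095 RES=0x00 ACK SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S+)")          # key=value tokens of a LOG line
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}  # bare flag tokens


def parse(line):
    """Split one kernel LOG line into its --log-prefix, key=value fields
    and the set of bare TCP/IP flag tokens."""
    head, _, rest = line.partition(":IN=")
    rest = "IN=" + rest
    fields = dict(FIELD.findall(rest))
    fields["flags"] = {tok for tok in rest.split() if tok in FLAGS}
    fields["prefix"] = head.split("kernel: ", 1)[1].strip()
    return fields


def rejected_replies(log):
    """Return (ID, IN, OUT, original 4-tuple) for every rejected packet that
    answers a previously logged outbound SYN, i.e. a packet conntrack should
    have classified as ESTABLISHED rather than letting it reach REJECT."""
    seen = {}      # (src, sport, dst, dport) of each logged new connection
    findings = []
    for line in log.splitlines():
        if ":IN=" not in line:
            continue
        p = parse(line)
        if p.get("PROTO") != "TCP":
            continue
        key = (p["SRC"], p["SPT"], p["DST"], p["DPT"])
        if "SYN" in p["flags"] and "ACK" not in p["flags"]:
            seen[key] = p                 # connection opener, remember it
            continue
        reverse = (p["DST"], p["DPT"], p["SRC"], p["SPT"])
        if p["prefix"].startswith("No Rule") and reverse in seen:
            findings.append((p["ID"], p["IN"], p["OUT"], reverse))
    return findings


if __name__ == "__main__":
    for ident, ifin, ifout, conn in rejected_replies(SAMPLE_LOG):
        print(f"ID={ident} {ifin}->{ifout}: rejected reply to {conn}")
```

Every "No Rule" hit here is the SYN/ACK for the logged SYN, retransmitted until the client gives up, which is exactly the symptom of the state match not seeing the decrypted reply as part of the tracked connection.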



More information about the Users mailing list