[Openswan Users] openswan and firewall problems
Michael Liebl
micology at despammed.com
Thu May 26 21:07:19 CEST 2005
On Thursday, 26 May 2005, Massimo Mazzoldi wrote:
> I read about using MARK on iptables to divide encrypted allowed from not
> allowed traffic in FORWARD rules...
> ...any example on how to do this?
Something like this:
# $IPTABLES, $IPSEC_IF, $IPSEC_NET and $LOGLEVEL are assumed to be set earlier in the script.
# The commented-out lines are optional LOG rules placed in front of each ACCEPT/MARK rule.
## Allow Authenticated Traffic to Host.
# Allow ISAKMP for IPSEC. ok
#$IPTABLES -A INPUT -i $IPSEC_IF -s $IPSEC_NET -p udp --sport isakmp --dport isakmp \
#    -j LOG --log-level $LOGLEVEL --log-prefix "INPUT ISAKMP ACCEPT: "
$IPTABLES -A INPUT -i $IPSEC_IF -s $IPSEC_NET -p udp --sport isakmp --dport isakmp \
    -j ACCEPT
# Allow marked Packets to Host. ok
#$IPTABLES -A INPUT -i $IPSEC_IF -m mark --mark 3 \
#    -j LOG --log-level $LOGLEVEL --log-prefix "ESP INPUT ACCEPT: "
$IPTABLES -A INPUT -i $IPSEC_IF -m mark --mark 3 \
    -j ACCEPT
## Tag Incoming IPSec Traffic. 'mark' sticks after processing. ok
#$IPTABLES -t mangle -A PREROUTING -i $IPSEC_IF -p esp \
#    -j LOG --log-level $LOGLEVEL --log-prefix "ESP PREROUTING MARK: "
$IPTABLES -t mangle -A PREROUTING -i $IPSEC_IF -p esp \
    -j MARK --set-mark 3
Good luck.
--
<) .--. When replying by e-mail the subject must
)#=+ ' start with 'USENET', otherwise > /dev/null
/## | .+. Kind regards,
,,/###,|,,,,,,|,,,, Michael
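The same marking scheme carried into the FORWARD chain, which is what the question asked about, as an added example rather than code from the original post. It relies on the point made above that the mark set on the ESP packet in mangle/PREROUTING is still present on the decrypted packet; the interface and subnet (eth0, 10.1.0.0/24) are constructed, and IPTABLES defaults to echo so the rules are printed for review instead of being applied.

```shell
#!/bin/sh
# Added example, not from the original post. Set IPTABLES=iptables to apply
# the rules for real; by default the commands are only printed.
IPTABLES="${IPTABLES:-echo iptables}"

# ipsec_mark_rules IFACE REMOTE_NET MARK
# Marks inbound ESP, then only forwards packets from REMOTE_NET that carry
# the mark, i.e. that actually arrived inside the tunnel. Cleartext packets
# with a source address in REMOTE_NET are logged and dropped.
ipsec_mark_rules() {
    ipsec_if="$1"; ipsec_net="$2"; mark="$3"
    # 1. Tag incoming ESP; the mark survives decryption.
    $IPTABLES -t mangle -A PREROUTING -i "$ipsec_if" -p esp -j MARK --set-mark "$mark"
    # 2. Let IKE through so tunnels can be negotiated at all.
    $IPTABLES -A INPUT -i "$ipsec_if" -s "$ipsec_net" -p udp --sport isakmp --dport isakmp -j ACCEPT
    # 3. Forward only marked (decrypted) traffic from the remote subnet.
    $IPTABLES -A FORWARD -i "$ipsec_if" -s "$ipsec_net" -m mark --mark "$mark" -j ACCEPT
    # 4. Anything else claiming to be from the remote subnet did not come
    #    through the tunnel: log it, then drop it.
    $IPTABLES -A FORWARD -i "$ipsec_if" -s "$ipsec_net" -j LOG --log-prefix "FORWARD UNENCRYPTED DROP: "
    $IPTABLES -A FORWARD -i "$ipsec_if" -s "$ipsec_net" -j DROP
}

# Constructed sample values; override via IPSEC_IF / IPSEC_NET.
ipsec_mark_rules "${IPSEC_IF:-eth0}" "${IPSEC_NET:-10.1.0.0/24}" 3
```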