[Openswan Users] Nat'd XP L2TP client + iptables Nat'd

Jason Cullip jcullip at gmail.com
Fri Aug 25 15:57:02 EDT 2006


When connecting via XP L2TP client I'm able to establish the connection and
ping the leftnexthop address, however I'm not able to get beyond this point
on our network. If I stop iptables I'm able to gain access via the client
to anywhere on the internal network. One then assumes I have an iptables
rule dropping the packets at some point. Any help figuring out why the
packets are being dropped would be appreciated. If you need more
information than the iptables rules that follow, please let me know. Here is
a chunk of the iptables ruleset I'm using:

#Allow VPN
iptables -A INPUT -p udp -i eth1 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT -p 50 -i eth1 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth1 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --sport 1701 --dport 1701 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 1701 --dport 1701 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --sport 4500 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth1 --sport 4500 --dport 4500 -j ACCEPT
iptables -A INPUT -p 17 -i eth1 -j ACCEPT
iptables -A OUTPUT -p 17 -o eth1 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
iptables -A INPUT -p 4 -j ACCEPT
iptables -A OUTPUT -p 4 -j ACCEPT

iptables -t mangle -A PREROUTING -i eth1 -p esp -j MARK --set-mark 1
iptables -A FORWARD -i eth1 -m mark --mark 1 -d 10.0.0.0/8 -j ACCEPT

iptables -A INPUT -j ACCEPT -p all -s 10.0.0.0/8 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 10.0.0.0/8 -o eth0

# Allow masquerading
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/8 -d \! 10.129.88.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/8 -d \! 10.205.0.0/24 -j MASQUERADE
# Prior to masquerading, the packets are routed via the filter table FORWARD chain.
iptables -A FORWARD -t filter -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT


Jason
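An added interface-coverage check over the FORWARD rules quoted in the mail above (example code, not from the original post or from Openswan). It parses the posted iptables commands and reports which FORWARD ACCEPT rules could match a packet for a given input/output interface pair. It assumes, as is the case for L2TP/IPsec terminated by a PPP daemon, that the client's decrypted traffic enters the FORWARD chain from a pppN interface; only `-i`/`-o` matches are evaluated, so the `-m mark`, `-m state` and `-d` conditions of a listed rule still have to be checked by hand.

```python
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the FORWARD rules copied from the posted ruleset.
RULESET = """
iptables -A FORWARD -i eth1 -m mark --mark 1 -d 10.0.0.0/8 -j ACCEPT
iptables -A FORWARD -t filter -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

@dataclass
class Rule:
    chain: str = ""
    in_if: Optional[str] = None    # None means "any interface"
    out_if: Optional[str] = None
    target: Optional[str] = None
    extra: list = field(default_factory=list)  # matches we do not evaluate

def parse_rule(line: str) -> Optional[Rule]:
    """Pull chain, interfaces and target out of one 'iptables -A ...' command."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "iptables":
        return None
    r, i = Rule(), 1
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-i", "-o", "-j", "-t") and i + 1 < len(toks):
            val = toks[i + 1]
            if t == "-A": r.chain = val
            elif t == "-i": r.in_if = val
            elif t == "-o": r.out_if = val
            elif t == "-j": r.target = val
            i += 2                       # "-t table" is skipped
        else:
            r.extra.append(t); i += 1
    return r

def iface_matches(pattern: Optional[str], iface: str) -> bool:
    """iptables semantics: no pattern matches anything, trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def forward_accepts(ruleset: str, in_if: str, out_if: str) -> list:
    """FORWARD ACCEPT rules whose interface matches could apply to in_if -> out_if."""
    hits = []
    for line in ruleset.strip().splitlines():
        r = parse_rule(line)
        if (r and r.chain == "FORWARD" and r.target == "ACCEPT"
                and iface_matches(r.in_if, in_if) and iface_matches(r.out_if, out_if)):
            hits.append(line.strip())
    return hits
```

Running `forward_accepts(RULESET, "ppp0", "eth0")` and `forward_accepts(RULESET, "eth0", "ppp0")` against the posted chunk returns an empty list in both directions, meaning traffic between a ppp interface and the LAN falls through to the FORWARD chain policy; an empty result is where to look first when tracing why VPN packets are dropped.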

