[Openswan Users] iptables problems

Michael Surette msurette at laframboise.net
Wed Jun 14 12:41:10 CEST 2006


I am trying to set up a tunnel between two linux machines.  When I run ipsec 
verify, it tells me that my masquerading is a problem.  My masquerading is 
not from 172.17.0.0/16 to 0.0.0.0/0 as ipsec reports, but explicitly excludes 
the 172.16.0.0/12 block and I don't believe that it should be a problem.

Here are the outputs from ipsec 'verify' and 'iptables-save'.  Any pointers or 
ideas on how to fix this problem would be appreciated.

=================

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan 2.4.5 (klips)
Checking for IPsec support in kernel                        	[OK]
KLIPS detected, checking for NAT Traversal support          	[FAILED]
Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing                              
Checking tun0x1002 at 206.130.227.150 from 172.17.0.0/16 to 172.16.0.0/16	[FAILED]
  MASQUERADE from 172.17.0.0/16 to 0.0.0.0/0 kills tunnel 172.17.0.0/16 -> 172.16.0.0/16
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: bill                	[MISSING]
   Does the machine have at least one non-private address?  	[OK]
   Looking for TXT in reverse dns zone: 86.199.1.72.in-addr.arpa.	[MISSING]

=================

# Generated by iptables-save v1.3.5 on Wed Jun 14 11:09:55 2006
*nat
:PREROUTING ACCEPT [121679:23327919]
:POSTROUTING ACCEPT [1657:121600]
:OUTPUT ACCEPT [3477:236536]
-A POSTROUTING -s 172.17.0.0/255.255.0.0 -d ! 172.16.0.0/255.240.0.0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 14 11:09:55 2006
# Generated by iptables-save v1.3.5 on Wed Jun 14 11:09:55 2006
*mangle
:PREROUTING ACCEPT [557809:117225111]
:INPUT ACCEPT [267034:59977527]
:FORWARD ACCEPT [282541:54546832]
:OUTPUT ACCEPT [326144:89185831]
:POSTROUTING ACCEPT [488964:137993991]
COMMIT
# Completed on Wed Jun 14 11:09:55 2006
# Generated by iptables-save v1.3.5 on Wed Jun 14 11:09:55 2006
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [845:139395]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i ipsec0 -j ACCEPT 
-A INPUT -p esp -j ACCEPT 
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT 
-A INPUT -s 172.17.0.0/255.255.0.0 -j ACCEPT 
-A INPUT -i eth1 -p tcp -m multiport --dports 67,68 -j ACCEPT 
-A INPUT -i eth1 -p udp -m multiport --dports 67,68 -j ACCEPT 
-A INPUT -i eth1 -p tcp -m multiport --sports 67,68 -j ACCEPT 
-A INPUT -i eth1 -p udp -m multiport --sports 67,68 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 22,25,143,465,587,993,995 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ipsec0 -j ACCEPT 
-A FORWARD -o ipsec0 -j ACCEPT 
-A FORWARD -p esp -j ACCEPT 
-A FORWARD -p udp -m multiport --dports 500,4500 -j ACCEPT 
-A FORWARD -p tcp -m multiport --dports 137,138,139,445 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 137,138,139,445 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 172.17.0.0/255.255.0.0 -j ACCEPT 
-A FORWARD -p tcp -m multiport --dports 67,68 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --dports 67,68 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m multiport --sports 67,68 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m multiport --sports 67,68 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -s 10.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -d 172.16.0.0/255.240.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 172.16.0.0/255.240.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 169.254.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 169.254.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o ipsec0 -j ACCEPT 
-A OUTPUT -p esp -j ACCEPT 
-A OUTPUT -p udp -m multiport --dports 500,4500 -j ACCEPT 
COMMIT
# Completed on Wed Jun 14 11:09:55 2006
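To check independently of ipsec verify whether a MASQUERADE rule would actually NAT the tunnel's traffic, here is an added example (not from the post and not Openswan code) that parses POSTROUTING MASQUERADE rules from iptables-save output, honouring the "-d !" negation used above, and tests them against the tunnel 172.17.0.0/16 -> 172.16.0.0/16. The nat table text is reproduced from the post; the function names are this example's own.

```python
import ipaddress
import shlex

# Sample input: the *nat table from the iptables-save output in the post,
# in the netmask and "-d !" negation form that iptables-save v1.3.x prints.
NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [121679:23327919]
:POSTROUTING ACCEPT [1657:121600]
:OUTPUT ACCEPT [3477:236536]
-A POSTROUTING -s 172.17.0.0/255.255.0.0 -d ! 172.16.0.0/255.240.0.0 -j MASQUERADE
COMMIT
"""

def _selector(tokens, flag):
    """Return (network, negated) for an -s/-d option, or (None, False) if absent.
    Accepts both the old "-d ! x" and the newer "! -d x" negation syntax."""
    if flag not in tokens:
        return None, False
    i = tokens.index(flag)
    negated = tokens[i + 1] == "!" or (i > 0 and tokens[i - 1] == "!")
    value = tokens[i + 2] if tokens[i + 1] == "!" else tokens[i + 1]
    # strict=False accepts "a.b.c.d/m.m.m.m" netmask notation as well as prefix lengths
    return ipaddress.ip_network(value, strict=False), negated

def masquerade_rules(iptables_save_text):
    """Extract every POSTROUTING rule whose target is MASQUERADE."""
    rules = []
    for line in iptables_save_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-A", "POSTROUTING"] and "MASQUERADE" in tokens:
            src, src_neg = _selector(tokens, "-s")
            dst, dst_neg = _selector(tokens, "-d")
            rules.append({"src": src, "src_neg": src_neg, "dst": dst, "dst_neg": dst_neg})
    return rules

def _hits(net, negated, subnet):
    """Could any address in `subnet` satisfy this -s/-d selector?"""
    if net is None:
        return True                      # no selector at all: matches everything
    if negated:
        return not subnet.subnet_of(net)  # "! net" misses only if subnet lies wholly inside net
    return net.overlaps(subnet)

def check_tunnel(iptables_save_text, tunnel_src, tunnel_dst):
    """Return the MASQUERADE rules that would NAT some traffic of the given tunnel."""
    src = ipaddress.ip_network(tunnel_src)
    dst = ipaddress.ip_network(tunnel_dst)
    return [r for r in masquerade_rules(iptables_save_text)
            if _hits(r["src"], r["src_neg"], src) and _hits(r["dst"], r["dst_neg"], dst)]
```

An empty result means the rule cannot rewrite packets bound for the remote subnet; replacing the "-d !" exclusion with a plain "-s 172.17.0.0/16 -j MASQUERADE" rule makes the same check report one offending rule.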
