[Openswan Users] firewalling

Peter McGill petermcgill at goco.net
Fri Nov 10 10:15:43 EST 2006

> I have a firewall which is stuck allowing packets back into it.
> It can send out ESP packets and see them come back in however they never
> make it between eth1 and ipsec0.
> Host A behind firewall A can send a ping request to Host B it replies but
> the reply never gets back to Firewall A's ipsec0 interface it does leave
> Firewall B's server.

You may be missing (although I can't say for certain without seeing your full firewall rules):
iptables -A INPUT -i ipsec0 -j ACCEPT
In addition to allowing ESP packets, you also need to allow the unencrypted packets, before and after encryption.
With klips this is easy, just add rules for ipsec0, with netkey there is no ipsec0, so you must mark the packets.
Marking works for 2.4 or 2.6 kernels using klips or netkey, so I recommend using it instead.

If you're using iptables, the following rules should work for most openswan setups:
iptables -t mangle -A INPUT -i eth0 -p udp --dport isakmp -j MARK --set-mark 1 # isakmp = 500
iptables -t mangle -A INPUT -i eth0 -p udp --dport 4500 -j MARK --set-mark 1 # 4500 is used w/ nat-t
iptables -t mangle -A INPUT -i eth0 -p esp -j MARK --set-mark 1 # esp = 50
# most of us don't use ah, so you can probably leave the next line out, I've included it for completeness
iptables -t mangle -A INPUT -i eth0 -p ah -j MARK --set-mark 1 # ah = 51
iptables -A INPUT -m mark --mark 1 -j ACCEPT
iptables -A FORWARD -m mark --mark 1 -j ACCEPT
# if you're not using this (iptables -A OUTPUT -j ACCEPT), then you'll also need the following.
iptables -A OUTPUT -o eth0 -p udp --sport isakmp -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
iptables -A OUTPUT -o eth0 -p esp -j ACCEPT
iptables -A OUTPUT -o eth0 -p ah -j ACCEPT # again you only need this if you're using ah
And of course replace eth0 with your public interface if it's different, and change the mark (1) if you're using 1 for something else.
Other rules could still disrupt the traffic internal to your network or even between the tunnel endpoints, depending on ordering and
things, so you should still read up on iptables and understand the flow and what's going on.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 
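The mark-based rule set from the reply above, rewritten as a parameterised shell function. This is an added example and not code from the original post or from the Openswan project; it assumes a public interface name, a fwmark value that nothing else on the box uses, and an iptables binary on PATH. The interface, mark, optional AH rules and the "OUTPUT is already wide open" shortcut from the post are all arguments, so the rules do not need hand-editing each time, and with DRY_RUN=1 (the default here) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the original post): generates the mark-based
# iptables rules for IKE, NAT-T, ESP and optionally AH, parameterised by
# public interface and fwmark value. Assumed: an unused fwmark and iptables
# on PATH. DRY_RUN=1 prints the commands; DRY_RUN=0 runs them.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# generate_rules PUBLIC_IF MARK WITH_AH OUTPUT_OPEN
#   PUBLIC_IF   interface facing the other tunnel endpoint (eth0 in the post)
#   MARK        fwmark value reserved for IPsec traffic (1 in the post)
#   WITH_AH     1 to also mark/allow AH (IP protocol 51), 0 to leave it out
#   OUTPUT_OPEN 1 if the OUTPUT chain already accepts everything, in which
#               case the explicit OUTPUT rules are skipped
generate_rules() {
    pub_if="$1"; mark="$2"; with_ah="$3"; output_open="$4"

    # Mark IKE (UDP 500, "isakmp"), NAT-T (UDP 4500) and ESP (protocol 50)
    # as they arrive on the public interface. The post relies on the mark
    # still being on the plaintext packet after decryption, which is what
    # the INPUT/FORWARD mark matches below depend on.
    run -t mangle -A INPUT -i "$pub_if" -p udp --dport 500 -j MARK --set-mark "$mark"
    run -t mangle -A INPUT -i "$pub_if" -p udp --dport 4500 -j MARK --set-mark "$mark"
    run -t mangle -A INPUT -i "$pub_if" -p esp -j MARK --set-mark "$mark"
    if [ "$with_ah" = "1" ]; then
        run -t mangle -A INPUT -i "$pub_if" -p ah -j MARK --set-mark "$mark"
    fi
    run -A INPUT -m mark --mark "$mark" -j ACCEPT
    run -A FORWARD -m mark --mark "$mark" -j ACCEPT

    # Outbound IKE/ESP only needs explicit rules when OUTPUT is not wide open.
    if [ "$output_open" != "1" ]; then
        run -A OUTPUT -o "$pub_if" -p udp --sport 500 -j ACCEPT
        run -A OUTPUT -o "$pub_if" -p udp --sport 4500 -j ACCEPT
        run -A OUTPUT -o "$pub_if" -p esp -j ACCEPT
        if [ "$with_ah" = "1" ]; then
            run -A OUTPUT -o "$pub_if" -p ah -j ACCEPT
        fi
    fi
}

# Defaults match the post: eth0, mark 1, no AH, OUTPUT not wide open.
# Override with e.g. PUB_IF=eth1 MARK=7 sh thisscript.sh
generate_rules "${PUB_IF:-eth0}" "${MARK:-1}" "${WITH_AH:-0}" "${OUTPUT_OPEN:-0}"
```

After applying the rules with DRY_RUN=0, `iptables -t mangle -L INPUT -v -n` shows per-rule packet counters; if the MARK rules for ESP and UDP 500/4500 are not counting up while a ping is in flight, the packets are not reaching the public interface at all and the problem is upstream of the firewall rules.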
