[Openswan Users] ipsec / l2tpd + iptables ?
Reza ISSANY
issanyr at laposte.net
Wed Nov 29 02:14:20 EST 2006
Hi,
The gateway has internet access:
root at integration:~# ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
64 bytes from 72.14.207.99: icmp_seq=1 ttl=245 time=86.7 ms
64 bytes from 72.14.207.99: icmp_seq=2 ttl=245 time=86.8 ms
64 bytes from 72.14.207.99: icmp_seq=3 ttl=245 time=86.8 ms
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 86.775/86.828/86.857/0.243 ms
and my iptables rules look good to me:
#!/bin/sh
# flush the tables (only the filter table; the nat table is left untouched)
iptables -F
#iptables-restore < /var/log/uiptables
# NOTE: as the first INPUT rule this logs every incoming packet, not only those that end up dropped
iptables -t filter -A INPUT -p all -j ULOG --ulog-prefix=DefaultDrop
# default policy: DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# accept packets belonging to connections that are already open
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 172.16.7.0/16 -j ACCEPT
iptables -A FORWARD -s 172.16.7.0/16 -j ACCEPT
# allow DNS queries
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# accept ICMP requests
iptables -A INPUT -i eth0 -p icmp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW -j ACCEPT
# telnet
iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
# ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# ipsec vpn (NAT-T)
iptables -A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
# IKE negotiations
iptables -A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
# ESP encryption & authentication
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
# L2TP roadwarrior
iptables -A INPUT -p udp -i eth0 --dport 1701 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 1701 -j ACCEPT
# accept everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept everything going out to the outside
iptables -A OUTPUT -o eth0 -j ACCEPT
Any idea?
reza.
Paul Wouters wrote:
> On Tue, 28 Nov 2006, Reza ISSANY wrote:
>
>> Here are my ipsec verify results:
>>
>> root at integration:~# ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.4.7/K2.6.18.3dedibox_r6_final (netkey)
>> Checking for IPsec support in kernel [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
>> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
>> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>> Checking that pluto is running [OK]
>> Checking for 'ip' command [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>>
>> Any idea how to activate Internet access on the vpn l2tpd clients?
>>
>
> That looks good. Do the checks I asked you to do before:
>
>>> check for firewall rules, check for NAT, and check if the gateway can
>>> reach the internet on its "l2tp pool" IP address using
>>> 'ping -I sourceip www.google.com'
>
> Paul
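The firewall and NAT checks Paul asks for, as an added example that is not code from this thread: a small Python evaluator that walks an iptables-save dump in kernel order for a packet from a VPN client and reports the FORWARD and nat POSTROUTING verdicts. The dump is constructed from the posted script; the pool 10.0.1.0/24 and the eth0 uplink are assumptions, since the post does not say which addresses l2tpd hands out.

```python
import ipaddress
# Constructed iptables-save excerpt (not from the post): the posted script's FORWARD policy and rule, and its empty nat table.
POSTED = """*filter
:FORWARD DROP [0:0]
-A FORWARD -s 172.16.0.0/16 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
"""
# Same excerpt plus the forward and NAT rules an L2TP pool needs; pool 10.0.1.0/24 is assumed (the post does not name it).
FIXED = POSTED.replace(
    "-A FORWARD", "-A FORWARD -s 10.0.1.0/24 -o eth0 -j ACCEPT\n-A FORWARD"
).replace("[0:0]\nCOMMIT", "[0:0]\n-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE\nCOMMIT")

def parse(save_text):
    """Return {table: {'policy': {chain: policy}, 'rules': [rule dicts]}}."""
    tables, cur = {}, None
    for line in save_text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A "):
            tok = line.split()  # every option in these rules takes one value: -s net -o dev -j target
            cur["rules"].append(dict([("chain", tok[1])] + list(zip(tok[2::2], tok[3::2]))))
    return tables

def matches(rule, src, out_dev):
    # only -s and -o are used by these rules; an absent option is a wildcard
    if "-s" in rule and src not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    return "-o" not in rule or rule["-o"] == out_dev

def verdict(tables, table, chain, src, out_dev):
    """Target of the first matching rule, else the chain policy (kernel order)."""
    for rule in tables[table]["rules"]:
        if rule["chain"] == chain and matches(rule, src, out_dev):
            return rule["-j"]
    return tables[table]["policy"][chain]

def client_path(save_text, client_ip, out_dev="eth0"):
    """(FORWARD verdict, POSTROUTING verdict) for a client packet routed out to the
    internet; forwarded packets never traverse OUTPUT, so the posted OUTPUT rules do not apply."""
    src = ipaddress.ip_address(client_ip)
    tables = parse(save_text)
    return (verdict(tables, "filter", "FORWARD", src, out_dev),
            verdict(tables, "nat", "POSTROUTING", src, out_dev))
```

With the posted rules a pool client gets ('DROP', 'ACCEPT'): dropped in FORWARD and, even if forwarded, never masqueraded; with the two added rules it gets ('ACCEPT', 'MASQUERADE').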