[Openswan Users] ipsec / l2tpd + iptables ?

Reza ISSANY issanyr at laposte.net
Wed Nov 29 02:14:20 EST 2006


The gateway have internet :
root at integration:~# ping google.com
PING google.com ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=245 time=86.7 ms
64 bytes from icmp_seq=2 ttl=245 time=86.8 ms
64 bytes from icmp_seq=3 ttl=245 time=86.8 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 86.775/86.828/86.857/0.243 ms

and my iptable looks to be good :

# reset des tables
iptables -F

#iptables-restore < /var/log/uiptables
iptables -t filter -A INPUT -p all -j ULOG --ulog-prefix=DefaultDrop

# default policy : DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# on accepte les paquets relatifs aux connexions deja ouvertes
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s -j ACCEPT
iptables -A FORWARD -s -j ACCEPT

# Autorisation des requetes DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# on accepte les requetes icmp
iptables -A INPUT -i eth0 -p icmp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW -j ACCEPT

# telnet
iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT

# ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# ipsec vpn
iptables -A INPUT  -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
# IKE negotiations
iptables -A INPUT  -p udp -m udp -i eth0 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
# ESP encryption & authentication
iptables -A INPUT  -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
# L2TP roadwarrior
iptables -A INPUT  -p udp -i eth0 --dport 1701 -j ACCEPT
iptables -A OUTPUT  -p udp -o eth0 --dport 1701 -j ACCEPT

# accepte tout ce qui concerne l'interface loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# on accepte ce qui sort vers l'exterieur
iptables -A OUTPUT -o eth0 -j ACCEPT

Any idea ?


Paul Wouters a écrit :
> On Tue, 28 Nov 2006, Reza ISSANY wrote:
>> Here it is my ipsec verify command results :
>> root at integration:~# ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path                                 [OK]
>> Linux Openswan U2.4.7/K2.6.18.3dedibox_r6_final (netkey)
>> Checking for IPsec support in kernel                            [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
>> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
>>  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>> Checking that pluto is running                                  [OK]
>> Checking for 'ip' command                                       [OK]
>> Checking for 'iptables' command                                 [OK]
>> Opportunistic Encryption Support                                [DISABLED]
>> Any idea to activate Internet on vpn l2tpd clients ?
> That looks good. Do the checks I asked you to do before:
>>> check
>>> for firewall rules, check for NAT, and check if the gateway can reach the
>>> internet
>>> on its "l2tp pool" IP address using 'ping -I sourceip www.google.com'
> Paul

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20061129/a8c3589b/attachment-0001.html 

More information about the Users mailing list