[Openswan Users] Problem with securing l2tpd (NETKEY 2.6)
Adrian Gruntkowski
adrian at ima.pl
Thu Jun 14 18:49:44 EDT 2007
Hello,
I have successfully set up the whole IPsec part with NAT traversal.
It's based on native NETKEY 2.6 (Debian Etch 2.6.18 kernel, recompiled).
Everything works fine, however my pain is l2tpd listening on all
interfaces (public ones included). Both l2tpd and openswan are
on the same physical server.
I've found that one way to secure it is to tag packets coming from
the tunnel (ESP) and then pass them in the following chains.
I've tested it but can't make it work. Below is my firewall configuration
(eth0 - public interface, eth2 - local network interface):
######################## BEGIN ##################################
# Fragment of the firewall script. ${A_OR_D} is presumably -A (add) or -D (delete)
# so the same lines can add and remove rules; ${V} and ${NET_IPSEC} are set
# elsewhere in the script (verbosity flag and the IPsec client subnet).
# Mark VPN packets: tag raw ESP (IP protocol 50) arriving on the public interface
iptables ${V} -t mangle ${A_OR_D} PREROUTING -i eth0 -p esp -j MARK --set-mark 1 #VPN
iptables ${V} -t nat ${A_OR_D} PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables ${V} -t nat ${A_OR_D} PREROUTING -s 0.0.0.0/0 -i eth0 -m mark --mark 1 -j ACCEPT
# Spoof protection: drop unmarked packets from the public side that claim to be from the IPsec subnet
iptables ${V} -t nat ${A_OR_D} PREROUTING -d ${NET_IPSEC} -i eth0 -j DROP
# INPUT: established traffic, ICMP, SSH, IKE (UDP/500) and NAT-T (UDP/4500)
iptables ${V} ${A_OR_D} INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables ${V} ${A_OR_D} INPUT -p icmp -j ACCEPT
iptables ${V} ${A_OR_D} INPUT -p tcp -m tcp --dport 22 -j ACCEPT #SSH
iptables ${V} ${A_OR_D} INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT #VPN
iptables ${V} ${A_OR_D} INPUT -p udp --dport 4500 -j ACCEPT
iptables ${V} ${A_OR_D} OUTPUT -p udp --sport 4500 -j ACCEPT
iptables ${V} ${A_OR_D} INPUT -p udp --dport 9411 -j ACCEPT
iptables ${V} ${A_OR_D} OUTPUT -p udp --sport 9411 -j ACCEPT
iptables ${V} ${A_OR_D} INPUT -p tcp --dport 9411 -j ACCEPT
iptables ${V} ${A_OR_D} OUTPUT -p tcp --sport 9411 -j ACCEPT
# Only marked (tunnel) packets from the public interface may reach local services such as l2tpd
iptables ${V} ${A_OR_D} INPUT -i eth0 -m mark --mark 1 -j ACCEPT
# FORWARD: established traffic, marked tunnel packets from eth0, anything from the LAN
iptables ${V} ${A_OR_D} FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables ${V} ${A_OR_D} FORWARD -i eth0 -m mark --mark 1 -j ACCEPT
iptables ${V} ${A_OR_D} FORWARD -i eth2 -j ACCEPT
####################### END #########################################
What am I doing wrong here? Thanks in advance for any help.
Greetings,
adrian at ima.pl
Adrian Gruntkowski
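Note that the mark rule in the post matches only native ESP (IP protocol 50), while NAT-T peers deliver ESP encapsulated in UDP/4500; on NETKEY the decapsulated inner packet re-enters the INPUT chain, where the iptables policy match (xt_policy) can identify it without any marking. The following is an added example, not code from the post: a rule fragment that accepts UDP/1701 only from packets decapsulated from an IPsec SA, plus a check that the emitted rule set never accepts l2tp without that match. The interface name, port numbers and the availability of xt_policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: public interface eth0,
# IKE on UDP/500, NAT-T on UDP/4500, l2tpd on UDP/1701, xt_policy available.
PUB_IF="${PUB_IF:-eth0}"

# Print the rule set, one iptables command per line; nothing is applied here.
render_rules() {
    cat <<EOF
iptables -A INPUT -i $PUB_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $PUB_IF -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $PUB_IF -p esp -j ACCEPT
iptables -A INPUT -i $PUB_IF -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $PUB_IF -p udp --dport 1701 -j DROP
EOF
}

# Read a rule set on stdin and verify that every ACCEPT of UDP/1701 carries
# the IPsec policy match and that a closing DROP for UDP/1701 exists.
# Returns 0 when the rule set passes, 1 when it leaves l2tpd exposed.
check_rules() {
    rules=$(cat)
    # An ACCEPT for 1701 without the policy match would admit cleartext l2tp.
    if printf '%s\n' "$rules" | grep -- '--dport 1701' | grep -- '-j ACCEPT' \
         | grep -qv -- '-m policy --dir in --pol ipsec'; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -q -- '--dport 1701 -j DROP' || return 1
    return 0
}

# Dry run by default; apply only with APPLY=1, and only if the check passes.
if [ "${APPLY:-0}" = "1" ]; then
    render_rules | check_rules || { echo "rule set failed check" >&2; exit 1; }
    render_rules | sh
else
    render_rules
fi
```

The DROP is placed after the policy-matched ACCEPT so that the only path to l2tpd on the public interface is through an IPsec SA, regardless of whether the peer uses native ESP or NAT-T.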