[Openswan Users] FC6 iptables problem

Xunhua Wang wangxx at jmu.edu
Thu Mar 22 16:40:13 EDT 2007


Hi,

I have a Fedora Core 6 box and have installed "Linux Openswan
U2.4.7/K2.6.20-1.2925.fc6 (netkey)" and xl2tpd-1.1.09 on it. This box has
two network interfaces, eth0 for internal connection and eth1 for external
connection.

When I disable iptables on this box, it works well: Using a MS Windows 2000
client with L2TP/IPsec combination, I can connect to the Linux box and
obtain an internal IP address. 

However, when I enable iptables on the Linux box, I get the following error
(134.126.34.124 is the IP address of eth1 of the Linux box; 134.126.137.233
is the Windows client's IP address):

----- Traffic dump starts -----
[root at Newton ~]# tcpdump -n -nn -i eth1 host 134.126.137.233
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:29:26.076733 IP 134.126.137.233.500 > 134.126.34.124.500: isakmp: phase 1 I ident
14:29:26.077229 IP 134.126.34.124.500 > 134.126.137.233.500: isakmp: phase 1 R ident
14:29:26.262678 IP 134.126.137.233.500 > 134.126.34.124.500: isakmp: phase 1 I ident
14:29:26.280672 IP 134.126.34.124.500 > 134.126.137.233.500: isakmp: phase 1 R ident
14:29:26.352053 IP 134.126.137.233.4500 > 134.126.34.124.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:29:26.363200 IP 134.126.34.124.4500 > 134.126.137.233.4500: NONESP-encap: isakmp: phase 1 R ident[E]
14:29:26.368178 IP 134.126.137.233.4500 > 134.126.34.124.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
14:29:26.369257 IP 134.126.34.124.4500 > 134.126.137.233.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
14:29:26.371803 IP 134.126.137.233.4500 > 134.126.34.124.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
14:29:26.372550 IP 134.126.137.233.4500 > 134.126.34.124.4500: UDP-encap: ESP(spi=0xa456a242,seq=0x1), length 140
14:29:26.372622 IP 134.126.34.124 > 134.126.137.233: ICMP host 134.126.34.124 unreachable - admin prohibited, length 138
----- Traffic dump ends -----

I checked /var/log/secure and found that an IPsec SA was indeed established.
It looks like iptables has blocked the subsequent L2TP traffic.

The rules of my iptables are attached below. What have I done wrong?

----- Start of /etc/sysconfig/iptables -----
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 500 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp --dport 500 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp --dport 4500 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp --dport 4500 -j ACCEPT 
-A RH-Firewall-1-INPUT -i ppp0 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp1 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp2 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp3 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp4 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp5 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp6 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp7 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp8 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp9 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp10 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp11 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp12 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp13 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp14 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp15 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp16 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp17 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp18 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp19 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp20 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp21 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -o ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
----- End of /etc/sysconfig/iptables -----

Thanks,

Steve
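Added example, not part of Steve's post: a constructed Python model of iptables' first-match walk over a subset of the posted RH-Firewall-1-INPUT chain. It assumes what NETKEY does on this setup, namely that the decrypted inner packet (L2TP, UDP 1701, NEW to conntrack) is run through INPUT again, so it falls through to the final REJECT that produces the "admin prohibited" ICMP seen in the dump; the `-m policy --pol ipsec` rule shown is a hypothetical addition that admits UDP 1701 only when it arrived inside IPsec.

```python
import shlex
# Constructed subset of the posted chain, in the posted order (the pppN, mDNS,
# CUPS, ssh and http rules are omitted: they cannot match the packets tested).
POSTED_CHAIN = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp+ -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Hypothetical extra rule (not from the post): accept L2TP (UDP 1701) only when
# the packet was decapsulated from IPsec, so plain UDP 1701 still gets REJECTed.
L2TP_OVER_IPSEC = ("-A RH-Firewall-1-INPUT -p udp --dport 1701 "
                   "-m policy --dir in --pol ipsec -j ACCEPT")
OPTS = ("-i", "-p", "--dport", "--state", "--pol", "-j")

def parse_rule(line):
    toks = shlex.split(line)
    return {t: toks[i + 1] for i, t in enumerate(toks) if t in OPTS}

def matches(rule, pkt):
    """Model only the matches the chain above uses; other options are ignored."""
    want = rule.get("-i")
    if want and not (pkt["iface"] == want or
                     (want.endswith("+") and pkt["iface"].startswith(want[:-1]))):
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and str(pkt.get("dport")) != rule["--dport"]:
        return False
    if "--state" in rule and pkt.get("state", "NEW") not in rule["--state"].split(","):
        return False
    if "--pol" in rule and (rule["--pol"] == "ipsec") != pkt.get("ipsec", False):
        return False
    return True

def first_match(pkt, chain=POSTED_CHAIN):
    """Walk the chain top to bottom as iptables does; return the winning target."""
    for line in chain.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["-j"]
    return "POLICY"   # nothing matched: the built-in chain's policy applies

def with_l2tp_rule(chain=POSTED_CHAIN):
    """Return the chain with the IPsec-only L2TP rule inserted above the final REJECT."""
    lines = chain.strip().splitlines()
    return "\n".join(lines[:-1] + [L2TP_OVER_IPSEC, lines[-1]])
```

The packets in the test are constructed from the posted tcpdump: IKE on UDP 500, UDP-encapsulated ESP on 4500, and the inner L2TP datagram after decapsulation.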