[Openswan Users] http and smtp not working
Peter McGill
petermcgill at goco.net
Fri Sep 21 08:59:18 EDT 2007
Ok, that might not be exactly what you want; it would allow public access to your http and smtp.
But if you're using NETKEY (ipsec --version will say so) then your ipsec traffic appears to come
in through your public interface. To tell the difference, mark your ipsec packets with the MARK target
(man iptables) and then qualify your ACCEPT rules for http and smtp with the --mark filter.
I.e.:
# MARK is a mangle-table target, so the marking goes in mangle PREROUTING
iptables -t mangle -A PREROUTING -p udp --dport isakmp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
# filter-table rules; chain INPUT assumed here. For traffic routed through the box use FORWARD,
# or insert into a chain both jump to (e.g. RH-Firewall-1-INPUT in the listing below) ahead of its REJECT.
iptables -A INPUT -m mark --mark 1 -j ACCEPT
Note this accepts all ipsec traffic; you could further qualify it...
iptables -t mangle -A PREROUTING -p udp --dport isakmp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
# let IKE, NAT-T and ESP itself in
iptables -A INPUT -p udp --dport isakmp -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# http/smtp only for marked (IPsec-carried) traffic from the roadwarrior subnet
iptables -A INPUT -m mark --mark 1 -s 192.168.1.0/24 -p tcp --dport http -j ACCEPT
iptables -A INPUT -m mark --mark 1 -s 192.168.1.0/24 -p tcp --dport smtp -j ACCEPT
Peter McGill
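An added example, not Peter's code or Openswan's: the same mark-then-filter rules with the tables and chains spelled out, plus an alternative using iptables' policy match (xt_policy), which matches packets that were decapsulated from IPsec without needing a mark. It assumes the RH-Firewall-1-INPUT chain and the 192.168.1.0/24 roadwarrior subnet from the thread below, and that the kernel has xt_policy.

```shell
#!/bin/sh
# Added example, not code from the thread. Makes the tables/chains of the
# mark-then-filter approach explicit and shows the xt_policy match as an
# alternative that needs no mark. Assumed: RH-Firewall-1-INPUT is the chain
# from the original post (reached from INPUT and FORWARD), 192.168.1.0/24 is
# the roadwarrior subnet. Set IPT=echo to preview without touching the firewall.
IPT=${IPT:-iptables}
LAN=192.168.1.0/24
FWCHAIN=RH-Firewall-1-INPUT

# Variant 1 (the message's idea): MARK lives in the mangle table, so mark
# IKE, NAT-T and ESP in mangle PREROUTING; NETKEY keeps the mark on the
# decapsulated packet, so the inner TCP segment still carries it in filter.
mark_rules() {
    $IPT -t mangle -A PREROUTING -p udp --dport isakmp -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
    # -I puts each rule at the top of the chain, ahead of its final REJECT;
    # relative order does not matter here because every rule ACCEPTs.
    $IPT -I $FWCHAIN -p udp --dport isakmp -j ACCEPT
    $IPT -I $FWCHAIN -p udp --dport 4500 -j ACCEPT
    $IPT -I $FWCHAIN -p esp -j ACCEPT
    # http/smtp only for marked traffic, i.e. packets that came in over IPsec.
    $IPT -I $FWCHAIN -m mark --mark 1 -s $LAN -p tcp --dport http -j ACCEPT
    $IPT -I $FWCHAIN -m mark --mark 1 -s $LAN -p tcp --dport smtp -j ACCEPT
}

# Variant 2: the policy match (xt_policy) tests whether the packet arrived
# inside an IPsec SA. A cleartext SYN to port 80 from the Internet has no
# inbound IPsec policy and falls through to the chain's REJECT.
policy_rules() {
    $IPT -I $FWCHAIN -p udp --dport isakmp -j ACCEPT
    $IPT -I $FWCHAIN -p udp --dport 4500 -j ACCEPT
    $IPT -I $FWCHAIN -p esp -j ACCEPT
    $IPT -I $FWCHAIN -m policy --dir in --pol ipsec --proto esp \
        -s $LAN -p tcp --dport http -j ACCEPT
    $IPT -I $FWCHAIN -m policy --dir in --pol ipsec --proto esp \
        -s $LAN -p tcp --dport smtp -j ACCEPT
}

# Usage: sh rules.sh mark|policy   (IPT=echo sh rules.sh mark to preview)
case "${1:-}" in
    mark)   mark_rules ;;
    policy) policy_rules ;;
esac
```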
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: September 21, 2007 8:45 AM
> To: 'txjin'; 'users at openswan.org'
> Subject: RE: [Openswan Users] http and smtp not working
>
> I can't be completely sure, because this output doesn't show
> all the rule details like interface.
> But if the first two rules in the Firewall chain apply to
> your loopback and internal LAN interfaces,
> while the others apply to your public wan internet interface,
> then I have an answer.
>
> You're blocking all tcp traffic except ssh.
> Try copying your ACCEPT NEW ssh rule for both http and smtp.
>
> Peter
>
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of txjin
> > Sent: September 20, 2007 10:05 PM
> > To: users at openswan.org
> > Subject: [Openswan Users] http and smtp not working
> >
> > I have set up an openswan server and can ping computers on the network
> > from my roadwarrior computer, but I can't use http or smtp on those
> > computers. I'm not exactly sure what is going on.
> > Computers on the network can connect to web servers on the roadwarrior
> > computer.
> > tcpdump from interface eth0 the packets never appear on eth1
> > tcpdump -i eth0 host 192.168.1.232
> >
> > 20:58:01.486528 IP 192.168.1.232.33099 > 192.168.7.164.http: S 1183908294:1183908294(0) win 5840 <mss 1460,sackOK,timestamp 438761098 0,nop,wscale 2>
> > 20:58:01.534147 IP 192.168.7.177 > 192.168.1.232: icmp 68: host 192.168.7.164 unreachable - admin prohibited
> >
> >
> > iptables -L on openswan firewall
> >
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> > EXTRA1 all -- anywhere anywhere
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain RH-Firewall-1-INPUT (2 references)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> > ACCEPT all -- anywhere anywhere
> > ACCEPT icmp -- anywhere anywhere icmp any
> > ACCEPT ipv6-crypt-- anywhere anywhere
> > ACCEPT ipv6-auth-- anywhere anywhere
> > ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
> > ACCEPT udp -- anywhere anywhere udp dpt:ipp
> > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >
> > Chain EXTRA1 (1 references)
> > target prot opt source destination
> > ACCEPT udp -- anywhere anywhere udp dpt:isakmp
> > ACCEPT udp -- anywhere anywhere udp dpt:4500
> > ACCEPT tcp -- anywhere anywhere tcp dpt:4500
> > ACCEPT tcp -- anywhere anywhere tcp dpt:isakmp
> > ACCEPT ipv6-crypt-- anywhere 64.221.219.99.ptr.us.xo.net
> >
> >