[Openswan Users] Iptables problem (netkey)

Peter McGill petermcgill at goco.net
Wed Jan 9 10:36:19 EST 2008


I don't know how many times I've repeated this now...
You should try searching the internet/list history for openswan iptables,
there is already a lot of help out there this way.

To summarize, accept inbound IPSec.
iptables -t filter -A INPUT -p udp --dport 500 -j ACCEPT # udp/isakmp (IKE)
iptables -t filter -A INPUT -p esp -j ACCEPT # esp (protocol 50)
Mark IPSec, and allow decrypted IPSec.
iptables -t mangle -A PREROUTING -p udp --dport 500 -j MARK --set-mark 1 # udp/isakmp
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1 # esp
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT # decrypted packets keep the mark
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
Accept outbound.
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -s <local subnet, e.g. 192.168.5.0/24> -j ACCEPT
Exempt IPSec from your NAT rules, if any...
Note the -I because this needs to be before any SNAT or MASQUERADE rules.
iptables -t nat -I POSTROUTING -d <remote subnet, e.g. 192.168.10.0/24> -j ACCEPT
Feel free to further qualify the above with the appropriate interfaces, etc...


Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Nicole Hahnel
> Sent: January 9, 2008 9:52 AM
> To: users at lists.openswan.org
> Subject: [Openswan Users] Iptables problem (netkey)
> 
> Hi,
> 
> today we switched from klips to netkey on SLES10 SP1 
> 2.6.16.54-0.2.3-default, openswan 2.4.11,
> because the server crashes with the ipsec module running.
> Until now we added iptables rules on interface ipsec0 to accept traffic 
> between networks.
> Without an ipsec interface it's a little bit difficult to add rules.
> 
> We tried:
> 
> iptables -A FORWARD -s net1 -d net2 -m state --state NEW
> iptables -A FORWARD -s net2 -d net1 -m state --state NEW
> 
> but it won't work.
> 
> I only see: 
> kernel: -- DENY IN=dsl0 OUT= MAC=xxxx SRC=xxx DST=xxx LEN=72 TOS=0x00 
> PREC=0x00 TTL=57 ID=55683 PROTO=4
> 
> Do I have to add a rule to allow PROTO 4?
> 
> 
> Thanks!
> Nicole
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
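Added example, not code from the reply above, from either poster, or from Openswan: a POSIX sh script that turns the ruleset summarized in the reply into a single iptables-restore file, so the ordering the reply stresses (the NAT exemption ahead of MASQUERADE, the mangle marks set before the filter rules that match on them) is fixed in one atomic load instead of depending on the order of hand-typed -A/-I commands. The subnet values, the dsl0 interface name, the MASQUERADE rule standing in for "your NAT rules, if any", the default-DROP INPUT/FORWARD policies with loopback and ESTABLISHED accepts, and the "-- DENY " log prefix (borrowed from the quoted log line) are assumptions for illustration. The script only prints the ruleset; nothing reaches the kernel until you pipe the output to iptables-restore yourself.

```shell
#!/bin/sh
# Added example, not code from the reply above or from Openswan.
# Emits an iptables-restore ruleset for a NETKEY gateway using the
# mark-based approach from the reply. Assumed for illustration: the
# interface name, the MASQUERADE rule standing in for "your NAT rules",
# default-DROP INPUT/FORWARD with lo/ESTABLISHED accepts, and the
# "-- DENY " log prefix taken from the quoted log line.
set -eu

# is_cidr A.B.C.D/N: succeed only for a well-formed IPv4 prefix.
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; bits=${1#*/}
    { [ "$bits" -ge 0 ] && [ "$bits" -le 32 ]; } 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_ipsec_rules LOCAL_NET REMOTE_NET WAN_IF [MARK]
# Prints an iptables-restore ruleset to stdout; does not touch the kernel.
gen_ipsec_rules() {
    local_net=$1; remote_net=$2; wan_if=$3; mark=${4:-1}
    is_cidr "$local_net" || { echo "bad local subnet: $local_net" >&2; return 1; }
    is_cidr "$remote_net" || { echo "bad remote subnet: $remote_net" >&2; return 1; }
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# tag IKE and ESP on the WAN side; the decrypted packet re-enters the
# stack with skb->mark still set, so the filter rules can match on it
-A PREROUTING -i $wan_if -p udp --dport 500 -j MARK --set-mark $mark
-A PREROUTING -i $wan_if -p esp -j MARK --set-mark $mark
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# the tunnel exemption must precede the masquerade/SNAT rule
-A POSTROUTING -d $remote_net -j ACCEPT
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound IPsec: IKE and ESP themselves
-A INPUT -i $wan_if -p udp --dport 500 -j ACCEPT
-A INPUT -i $wan_if -p esp -j ACCEPT
# decrypted traffic, identified by the mark set in mangle/PREROUTING
-A INPUT -m mark --mark $mark -j ACCEPT
-A FORWARD -m mark --mark $mark -j ACCEPT
# outbound from the local subnet (encryption happens after FORWARD)
-A FORWARD -s $local_net -j ACCEPT
-A INPUT -j LOG --log-prefix "-- DENY "
-A FORWARD -j LOG --log-prefix "-- DENY "
COMMIT
EOF
}

# Usage: gen_ipsec_rules LOCAL REMOTE WAN_IF [MARK] | iptables-restore
if [ $# -ge 3 ]; then
    gen_ipsec_rules "$@"
fi
```

Review the printed ruleset, then load it with `gen_ipsec_rules 192.168.5.0/24 192.168.10.0/24 dsl0 | iptables-restore`. Two caveats for practitioners: if NAT traversal is in use, udp/4500 needs the same MARK and ACCEPT treatment as udp/500; and on kernels that provide the xt_policy match, `-m policy --dir in --pol ipsec` expresses "this packet was decrypted by IPsec" directly, without relying on the mark surviving decryption. Protocol 4 in the quoted log line is IP-in-IP; the ruleset above has no rule for it, and the generator adds none.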


