[Openswan Users] Iptables problem (netkey)

Nicole Hähnel nicole.haehnel at gmx.net
Thu Jan 10 08:01:02 EST 2008


Peter McGill schrieb:
> I don't know how many times I've repeated this now...
> You should try searching the internet/list history for openswan iptables,
> there is already a lot of help out there this way.
>
> To summarize, accept inbound IPSec.
> iptables -t filter -A INPUT -p 17 --dport 500 -j ACCEPT # udp/isakmp
> iptables -t filter -A INPUT -p 50 -j ACCEPT # esp
> Mark IPSec, and allow decrypted IPSec.
> iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
> iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
> iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
> iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
> Accept outbound.
> iptables -t filter -A OUTPUT -j ACCEPT
> iptables -t filter -A FORWARD -s <local subnet, ie: 192.168.5.0/24> -j ACCEPT
> Exempt IPSec from your NAT rules, if any...
> Note the -I because this needs to be before any SNAT or MASQUERADE rules.
> iptables -t nat -I POSTROUTING -d <remote subnet, ie: 192.168.10.0/24> -j ACCEPT
> Feel free to further qualify the above with the appropriate interfaces, etc...
>
>
> Peter McGill
>
>> -----Original Message-----
>> From: users-bounces at openswan.org 
>> [mailto:users-bounces at openswan.org] On Behalf Of Nicole Hahnel
>> Sent: January 9, 2008 9:52 AM
>> To: users at lists.openswan.org
>> Subject: [Openswan Users] Iptables problem (netkey)
>>
>> Hi,
>>
>> today we switched from klips to netkey on SLES10 SP1
>> 2.6.16.54-0.2.3-default, openswan 2.4.11,
>> because the server crashes with the ipsec module running.
>> Until now we added iptables rules on interface ipsec0 to
>> accept traffic between networks.
>> Without an ipsec interface it's a little bit difficult to add rules.
>>
>> We tried:
>>
>> iptables -A FORWARD -s net1 -d net2 -m state --state NEW
>> iptables -A FORWARD -s net2 -d net1 -m state --state NEW
>>
>> but it won't work.
>>
>> I only see: 
>> kernel: -- DENY IN=dsl0 OUT= MAC=xxxx SRC=xxx DST=xxx LEN=72 TOS=0x00 
>> PREC=0x00 TTL=57 ID=55683 PROTO=4
>>
>> Do I have to add a rule to allow PROTO 4?
>>
>>
>> Thanks!
>> Nicole
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan: 
>> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
>> 7?n=283155

I'm very confused. ;) Everybody said something else.

I don't really know which rules I've to add in my iptables script.
I tried Peter's rules, but everything was dropped.
But if I allow only protocol 4, excepting esp and udp 500, everything 
works fine!?
Why?

Using klips, I never saw any protocol 4 packets.

What's the right way, policy match or masking packets?

So far I can't realize...

Thanks!
Nicole
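As an added example that is not part of this thread or of Openswan itself: the policy-match alternative (`-m policy`) that the reply asks about, written as a small shell generator so the rule set can be reviewed before it is applied with `IPT=iptables ... | sh` as root. The subnets, the `IPT` variable and the function names are assumed placeholders; the rules cover only IKE on UDP 500 and ESP, as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: emit NetKey-style iptables rules that
# use the policy match instead of marking IPsec packets in the mangle table.
# Usage: ipsec_fw_rules <local subnet> <remote subnet>
# The rules are printed, not applied; pipe the output into sh to apply them.
# IPT is an assumed placeholder for the iptables binary to invoke.

IPT="${IPT:-iptables}"

ipsec_fw_rules() {
    local_net="$1"
    remote_net="$2"
    # IKE and ESP are addressed to the gateway itself, so they go through INPUT;
    # the policy match does not apply to the still-encrypted packets.
    echo "$IPT -t filter -A INPUT -p udp --dport 500 -j ACCEPT"
    echo "$IPT -t filter -A INPUT -p esp -j ACCEPT"
    # Decrypted traffic from the peer: matched by the inbound IPsec policy, so a
    # plaintext packet that merely claims the remote source address is not accepted.
    echo "$IPT -t filter -A FORWARD -m policy --dir in --pol ipsec --proto esp -s $remote_net -d $local_net -j ACCEPT"
    # Plaintext traffic the kernel is about to encrypt on its way out.
    echo "$IPT -t filter -A FORWARD -m policy --dir out --pol ipsec --proto esp -s $local_net -d $remote_net -j ACCEPT"
    # Keep NAT off tunnel traffic; -I so it precedes any SNAT/MASQUERADE rule.
    echo "$IPT -t nat -I POSTROUTING -m policy --dir out --pol ipsec -s $local_net -d $remote_net -j ACCEPT"
}

# How many of the generated rules depend on the policy match (for review/testing).
policy_rule_count() {
    ipsec_fw_rules "$1" "$2" | grep -c -- '-m policy'
}

# Example run with constructed subnets (assumed values, not from the thread):
ipsec_fw_rules 192.168.5.0/24 192.168.10.0/24
```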

