[Openswan Users] Status of KLIPS

Tuomo Soini tis at foobar.fi
Sat Mar 14 05:46:40 EDT 2009


Chris Patch wrote:

> The way I do the rules for filtering in iptables for NETKEY with eth0
> being my outside interface is as follows:
> 
> iptables -t mangle -A PREROUTING -i eth0 -p 50 -j MARK --set-mark 0x9
> iptables -t mangle -A PREROUTING -i eth0 -p 50 -j RETURN
> iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 500 -j MARK --set-mark 0x9
> iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 500 -j RETURN
> iptables -A FORWARD -m mark --mark 0x9 -j ACCEPT
> iptables -A INPUT -m mark --mark 0x9 -j ACCEPT

The marking trick is not needed with CentOS 5.2. The RHEL5 codebase has support
for netfilter IPsec policy matching, which is the correct way to handle this.
Check for the "policy" module in your iptables manpage.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
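The policy-match rule set Tuomo is pointing at, written out as an added example (this is not code from either poster). It assumes eth0 is the outside interface, that NAT-T on UDP/4500 is also wanted, that the remote tunnel subnet is 10.1.0.0/16 (a placeholder), and a kernel and iptables built with the xt_policy match. IPT defaults to "echo iptables", so the script is a dry run that prints the rules; run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example: replace the mangle/MARK trick with "-m policy" (xt_policy).
# Decrypted packets from NETKEY/xfrm re-enter netfilter carrying an inbound
# IPsec policy; "--dir in --pol ipsec" matches exactly those packets, so the
# FORWARD/INPUT rules only accept traffic that really arrived through an SA.

IPT="${IPT:-echo iptables}"   # dry run by default; set IPT=iptables to apply
REMOTE_NET="${REMOTE_NET:-10.1.0.0/16}"   # assumed remote tunnel subnet

ipsec_policy_rules() {
    wan="$1"   # outside interface, e.g. eth0

    # IKE (UDP/500) and NAT-T (UDP/4500) to the local IKE daemon.
    $IPT -A INPUT -i "$wan" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$wan" -p udp --dport 4500 -j ACCEPT

    # ESP (IP protocol 50) to the local IPsec stack. Add -p 51 if AH is used.
    $IPT -A INPUT -i "$wan" -p 50 -j ACCEPT

    # Plaintext that was just decrypted from an ESP SA. This is what the
    # MARK rules tried to approximate; the policy match is authoritative.
    $IPT -A INPUT   -i "$wan" -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -i "$wan" -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # Plaintext that will be encrypted by an SA on its way out.
    $IPT -A FORWARD -o "$wan" -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # Cleartext on the outside interface that claims a tunnel-internal source
    # has no inbound policy: drop it rather than let it impersonate the peer.
    $IPT -A FORWARD -i "$wan" -m policy --dir in --pol none -s "$REMOTE_NET" -j DROP
}

# Number of rules the function emits (useful when checking a dry run).
rule_count() {
    ipsec_policy_rules "$1" | wc -l | tr -d ' '
}

# Usage: sh this_script.sh          (prints the rules)
#        IPT=iptables sh this_script.sh   (applies them, as root)
[ "${0##*/}" != "sh" ] && [ -n "${RUN_RULES:-}" ] && ipsec_policy_rules "${WAN:-eth0}"
true
```

The point of the last rule is the one the MARK approach cannot express: "--pol none" only matches packets that did not come through an SA, so a spoofed cleartext packet with a 10.1.0.0/16 source arriving on eth0 is dropped, while the same addresses arriving inside ESP are accepted by the "--pol ipsec" rules above it. "--dir in" is only valid in PREROUTING, INPUT and FORWARD, and "--dir out" in OUTPUT, POSTROUTING and FORWARD.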
