[Openswan Users] Status of KLIPS
Tuomo Soini
tis at foobar.fi
Sat Mar 14 05:46:40 EDT 2009
Chris Patch wrote:
> The way I do the rules for filtering in iptables for NETKEY with eth0
> being my outside interface is as follows:
>
> iptables -t mangle -A PREROUTING -i eth0 -p 50 -j MARK --set-mark 0x9
> iptables -t mangle -A PREROUTING -i eth0 -p 50 -j RETURN
> iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 500 -j MARK --set-mark 0x9
> iptables -t mangle -A PREROUTING -i eth0 -p udp --sport 500 --dport 500 -j RETURN
> iptables -A FORWARD -m mark --mark 0x9 -j ACCEPT
> iptables -A INPUT -m mark --mark 0x9 -j ACCEPT
The marking trick is not needed with centos-5.2. The rhel5 codebase has support
for netfilter ipsec policy matching, which is the correct way to handle this.
Check for the "policy" module in your iptables manpage.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
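The policy-match approach Tuomo recommends, written out as an added example (this is not code from the thread or from Openswan). It assumes eth0 is the outside interface and uses a constructed remote subnet, 10.0.2.0/24; set IPTABLES=echo or run without the "apply" argument to only print the rules.

```shell
#!/bin/sh
# Added example, not code from the thread: filter NETKEY traffic with the
# iptables "policy" match instead of the fwmark trick.
# Assumed/constructed values: eth0 is the outside interface and
# 10.0.2.0/24 is the subnet behind the remote IPsec gateway.
IPTABLES="${IPTABLES:-iptables}"
OUT_IF="${OUT_IF:-eth0}"
REMOTE_NET="${REMOTE_NET:-10.0.2.0/24}"

# Emits the six rules; honours $IPTABLES so IPTABLES=echo gives a dry run.
ipsec_rules() {
    # IKE (UDP/500) and ESP (IP protocol 50) must reach the kernel at all.
    "$IPTABLES" -A INPUT -i "$OUT_IF" -p udp --dport 500 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$OUT_IF" -p esp -j ACCEPT
    # Once the kernel decrypts an ESP packet it re-enters INPUT/FORWARD as
    # ordinary IP with no trace of the tunnel; "-m policy --dir in --pol ipsec"
    # matches exactly those packets, which is what the mark rules emulated.
    "$IPTABLES" -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    "$IPTABLES" -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Forwarded packets that will be encrypted on the way out (--dir out).
    "$IPTABLES" -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # Leak guard: if the SA is down there is no outbound policy, so traffic to
    # the remote subnet would leave in cleartext; --pol none catches that.
    "$IPTABLES" -A FORWARD -d "$REMOTE_NET" -m policy --dir out --pol none -j DROP
}

# Returns 0 if the installed iptables can load the policy match (the check
# Tuomo suggests), 1 otherwise.
has_policy_match() {
    command -v iptables >/dev/null 2>&1 || return 1
    iptables -m policy --help >/dev/null 2>&1
}

main() {
    # Run as "sh netkey-policy.sh apply" to install the rules; any other
    # invocation only prints them.
    [ "${1:-}" = apply ] || IPTABLES=echo
    ipsec_rules
}

main "$@"
```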