[Openswan Users] Iptables and Openswan
Paul Wouters
paul at xelerance.com
Tue May 19 14:37:44 EDT 2009
On Tue, 19 May 2009, Walter Willis wrote:
> I am using CentOS 4.7 with Openswan. Openswan works fine, but after the
> kernel upgrade to 2.6.18... iptables does not pass the Openswan packets.
I am not sure how the updated kernel would break iptables....but
> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
For IPsec NAT-T, you are missing:
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
> iptables -A INPUT -p udp --sport 50 --dport 50 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 50 --dport 50 -j ACCEPT
>
> iptables -A INPUT -p 50 -j ACCEPT
> iptables -A OUTPUT -p 50 -j ACCEPT
You will also need to have either FORWARD rules allowing things, or
ip_forward enabled in sysctl.conf.
Paul
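As an added checker (not part of the thread or of Openswan), a small POSIX shell function that reads a list of iptables commands like the ones quoted above and reports which IPsec rules are missing, flags the UDP "port 50" rules (ESP is IP protocol 50, not a UDP port), and notes when no FORWARD rules are present; both rule sets in it are constructed for the example.

```shell
#!/bin/sh
# Added checker, not from the thread or from Openswan: report which of the
# IPsec rules discussed above are missing from a list of iptables commands.
# Both rule sets below are constructed for this example.

has_rule() {  # has_rule "<rules, one per line>" "<extended regex>"
  printf '%s\n' "$1" | grep -Eq "$2"
}

# Prints one finding per line; prints nothing when the set looks complete.
check_ipsec_rules() {
  r="$1"
  for chain in INPUT OUTPUT; do
    has_rule "$r" "^iptables -A $chain .*-p udp .*--(s|d)port 500( |\$)" \
      || echo "missing: $chain udp/500 (IKE)"
    has_rule "$r" "^iptables -A $chain .*-p udp .*--(s|d)port 4500( |\$)" \
      || echo "missing: $chain udp/4500 (IKE NAT-T)"
    has_rule "$r" "^iptables -A $chain .*-p (50|esp)( |\$)" \
      || echo "missing: $chain ip protocol 50 (ESP)"
  done
  # ESP is IP protocol 50, not UDP port 50; such a rule matches nothing useful.
  has_rule "$r" '^iptables .*-p udp .*--(s|d)port 50( |$)' \
    && echo "suspicious: udp port 50 rule (ESP is IP protocol 50, use -p 50)"
  # Tunnelled traffic destined for other hosts traverses FORWARD, not INPUT.
  has_rule "$r" '^iptables -A FORWARD ' \
    || echo "note: no FORWARD rules; tunnelled traffic to other hosts needs them and net.ipv4.ip_forward=1"
  return 0
}

# Constructed: the rule set quoted in the thread.
RULES='iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 50 --dport 50 -j ACCEPT
iptables -A OUTPUT -p udp --sport 50 --dport 50 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT'

# Constructed: the same set with the NAT-T and FORWARD rules added and the
# meaningless udp/50 rules dropped (the policy match comes from xt_policy).
FIXED='iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT'

check_ipsec_rules "$RULES"
```

Run against the quoted set it reports the two missing udp/4500 rules, the udp/50 mistake and the absent FORWARD rules; against the corrected set it prints nothing.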