[Openswan Users] Iptables and Openswan

Paul Wouters paul at xelerance.com
Tue May 19 14:37:44 EDT 2009


On Tue, 19 May 2009, Walter Willis wrote:

> I am using CentOS 4.7 with Openswan. Openswan works fine, but after the
> kernel upgrade to 2.6.18... iptables does not pass the Openswan packets.

I am not sure how the updated kernel would break iptables... but

> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

For IPsec NAT-T you are missing:

iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT

> iptables -A INPUT -p udp --sport 50 --dport 50 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 50 --dport 50 -j ACCEPT
> 
> iptables -A INPUT -p 50 -j ACCEPT
> iptables -A OUTPUT -p 50 -j ACCEPT

You will also need to have either FORWARD rules allowing things, or
ip_forward enabled in sysctl.conf.

Paul
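
The checklist in the reply above (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50, FORWARD rules plus ip_forward), as an added audit helper that is not from Openswan or from this thread: it reads `iptables -S` output on stdin and reports which requirements are absent. The sample ruleset is constructed from the question; the rule regexes assume the `-p udp -m udp --dport N` form that `iptables -S` prints.

```shell
#!/bin/sh
# Hypothetical helper (not part of Openswan): audit an iptables ruleset, as
# printed by `iptables -S`, for what an IPsec gateway needs.
# Usage on a live host:  iptables -S | check_ipsec_rules

# Print one "missing:" line per absent requirement; return 0 only if complete.
check_ipsec_rules() {
    rules=$(cat)
    missing=0
    need() {  # $1 = label, $2 = extended regex a satisfying rule must match
        if ! printf '%s\n' "$rules" | grep -Eq -- "$2"; then
            echo "missing: $1"
            missing=1
        fi
    }
    need "IKE in (udp 500)"        '^-A INPUT .*-p udp .*--dport 500( |$)'
    need "IKE out (udp 500)"       '^-A OUTPUT .*-p udp .*--(s|d)port 500( |$)'
    need "NAT-T in (udp 4500)"     '^-A INPUT .*-p udp .*--dport 4500( |$)'
    need "NAT-T out (udp 4500)"    '^-A OUTPUT .*-p udp .*--(s|d)port 4500( |$)'
    need "ESP in (ip proto 50)"    '^-A INPUT .*-p (50|esp)( |$)'
    need "ESP out (ip proto 50)"   '^-A OUTPUT .*-p (50|esp)( |$)'
    need "FORWARD accept"          '^-A FORWARD .*-j ACCEPT'
    return $missing
}

# Kernel forwarding (the sysctl.conf setting the reply mentions): 0 if enabled.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Constructed sample: the ruleset from the question. UDP 500 and ESP are
# present; the "udp port 50" lines are not ESP (ESP is IP protocol 50, which
# `iptables -S` prints as "-p esp"), and 4500/FORWARD are absent.
SAMPLE_RULES='-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 50 --dport 50 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 50 --dport 50 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT'

# Runs the audit over the sample; reports NAT-T in/out and FORWARD as missing.
audit_sample() { printf '%s\n' "$SAMPLE_RULES" | check_ipsec_rules; }
```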
