[Openswan Users] Iptables and Openswan

Walter Willis walterwn at gmail.com
Tue May 19 15:49:31 EDT 2009


Yes, the forward rule is also in the script.

2009/5/19 Paul Wouters <paul at xelerance.com>

> On Tue, 19 May 2009, Walter Willis wrote:
>
>> I am using CentOS 4.7 with Openswan. Openswan works fine, but after the kernel
>> upgrade to 2.6.18... iptables does not pass the Openswan packets.
>>
>
> I am not sure how the updated kernel would break iptables....but
>
>> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
>> iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>
>
> You are missing for IPsec NAT-T:
>
> iptables -A INPUT -p udp --dport 4500 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
>
>> iptables -A INPUT -p udp --sport 50 --dport 50 -j ACCEPT
>> iptables -A OUTPUT -p udp --sport 50 --dport 50 -j ACCEPT
>>
>> iptables -A INPUT -p 50 -j ACCEPT
>> iptables -A OUTPUT -p 50 -j ACCEPT
>>
>
> You will also need to have either FORWARD rules allowing things, or
> ip_forward enabled in sysctl.conf.
>
> Paul
>
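The complete rule set this exchange adds up to (IKE on UDP 500, NAT-T on UDP 4500, ESP matched as IP protocol 50 rather than a UDP port, and forwarding for the protected LAN), as an added example that is not code from the thread; the `ipsec_rules` and `apply_ipsec_rules` functions, the `IPTABLES`, `EXT_IF` and `LAN_NET` variables and their default values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall rules for an Openswan gateway.
# Set IPTABLES=echo to print the commands instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"               # assumed internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed protected subnet behind the gateway

# Print the rule list one per line so it can be reviewed before it is applied.
ipsec_rules() {
    # IKE (ISAKMP) negotiation on UDP 500, the rules the original poster already had
    echo "-A INPUT -i $EXT_IF -p udp --dport 500 -j ACCEPT"
    echo "-A OUTPUT -o $EXT_IF -p udp --sport 500 -j ACCEPT"
    # NAT-Traversal: IKE and UDP-encapsulated ESP both use UDP 4500 (the missing rules)
    echo "-A INPUT -i $EXT_IF -p udp --dport 4500 -j ACCEPT"
    echo "-A OUTPUT -o $EXT_IF -p udp --sport 4500 -j ACCEPT"
    # ESP is IP protocol 50, not a UDP port, so it is matched with -p 50 (or -p esp)
    echo "-A INPUT -i $EXT_IF -p 50 -j ACCEPT"
    echo "-A OUTPUT -o $EXT_IF -p 50 -j ACCEPT"
    # Decrypted traffic between the tunnel and the LAN crosses the FORWARD chain
    echo "-A FORWARD -s $LAN_NET -j ACCEPT"
    echo "-A FORWARD -d $LAN_NET -j ACCEPT"
}

# Turn on kernel routing and load every rule from ipsec_rules.
apply_ipsec_rules() {
    # Skip the sysctl when dry-running with IPTABLES=echo
    [ "$IPTABLES" = echo ] || sysctl -w net.ipv4.ip_forward=1
    ipsec_rules | while read -r rule; do
        # Word splitting of $rule into separate arguments is intended here
        $IPTABLES $rule
    done
}
```

Run `IPTABLES=echo sh thisfile.sh` after adding a final `apply_ipsec_rules` line to see the commands without touching the firewall.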