[Openswan Users] Iptables and Openswan

Michael H. Warfield mhw at WittsEnd.com
Tue May 19 18:39:28 EDT 2009


On Tue, 2009-05-19 at 12:22 -0500, Walter Willis wrote:
> I am using CentOS 4.7 with Openswan. Openswan works fine, but after the
> kernel upgrade to 2.6.18... iptables does not pass the Openswan
> packets.

> the ping net to net works fine, it responds

> iptables script:

> #!/bin/sh
> iptables -F
>
> iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

	Paul has already pointed out you need port 4500 UDP for NAT-T as well.
You also have not indicated if this is behind a NAT device or you are
talking to another system that's behind a NAT device (at which time your
ordered pair of sport and dport may be wrong).

	Just for giggles, try dropping the complementary sport and dport and
retest.

iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT

	If that works and the original doesn't, you may have some quirky
NAT'ing going on.

> iptables -A INPUT -p udp --sport 50 --dport 50 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 50 --dport 50 -j ACCEPT

	The above rules don't make sense.  UDP port 50 has nothing to do with
IPSec or IKE.

> iptables -A INPUT -p 50 -j ACCEPT
> iptables -A OUTPUT -p 50 -j ACCEPT

	You might also want to include protocol 51 (AH) in there, but it
shouldn't be required and shouldn't be breaking anything here.

> ... rules ...

	Insert the following rule just above your "DROP" rule, retest, and
examine the result:

iptables -A INPUT -j LOG

> iptables -A INPUT -j DROP

> but when I run the script the ping from net to net is not passed; the
> iptables -A INPUT -j DROP is the problem,

	You say you're using CentOS 4.7 (why not 5.3?).  I'm a little curious
why you are not using the /etc/sysconfig/iptables file and the iptables
service.  Not that it really matters.  But the default set of firewall
rules from the CentOS install should have been sufficient, so I'm not
sure what you are trying to accomplish by setting them up manually like
this.

> compile bad to kernel ??
> line the drop fail ???

	Total failure to parse the above sentences.  I have no idea what you
were asking.

> Thanks!!!

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20090519/cf2bd385/attachment.bin 
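As an added example (not part of Mike's reply, nor code from the Openswan project), the rule set the thread converges on, assembled into one small POSIX shell script: IKE on UDP 500 and NAT-T on UDP 4500 matched on destination port only (no pinned --sport, so a NAT rewriting the source port does not break it), ESP and AH matched as IP protocols 50 and 51 rather than as UDP ports, and a LOG rule placed immediately before the final DROP so that whatever the tunnel still needs shows up in the kernel log. The interface name eth0, the peer address 203.0.113.10, the state-match rule and the helper names ipt, ipsec_rules and check_rules are assumptions for illustration. By default it only prints the iptables commands (DRY_RUN=1) so the order can be reviewed; DRY_RUN=0 applies them with iptables, which needs root.

```shell
#!/bin/sh
# Added example for the Openswan/iptables thread above; not code from the
# original posts or from the Openswan project. Interface, peer address and
# helper names are assumptions. Dry run (prints the commands) unless
# DRY_RUN=0, in which case the commands are executed with iptables.
WAN="${WAN:-eth0}"              # assumed external interface
PEER="${PEER:-203.0.113.10}"    # assumed remote gateway (documentation range)
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ipsec_rules() {
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IKE on UDP 500: match only the destination port. Pinning --sport as
    # well breaks as soon as a NAT between the peers rewrites the source port.
    ipt -A INPUT  -i "$WAN" -p udp -s "$PEER" --dport 500  -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p udp -d "$PEER" --dport 500  -j ACCEPT
    # NAT-T: after NAT detection, IKE and UDP-encapsulated ESP move to UDP 4500.
    ipt -A INPUT  -i "$WAN" -p udp -s "$PEER" --dport 4500 -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p udp -d "$PEER" --dport 4500 -j ACCEPT
    # ESP (50) and AH (51) are IP protocol numbers, not UDP ports: they are
    # matched with -p 50 / -p 51 and no port option at all.
    ipt -A INPUT  -i "$WAN" -p 50 -s "$PEER" -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p 50 -d "$PEER" -j ACCEPT
    ipt -A INPUT  -i "$WAN" -p 51 -s "$PEER" -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p 51 -d "$PEER" -j ACCEPT
    # Rate-limited LOG immediately before the catch-all DROP, so anything the
    # tunnel still needs is visible in the kernel log instead of vanishing.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix ipt-drop:
    ipt -A INPUT -j DROP
}

# Review the generated list before applying it: NAT-T port present, ESP/AH
# matched as protocols (never as "udp --dport 50/51"), LOG placed before DROP.
check_rules() {
    rules=$(DRY_RUN=1; ipsec_rules)
    echo "$rules" | grep -q -- '--dport 4500' || return 1
    echo "$rules" | grep -q -- '-p 50 ' || return 1
    echo "$rules" | grep -q -- '-p 51 ' || return 1
    if echo "$rules" | grep -q -- 'udp.*--dport 5[01] '; then return 1; fi
    log_line=$(echo "$rules" | grep -n -- '-j LOG' | cut -d: -f1)
    drop_line=$(echo "$rules" | grep -n -- '-j DROP' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Usage: DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them (root).
check_rules && ipsec_rules
```

The printed list is the thing to read through once before switching DRY_RUN off: the LOG rule must be the line directly above the DROP, and nothing should carry a port option next to -p 50 or -p 51.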