[Openswan Users] weird problem

Maverick maverick.pt at gmail.com
Sat Sep 12 14:41:48 EDT 2009


Hi,

I've got a tunnel working OK, started from one machine on my internal
network, and I can access the other side of the tunnel and the other side
can access my LAN.

But now I moved Openswan to the machine that has my internet interface, my
home-made router :)

The tunnel on this machine starts OK, but when I try to access any machine
on the other side of the tunnel, it doesn't work :( but the other side can
still access my LAN :(

I don't know if it's my iptables rules, but it's weird because if I start the
tunnel on any other machine of my LAN it works fine :(

I try to ping a machine on the other side and it doesn't do anything:

# ping 10.112.32.78
PING 10.112.32.78 (10.112.32.78) 56(84) bytes of data.
.

Here are my iptables rules:

eth0 - LAN
eth3 - WAN
ipsec0 - ipsec tunnel

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth3 -j MASQUERADE
-A POSTROUTING -o ipsec0 -j MASQUERADE
-A PREROUTING -i eth3 -p tcp -m tcp -m multiport --dports 25,80,443,465,993,1194,3000 -j DNAT --to-destination 192.168.2.253
-A PREROUTING -i eth3 -p udp -m udp -m multiport --dports 1194 -j DNAT --to-destination 192.168.2.253
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp -m multiport --dports 22,902,3260,5901,9222,9333 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp -m multiport --dports 161,162,177 -j ACCEPT
-A INPUT -i eth3 -m state --state NEW -m tcp -p tcp -m multiport --dports 25,465,993,1194,3000 -j ACCEPT
-A INPUT -i eth3 -m state --state NEW -m udp -p udp -m multiport --dports 1194 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o eth3 -j ACCEPT
-A FORWARD -i eth3 -m state --state NEW -m tcp -p tcp -d 192.168.2.253 -m multiport --dports 25,80,443,465,993,1194,3000 -j ACCEPT
-A FORWARD -i eth3 -m state --state NEW -m udp -p udp -d 192.168.2.253 -m multiport --dports 1194
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
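One check worth running on a nat table like the one above, as an added example that is not from the post or from Openswan: a MASQUERADE rule that matches LAN packets bound for the remote subnet rewrites their source address before the packet is matched against the tunnel's policy, so it no longer fits the leftsubnet selector, while the remote side's traffic into the LAN is unaffected, which is one way to get exactly this one-directional behaviour. The script flags that ordering and prints a corrected table; the LAN subnet 192.168.2.0/24 and remote subnet 10.112.32.0/24 are assumptions taken from the DNAT target and the ping target, since the post does not state them.

```shell
#!/bin/sh
# Added example, not from the original post: scan an iptables-save style nat
# table for LAN-to-remote traffic that reaches a MASQUERADE rule before any
# exemption, and emit a corrected table. Assumed values: LAN 192.168.2.0/24
# and remote subnet 10.112.32.0/24 (inferred, not stated in the post).

LAN=192.168.2.0/24
REMOTE=10.112.32.0/24

# nat table constructed from the rules in the post.
RULES_ORIG='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth3 -j MASQUERADE
-A POSTROUTING -o ipsec0 -j MASQUERADE
COMMIT'

# check_nat_exemption RULESET REMOTE_SUBNET
# Exit 0 when an ACCEPT/RETURN rule for REMOTE_SUBNET precedes the first
# MASQUERADE rule in POSTROUTING (or no MASQUERADE rule exists), else 1.
check_nat_exemption() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^-A POSTROUTING / && / -j MASQUERADE/ { exit (ok ? 0 : 1) }
        /^-A POSTROUTING / && index($0, "-d " net) && / -j (ACCEPT|RETURN)/ { ok = 1 }'
}

# add_nat_exemption RULESET LAN_SUBNET REMOTE_SUBNET
# Print RULESET with a NAT exemption inserted before the first MASQUERADE
# rule, so tunnel-bound packets keep their LAN source address.
add_nat_exemption() {
    printf '%s\n' "$1" | awk -v lan="$2" -v net="$3" '
        /^-A POSTROUTING / && / -j MASQUERADE/ && !done {
            print "-A POSTROUTING -s " lan " -d " net " -j ACCEPT"; done = 1 }
        { print }'
}

if check_nat_exemption "$RULES_ORIG" "$REMOTE"; then
    echo "nat table: traffic to $REMOTE is exempt from MASQUERADE"
else
    echo "nat table: traffic to $REMOTE would be masqueraded; corrected table:"
    add_nat_exemption "$RULES_ORIG" "$LAN" "$REMOTE"
fi
```

Feeding the live ruleset in with `iptables-save -t nat` in place of the constructed string runs the same check against a real box.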
