[Openswan Users] openswan + xl2tpd + iptables issues

Dennison Williams dennison.williams at gmail.com
Thu Apr 1 22:46:51 EDT 2010


Hello,

I have found a number of good threads regarding this subject in the
archives, but I still seem to be missing the point.

Using openswan U2.6.25/K2.6.26-2-486 (netkey) with a client trying to
make use of xl2tpd via a NAT-T connection, I am unable to get my marked
packets through the firewall.  This obviously reeks of a firewall
misconfiguration, but I cannot seem to find the issue anywhere.  I am
able to get the IPsec SA established in tunnel mode, no problem.

The basics of the firewall config are as follows (with the extended
version below):
iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 4500 -j MARK --set-mark 1
iptables -t filter -A INPUT -i eth1 -m mark --mark 1 -j ACCEPT
iptables -t filter -A INPUT -j LOG
iptables -t filter -A INPUT -j REJECT

Whenever I attempt to bring up the xl2tp connection from a Linux client
I see the count for the first rule increasing in the mangle/PREROUTING
table, but the match is never found in the filter/INPUT table at the 3rd
rule.  eth1 is my external-facing interface with a public IP address, by
the way.

Any feedback is appreciated.
Sincerely,
Dennison Williams

Kernel: 2.6.26-2-486
Distro: Debian 5.0.4
iptables: v1.4.2
iptables-save output:
# Completed on Thu Apr  1 19:46:09 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 19:46:09 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8424:1975530]
:Accounting - [0:0]
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j Accounting
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m mark --mark 0x1 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A Accounting -o eth1
-A Accounting -i eth1
-A Accounting -p tcp -m multiport --ports 22
-A Accounting -p tcp -m multiport --ports 25
-A Accounting -p tcp -m multiport --ports 9001
-A Accounting -p tcp -m multiport --ports 9030
-A Accounting -p tcp -m multiport --ports 80
-A Accounting -p tcp -m multiport --ports 443
-A Accounting -p tcp -m multiport --ports 5667
-A Accounting -p esp
-A Accounting -p udp -m multiport --ports 500,4500
-A Accounting -p tcp -m multiport --ports 5038,2000
-A Accounting -p udp -m multiport --ports 2727,5060,5060,4569,4569
COMMIT
# Completed on Thu Apr  1 19:46:09 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 19:46:09 2010
*mangle
:PREROUTING ACCEPT [10062:4459588]
:INPUT ACCEPT [10062:4459588]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8637:1986276]
:POSTROUTING ACCEPT [8640:1986501]
-A PREROUTING -i eth1 -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth1 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth1 -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Thu Apr  1 19:46:09 2010

I will post any other information if you think it will help debug this
issue, but since this isn't even getting to the xl2tpd server and the
ipsec link seems good.
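
A worked example, added here and not part of the post above: a small first-match model of the posted INPUT chain. Rule counters in iptables only move on the first terminating rule a packet reaches, so "rule N never matches" is often explained by an earlier rule having already accepted the packet. The script replays a few constructed packets (the conntrack state and mark given to each packet, the eth1 address 198.51.100.1, and the extra xt_policy rule are all assumptions, not observations from the poster's box) through the chain exactly as quoted, and reports which rule takes each one. The `-m recent` rules are deliberately not modelled and never match in this model.

```python
"""Added example: first-match walk of the INPUT chain quoted above (not the poster's code)."""
import ipaddress
import shlex

# INPUT chain copied from the iptables-save output in the post, mail wrapping undone.
INPUT_CHAIN = """\
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j Accounting
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m mark --mark 0x1 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""
# Assumption, not from the post: xt_policy matches packets that were just
# decapsulated from an inbound IPsec SA, whatever their mark.
POLICY_RULE = ("-A INPUT -i eth1 -p udp -m udp --dport 1701 "
               "-m policy --dir in --pol ipsec -j ACCEPT")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG and the Accounting jump fall through


def parse_rule(line):
    """Reduce one '-A INPUT ...' line to (predicate dict, target)."""
    toks = shlex.split(line)
    preds, target, i = {}, None, 0
    while i < len(toks):
        t = toks[i]
        if t == "-i" and toks[i + 1] == "!":          # iptables 1.4.2 prints '-i ! lo'
            preds["iface_not"] = toks[i + 2]; i += 3
        elif t in ("-i", "-p", "-d", "--dport", "--mark", "--icmp-type", "--pol"):
            preds[t] = toks[i + 1]; i += 2
        elif t == "--state":
            preds[t] = set(toks[i + 1].split(",")); i += 2
        elif t == "-m" and toks[i + 1] == "recent":   # rate-limit history is not modelled
            preds["unmodelled"] = True; i += 2
        elif t == "-j":
            target = toks[i + 1]; i += 2
        else:
            i += 1  # -A INPUT, -m udp, --limit 1/sec, --reject-with ... add no predicate
    return preds, target


def matches(preds, pkt):
    """True when every modelled predicate holds; unmodelled matches never hold."""
    if preds.get("unmodelled"):
        return False
    checks = {
        "iface_not": lambda v: pkt["iface"] != v,
        "-i": lambda v: pkt["iface"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--mark": lambda v: pkt.get("mark", 0) == int(v, 0),
        "--state": lambda v: pkt.get("state") in v,
        "--icmp-type": lambda v: pkt.get("icmp_type") == int(v),
        "--pol": lambda v: pkt.get("ipsec_in", False) == (v == "ipsec"),
    }
    return all(checks[k](v) for k, v in preds.items() if k in checks)


def first_verdict(chain_text, pkt):
    """Walk the chain in order; return (1-based rule number, target) of the first
    terminating match, or (None, None) if the chain policy would apply."""
    for n, line in enumerate(chain_text.splitlines(), 1):
        preds, target = parse_rule(line)
        if target in TERMINATING and matches(preds, pkt):
            return n, target
    return None, None


def explain_post():
    """Constructed packets for the post's scenario; state and mark are assumptions."""
    base = {"iface": "eth1", "dst": "198.51.100.1"}  # constructed public address of eth1
    cases = {
        # first IKE packet: conntrack NEW, marked by mangle/PREROUTING
        "ike_first": dict(base, proto="udp", dport=500, mark=1, state="NEW"),
        # later NAT-T packet: conntrack has seen both directions by now
        "natt_later": dict(base, proto="udp", dport=4500, mark=1, state="ESTABLISHED"),
        # decapsulated L2TP packet, once assuming the mark survived and once not
        "l2tp_marked": dict(base, proto="udp", dport=1701, mark=1, state="NEW"),
        "l2tp_unmarked": dict(base, proto="udp", dport=1701, mark=0, state="NEW"),
    }
    out = {name: first_verdict(INPUT_CHAIN, pkt) for name, pkt in cases.items()}
    # the unmarked packet again, against a chain with the policy rule inserted before LOG
    lines = INPUT_CHAIN.splitlines()
    lines.insert(lines.index("-A INPUT -j LOG"), POLICY_RULE)
    out["l2tp_unmarked_policy"] = first_verdict(
        "\n".join(lines), dict(cases["l2tp_unmarked"], ipsec_in=True))
    return out


if __name__ == "__main__":
    for name, (rule, verdict) in explain_post().items():
        print(f"{name:22s} -> rule {rule} {verdict}")
```

Two things the walk makes visible. A marked UDP/4500 packet whose flow conntrack already considers ESTABLISHED is accepted by rule 5 and never reaches the mark rule at 6, so that rule's counter stays flat even though the mangle rule fires on every packet. And the decapsulated L2TP packet lands on rule 6 or on the final REJECT depending solely on whether it still carries the mark, which the model does not decide; the xt_policy variant keys on the fact that the packet came out of an inbound IPsec SA instead. Compare the model's rule numbers against the live counters from `iptables -vnL INPUT --line-numbers` to see which assumption holds on the box.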
