[Openswan Users] openswan + xl2tpd + iptables issues

[Dennison Williams]

Hello,

I have found a number of good threads regarding this subject in the
archives, but I still seem to be missing the point.

Using openswan U2.6.25/K2.6.26-2-486 (netkey) with a client trying to
make use of xl2tpd via a NAT-T connection I am unable to get my marked
packets through the firewall.  This obviously reeks of a firewall
misconfiguration, but I can not seem to find the issue any where.  I am
able to get the IPsec SA established in tunnel mode no problem.

The basics of the firewall config is as follows (with the extended
version below):
iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 4500 -j MARK
--set-mark 1
iptables -t filter -A INPUT -i eth1 -m mark --mark 1 -j ACCEPT
iptables -t filter -A INPUT -j LOG
iptables -t filter -A INPUT -j REJECT

whenever I attempt to bring up the xl2tp connection from a linux client
I see the count for the first rule increasing in the mangle/PREROUTING
table, but the match is never found in the filter/INPUT table at the 3rd
rule.  eth1 is my external facing interface with a public ip addr by the
way.

Any feedback is appreciated.
Sincerely,
Dennison Williams

Kernel: 2.6.26-2-486
Distro: Debian 5.0.4
iptables: v1.4.2
iptables-save output:
# Completed on Thu Apr  1 19:46:09 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 19:46:09 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8424:1975530]
:Accounting - [0:0]
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with
icmp-port-unreachable
-A INPUT -j Accounting
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m mark --mark 0x1 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j
ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent
--update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
--name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1701 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A Accounting -o eth1
-A Accounting -i eth1
-A Accounting -p tcp -m multiport --ports 22
-A Accounting -p tcp -m multiport --ports 25
-A Accounting -p tcp -m multiport --ports 9001
-A Accounting -p tcp -m multiport --ports 9030
-A Accounting -p tcp -m multiport --ports 80
-A Accounting -p tcp -m multiport --ports 443
-A Accounting -p tcp -m multiport --ports 5667
-A Accounting -p esp
-A Accounting -p udp -m multiport --ports 500,4500
-A Accounting -p tcp -m multiport --ports 5038,2000
-A Accounting -p udp -m multiport --ports 2727,5060,5060,4569,4569
COMMIT
# Completed on Thu Apr  1 19:46:09 2010
# Generated by iptables-save v1.4.2 on Thu Apr  1 19:46:09 2010
*mangle
:PREROUTING ACCEPT [10062:4459588]
:INPUT ACCEPT [10062:4459588]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8637:1986276]
:POSTROUTING ACCEPT [8640:1986501]
-A PREROUTING -i eth1 -p udp -m udp --dport 500 -j MARK --set-xmark
0x1/0xffffffff
-A PREROUTING -i eth1 -p udp -m udp --dport 4500 -j MARK --set-xmark
0x1/0xffffffff
-A PREROUTING -i eth1 -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Thu Apr  1 19:46:09 2010

I will post any other information if you think it will help debug this
issue, but since this isn't even getting to the xl2tpd server and the
ipsec link seems good.