[Openswan Users] L2TP packets being dropped at server

Paul Wouters paul at xelerance.com
Fri Feb 26 15:11:15 EST 2010

On Fri, 26 Feb 2010, Will Roberts wrote:

> iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
> iptables -A ironwall -i eth0 -p udp --dport 1701 -j DROP

that's wrong. use:

iptables -t mangle -A PREROUTING -i eth1 -p 50 -j MARK --set-mark 50
iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 500 -j MARK --set-mark 50
iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 4500 -j MARK --set-mark 50

iptables -A INPUT --mark 50 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP

(mark number is arbitrarilly. openswan tends to use "50" because IPsec ESP is
  protocol number 50)

The mark stays on the packet after decryption, so anything that survives
decrypting is allowed onwards. Your above rule will not work because
NETKEY puts the decrypted packet back in the kernel and it passes the
rules again and you then drop it based on the destination port.


More information about the Users mailing list