[Openswan Users] L2TP packets being dropped at server
Paul Wouters
paul at xelerance.com
Fri Feb 26 15:11:15 EST 2010
On Fri, 26 Feb 2010, Will Roberts wrote:
> iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
> iptables -A ironwall -i eth0 -p udp --dport 1701 -j DROP
that's wrong. use:
iptables -t mangle -A PREROUTING -i eth1 -p 50 -j MARK --set-mark 50
iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 500 -j MARK --set-mark 50
iptables -t mangle -A PREROUTING -i eth1 -p udp --dport 4500 -j MARK --set-mark 50
iptables -A INPUT -m mark --mark 50 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
(The mark number is arbitrary. Openswan tends to use "50" because IPsec ESP is
protocol number 50.)
The mark stays on the packet after decryption, so anything that survives
decrypting is allowed onwards. Your above rule will not work because
NETKEY puts the decrypted packet back in the kernel and it passes the
rules again and you then drop it based on the destination port.
Paul
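The rule set from the reply, as an added example that is not part of the original thread: a function that emits it in iptables-restore format (outside interface and mark value are parameters; eth1 and 50 are the values used above), plus a check that an iptables-save dump has the mark ACCEPT ahead of the udp/1701 DROP in INPUT, since the decrypted L2TP packet traverses INPUT a second time and would otherwise be dropped. The `check_order` helper is my own; it accepts the mark written either in decimal or in the 0x hex form iptables-save prints.

```shell
#!/bin/sh
# Emit the mark-based filtering from the reply as an iptables-restore stanza.
# $1 = outside interface (e.g. eth1), $2 = mark value (e.g. 50).
l2tp_ipsec_rules() {
  iface=$1; mark=$2
  cat <<EOF
*mangle
-A PREROUTING -i $iface -p 50 -j MARK --set-mark $mark
-A PREROUTING -i $iface -p udp --dport 500 -j MARK --set-mark $mark
-A PREROUTING -i $iface -p udp --dport 4500 -j MARK --set-mark $mark
COMMIT
*filter
-A INPUT -m mark --mark $mark -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
COMMIT
EOF
}

# Verify ordering in an iptables-save dump read from stdin: in the filter
# table's INPUT chain, "-m mark --mark <mark> -j ACCEPT" must come before
# "--dport 1701 -j DROP". $1 = mark (decimal). Returns 0 when the order is
# right, 1 otherwise. iptables-save prints marks as hex (0x32 for 50), so
# both spellings are accepted.
check_order() {
  awk -v mark="$1" '
    BEGIN { hex = sprintf("0x%x", mark + 0) }
    /^\*/ { table = $1 }
    table == "*filter" && /^-A INPUT / {
      n++
      if ($0 ~ ("-m mark --mark " mark " -j ACCEPT") ||
          $0 ~ ("-m mark --mark " hex " -j ACCEPT")) accept = n
      if ($0 ~ /--dport 1701 -j DROP/) drop = n
    }
    END { exit !(accept && drop && accept < drop) }'
}
```

Load the generated rules with `l2tp_ipsec_rules eth1 50 | iptables-restore -n` and audit a running box with `iptables-save | check_order 50`.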