[Openswan Users] L2TP packets being dropped at server
Paul Wouters
paul at xelerance.com
Sat Feb 27 00:11:30 EST 2010
On Fri, 26 Feb 2010, Will Roberts wrote:
> On Fri, Feb 26, 2010 at 3:11 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 26 Feb 2010, Will Roberts wrote:
>
> iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
> iptables -A ironwall -i eth0 -p udp --dport 1701 -j DROP
>
>
> that's wrong.
>
>
> I've never used netfilter's IPsec policy matching before, but from what I read on the man page that rule should match all incoming packets that were
> decrypted by IPsec.
That's not how I read it:
--pol {none|ipsec}
Matches if the packet is subject to IPsec processing.
However, after decrypting such a matched packet, the decrypted packet is put back into the
table and processing happens again from the start. On that run, --pol ipsec will not
match. And your DROP rule will match.
> Those rules do seem to work as they are; have I misunderstood what that rule is actually matching?
Maybe there is another reason it is ACCEPT'ed?
Paul
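The two readings of `-m policy --dir in --pol ipsec` in this thread can be settled on the box itself rather than from the man page: put the policy-matched ACCEPT for udp/1701 ahead of the cleartext DROP, then watch which rule's packet counter grows while a client is connected. The script below is an added example, not part of the original exchange and not Openswan's own configuration; it assumes plain INPUT rather than Will's `ironwall` chain and `eth0`, and the `iptables -nvL` sample it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: rule ordering for an L2TP/IPsec server plus a counter check
# that shows whether the policy match is actually hitting decrypted packets.
# Assumes iptables with the xt_policy extension; chain and port layout are
# illustrative, not copied from the thread's (custom "ironwall" chain) setup.

# Emit the rules in an order that makes the intent unambiguous: IKE and ESP
# are let in, L2TP (udp/1701) is accepted only when it arrived inside IPsec,
# and cleartext udp/1701 is dropped. Order matters within a chain: an
# unconditional DROP that precedes the policy-matched ACCEPT would win.
l2tp_ruleset() {
    cat <<'EOF'
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j DROP
EOF
}

# Sanity check on the emitted ruleset: the policy-matched ACCEPT for 1701
# must come before the plain DROP for 1701. Exit status 0 when the order is right.
ruleset_order_ok() {
    l2tp_ruleset | awk '
        /dport 1701/ && /--pol ipsec/ { accept = NR }
        /dport 1701/ && /-j DROP/     { drop = NR }
        END { exit !(accept && drop && accept < drop) }'
}

# Read the text of `iptables -nvL INPUT -x` on stdin and print
# "<pkts> <target> policy|plain" for every udp/1701 rule, so the counters of
# the policy-matched rule and the cleartext rule can be compared. Whichever
# counter grows while an L2TP client sends traffic is the rule that matches.
l2tp_counters() {
    awk '/udp dpt:1701/ { print $1, $3, ($0 ~ /policy match/ ? "policy" : "plain") }'
}

# Constructed sample of `iptables -nvL INPUT -x` output (not from a real host),
# fed through l2tp_counters so the example runs offline.
demo_counters() {
    cat <<'EOF' | l2tp_counters
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     5040 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
       0        0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
EOF
}
```

To apply the ruleset on a server run `l2tp_ruleset | sh` as root; to check live counters, run `iptables -nvL INPUT -x | l2tp_counters` before and after a client connects. In the constructed sample the policy-matched ACCEPT shows 42 packets and the cleartext DROP shows 0, which is the pattern you see when decrypted L2TP is being matched by the policy rule.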