[Openswan Users] anything wrong with these iptables?

Tuomo Soini tis at foobar.fi
Mon Jul 19 05:32:16 EDT 2010

Paul Wouters wrote:
> On Thu, 15 Jul 2010, Ryan McLeod wrote:
>> I'm having some minor problems when a vpn re-establishes after one of the vpn devices are rebooted. It's an ASA to openswan setup. I just
>> want to know if these iptable settings are proper.
>> $IPTABLES -A INPUT -p udp  --dport 500 -j ACCEPT
>> $IPTABLES -A OUTPUT -p udp  --dport 500 -j ACCEPT
>> $IPTABLES -A INPUT -p udp  --dport 4500 -j ACCEPT
>> $IPTABLES -A OUTPUT -p udp  --dport 4500 -j ACCEPT
> This is not complete. the 4500 connection usually comes in from a random high port
> $IPTABLES -A OUTPUT -p udp  --sport 4500 -j ACCEPT

And for nat-t initial nat-t connection to udp 500 comes from random high
port too...

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

More information about the Users mailing list