[Openswan Users] ipsec gateway firewall guidance

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri Mar 22 21:09:23 UTC 2013

On Friday, March 22, 2013 03:37:42 PM sibu wrote:
> Greetings
> I am trying to configure iptables on a ppp gateway (ppp1 ip address =
> $pppIP). I have tunnelled ssh packets to FORWARD to a host (of address
> $SOMEHOST_IP). On the gateway firewall, do I need rules like these?

> And ALSO, because the packets are to be forwarded, do I need prerouting rules,
> and if I do, what might this be to preroute tunneled ssh to $SOMEHOST_IP?

If you are using KLIPS and:
  - you have configured the IPSEC tunnel correctly,
  - the local Openswan (pluto) runs on the gateway, and
  - you are connecting a remote SSH session through the VPN to an SSH server
    on a host behind your gateway
you should only need to enable forwarding:
  echo 1 > /proc/sys/net/ipv4/ip_forward
which the gateway should already do. Openswan should take care of the routing 
for you. The remote SSH client should be able to connect directly to the local 
internal SSH server's IP address.

The gateway already knows where to send packets to your internal SSH server. 
Once the VPN is up, the gateway also knows where to send packets to the 
remote's IP address. It is simple routing; all packets are sent through the 
FORWARD chain.

There's one caveat. If you have netfilter rules controlling packets traversing 
between your internal LAN and the VPN, you'll need to ACCEPT NEW,ESTABLISHED 
conns on your SSH port from the remote IP on the ipsecN: interface when the 
packets arrive from the VPN, and you'll need to ACCEPT ESTABLISHED conns from 
your internal SSH server to the remote's IP.

If you aren't using KLIPS, things are probably a little different.
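As an added example (not part of Neal's reply and not Openswan's own configuration), here is a small POSIX shell helper that emits the FORWARD rules the caveat above describes for the KLIPS case: accept NEW,ESTABLISHED SSH connections arriving from the remote's address on the ipsecN interface toward the internal SSH server, and accept only ESTABLISHED traffic back from that server to the remote. The interface names (ipsec0, eth1), the addresses and the port are constructed placeholders; substitute your own. The script prints the commands rather than applying them, so it can be reviewed first and then piped into a root shell.

```shell
#!/bin/sh
# Added example, not from the original post. Values below are constructed
# placeholders (assumptions): adjust them to the real gateway.
IPSEC_IF="ipsec0"           # KLIPS virtual interface carrying decrypted VPN traffic
LAN_IF="eth1"               # interface facing the internal LAN
REMOTE_IP="203.0.113.10"    # remote SSH client's address as seen through the VPN
SSH_SERVER_IP="192.168.1.20" # internal SSH server behind the gateway
SSH_PORT="22"

# Print, one per line, the commands needed on the gateway:
#  1. enable forwarding (the sysctl equivalent of the echo shown in the reply),
#  2. allow new and established SSH from the remote, in from ipsecN, out to the LAN,
#  3. allow only established replies from the SSH server back toward the remote.
# Both rules are limited to the two hosts and the SSH port so that an open
# tunnel does not become a general path into the LAN.
vpn_ssh_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $IPSEC_IF -o $LAN_IF -s $REMOTE_IP -d $SSH_SERVER_IP -p tcp --dport $SSH_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $IPSEC_IF -s $SSH_SERVER_IP -d $REMOTE_IP -p tcp --sport $SSH_PORT -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Number of commands the helper produces; handy for a quick sanity check.
vpn_ssh_rule_count() {
    vpn_ssh_rules | wc -l | tr -d ' '
}

# Usage: review the output, then apply as root with:  vpn_ssh_rules | sh
[ "${1:-}" = "--show" ] && vpn_ssh_rules
```

Note that no PREROUTING (nat) rule is involved: as the reply says, the SSH client addresses the internal server directly and the traffic is plain routing through FORWARD. If your FORWARD chain's policy is DROP, these two rules are exactly what lets the tunnelled SSH session through; if it is ACCEPT, they are redundant but harmless.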
