[Openswan Users] ipsec gateway firewall guidance
neal.p.murphy at alum.wpi.edu
Fri Mar 22 21:09:23 UTC 2013
On Friday, March 22, 2013 03:37:42 PM sibu wrote:
> I am trying to configure IPtables on a ppp gateway (ppp1 ipaddress =
> $pppIP). I have tunnelled ssh packets to FORWARD to a host (
> of address $SOMEHOST_IP). On the gateway firewall, do I need rules
> like these?
> And ALSO because the packets are to be forwarded do I need prerouting rules
> and if I do what might this be to preroute tunneled ssh to $SOMEHOST_IP
If you are using KLIPS and:
- you have configured the IPSEC tunnel correctly,
- the local Openswan (pluto) runs on the gateway, and
- you are connecting a remote SSH session through the VPN to an SSH server
on a host behind your gateway
you should only need to enable forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
which the gateway should already do. Openswan should take care of the routing
for you. The remote SSH client should be able to connect directly to the local
internal SSH server's IP address.
The gateway already knows where to send packets to your internal SSH server.
Once the VPN is up, the gateway also knows where to send packets to the
remote's IP address. It is simple routing; all packets are sent through the
There's one caveat. If you have netfilter rules controlling packets traversing
between your internal LAN and the VPN, you'll need to ACCEPT NEW,ESTABLISHED
conns on your SSH port from the remote IP on the ipsecN: interface when the
packets arrive from the VPN, and you'll need to ACCEPT ESTABLISHED conns from
your internal SSH server to the remote's IP.
If you aren't using KLIPS, things are probably a little different.
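The rule set Neal describes for the KLIPS case, written out as an added example (this is not code from the thread or from the Openswan project). The addresses, the ipsec0 interface name and the eth1 LAN interface are constructed placeholders; KLIPS exposes the VPN as an ipsecN interface, and ipsec0 is assumed here. The script prints the commands for review unless APPLY=1 is set, so it can be checked before it touches the firewall.

```shell
#!/bin/sh
# Added example: forwarding and netfilter rules for SSH over a KLIPS tunnel.
# Every value below is a constructed placeholder; replace it with your own.
SSH_SERVER_IP="192.0.2.10"   # internal SSH server behind the gateway ($SOMEHOST_IP)
REMOTE_IP="203.0.113.5"      # far end of the VPN, the remote SSH client
IPSEC_IF="ipsec0"            # KLIPS virtual interface (ipsecN; ipsec0 assumed)
LAN_IF="eth1"                # interface toward the internal LAN (assumed)
SSH_PORT="22"

# Dry-run wrapper: print the command unless APPLY=1, then run it for real.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward"; Openswan handles
# the routing once the tunnel is up, so no NAT or PREROUTING rule is added.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Only two FORWARD rules are needed when the firewall filters LAN<->VPN traffic:
#  1. NEW and ESTABLISHED SSH from the remote IP, arriving on the ipsecN
#     interface, to the internal SSH server.
#  2. ESTABLISHED replies only, from the SSH server back to the remote IP,
#     so the server cannot open connections toward the remote on its own.
ssh_vpn_rules() {
    run iptables -A FORWARD -i "$IPSEC_IF" -o "$LAN_IF" \
        -s "$REMOTE_IP" -d "$SSH_SERVER_IP" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$IPSEC_IF" \
        -s "$SSH_SERVER_IP" -d "$REMOTE_IP" -p tcp --sport "$SSH_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Print (or, with APPLY=1, apply) the full set.
enable_forwarding
ssh_vpn_rules
```

Run it once without APPLY to read the rules it would add; the second rule deliberately lacks NEW, which is the asymmetry Neal points out between the inbound and return directions. If the rest of the FORWARD chain ends in a DROP policy, these two rules are all the SSH session needs; anything else crossing between LAN and VPN still has to be allowed explicitly.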