<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Replying to my own post, the ClearOS kernel upgrade broke their
firewall application which they did not update until yesterday.<br>
<br>
FWIW, ClearOS appear to use an interesting alternative rule which
shows in the iptables listing as:<br>
<br>
<pre>
Chain POSTROUTING (policy ACCEPT 71323 packets, 7903K bytes)
 pkts bytes target     prot opt in     out     source               destination
  316 26328 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
</pre>
<br>
I think this translates to something like:<br>
<br>
<small><font face="Courier New">iptables -t nat -I POSTROUTING -m
policy --dir out --pol ipsec -j ACCEPT</font></small><br>
<br>
This seems to have the advantage over the rule often quoted below
that you don't need to know either the source or destination LAN
addresses and is therefore totally generic. Linux experts may have
another view on this.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
On 23/04/2012 09:48, Nick Howitt wrote:
<blockquote cite="mid:4F951755.9030607@gmail.com" type="cite">Hi,
<br>
<br>
I've been running openswan 2.6.38 since it was released in ClearOS
5.2 using kernel 2.6.18-194.8.1.v5 with no problem. There was a
recent kernel update to ClearOS to 2.6.18-308.1.1.v5 so I rebooted
my server today to apply the update. I then lost all communication
with my remote router (Draytek 2900). Just to be sure I recompiled
Openswan and reinstalled it but got nowhere. I can see the IPSec
SA being established in /var/log/secure but no traffic goes
through the tunnel. I added a firewall rule " iptables -t nat -I
POSTROUTING -s 192.168.2.0/24 -d 192.168.10.0/24 -j RETURN" and
suddenly everything returned to normal. I've been using this setup
for a few years now without any such firewall rule in place.
Have you any idea what has changed and where I can look?
<br>
<br>
Thanks,
<br>
<br>
Nick
<br>
_______________________________________________
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
</blockquote>
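A check for the rule ordering discussed in this thread, added here as an example and not code from ClearOS or Openswan: it parses a listing in the <tt>iptables -t nat -L POSTROUTING -v -n</tt> format shown above and reports whether an IPsec bypass rule (the generic policy-match ACCEPT or the subnet RETURN) sits ahead of the first MASQUERADE/SNAT rule. The sample listing is constructed; the MASQUERADE line is an assumption.

```python
# Constructed sample in the format of `iptables -t nat -L POSTROUTING -v -n`,
# modelled on the listing in the mail; the MASQUERADE line is an assumption.
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 71323 packets, 7903K bytes)
 pkts bytes target     prot opt in     out     source               destination
  316 26328 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
 1200 98765 MASQUERADE all  --  *      eth0    192.168.2.0/24       0.0.0.0/0
"""

FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_chain(listing):
    """Return the rules of one chain as dicts; match text after the 9 columns goes in 'extras'."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Chain", "pkts"):  # banner, column header, blanks
            continue
        rule = dict(zip(FIELDS, parts[:9]))
        rule["extras"] = " ".join(parts[9:])
        rules.append(rule)
    return rules

def is_ipsec_bypass(rule):
    """Either rule from the thread: generic 'policy match ... pol ipsec' ACCEPT/RETURN,
    or a plain RETURN for a subnet pair. Both stop later NAT rules from rewriting."""
    if rule["target"] not in ("ACCEPT", "RETURN"):
        return False
    return "pol ipsec" in rule["extras"] or rule["target"] == "RETURN"

def is_nat_rule(rule):
    return rule["target"] in ("MASQUERADE", "SNAT", "NETMAP")

def check_postrouting(listing):
    """Return (ok, message): ok when a bypass precedes the first NAT rule, or no NAT rule exists."""
    rules = parse_chain(listing)
    first_nat = next((i for i, r in enumerate(rules) if is_nat_rule(r)), None)
    first_bypass = next((i for i, r in enumerate(rules) if is_ipsec_bypass(r)), None)
    if first_nat is None:
        return True, "no SNAT/MASQUERADE in POSTROUTING; tunnel traffic is not rewritten"
    if first_bypass is None:
        return False, "NAT rule present but no IPsec bypass: tunnel traffic will be NATed"
    if first_bypass < first_nat:
        return True, "bypass at rule %d precedes NAT at rule %d" % (first_bypass + 1, first_nat + 1)
    return False, "bypass at rule %d is after NAT at rule %d; insert it earlier (-I)" % (first_bypass + 1, first_nat + 1)

if __name__ == "__main__":
    print(check_postrouting(SAMPLE_LISTING))
```

Feed it the real output of <tt>iptables -t nat -L POSTROUTING -v -n</tt> on the gateway to confirm the bypass rule was inserted (with <tt>-I</tt>) ahead of the masquerade rule rather than appended after it.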
</body>
</html>