First of all, please email the list your ipsec config for this conn. It
sounds as if you have not set it up correctly.
As for when packets are processed, packets get filtered before they hit the
ipsec transport system. Linux goes "Oh, I have a packet, I must filter it
NOW!"
It also looks as if you're filtering at all times (input, output, forwarding)
in the filter table. You should most likely be filtering incoming packets
at input (permitting... ip-proto-50 and 500/udp), and I would assume that
you would permit all forwarding.
If you want to send us your firewall script, please do.
BTW, if you want to get with somebody to sort this out in person, I would be
more than happy to help out. I'm in Greensboro.
-----Original Message-----
From: Britt Ethan Houser [mailto:behouser_at_unity.ncsu.edu]
Sent: Tuesday, April 09, 2002 6:52 PM
To: users_at_lists.freeswan.org
Subject: [Users] iptables and freeswan
I have freeswan up and running on a couple machines, and I want to build a
firewall which only allows ESP, AH, ISAKMP, or broadcast traffic in and out
of my box, and logs any new connections being established (I know this is
weird....but it's what I need). I have set up the following ruleset:
[root_at_laketahoe root]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy DROP)
target prot opt source destination
ipsec all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ipsec all -- anywhere anywhere
Chain ipsec (2 references)
target prot opt source destination
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
LOG all -- anywhere anywhere state NEW LOG level warning
ACCEPT udp -- anywhere anywhere udp spt:isakmp dpt:isakmp
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root_at_laketahoe root]#
With this firewall in place, I can setup the ipsec connection, and ping
the broadcast address. However, I cannot ping from one side to the other.
I get the following when I am trying to ping:
[root_at_laketahoe root]# ping 192.168.1.107
PING 192.168.1.107 (192.168.1.107) from 192.168.1.108 : 56(84) bytes of data.
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
.107 is the other side of my ipsec tunnel. If I turn the firewall off
on this side, I can ping out, but get nothing in return. It's as if the
filters are being applied before the packet is encrypted. Is this correct
behavior? Am I missing something here?
thx,
britt
--
I therefore, a prisoner for the Lord, beg you to lead a life worthy of the calling to which you have been called, with all lowliness and meekness, with patience, forbearing one another in love, eager to maintain the unity of the Spirit in the bond of peace. Eph 4:1-3
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
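As an added example (not code from either poster), here is the kind of ruleset the reply describes, applied to Britt's requirements. It goes one step beyond the reply by assuming FreeS/WAN's KLIPS, where the cleartext packet is filtered on the virtual ipsec0 interface before encryption and the ESP packet is filtered again on the physical interface, so both forms must be admitted; the names eth0 and ipsec+ and the DRYRUN switch are my assumptions.

```shell
#!/bin/sh
# Added example, not from either poster. Under FreeS/WAN's KLIPS the tunnel
# is a virtual ipsecN interface stacked on the physical one, so a tunnelled
# packet crosses the filter table twice: in clear on ipsec0, then as ESP on
# eth0. Britt's chain admits only the second form, so the clear packet is
# dropped by the OUTPUT policy ("sendto: Operation not permitted").
# Assumed: physical interface eth0, tunnel interfaces ipsec+, DRYRUN switch.
EXT="${EXT:-eth0}"
IPSEC_IF="${IPSEC_IF:-ipsec+}"

ipt() {
    if [ -n "${DRYRUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_ruleset() {
    # Default-deny in all three chains of the filter table, as before.
    ipt -F; ipt -X
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP

    # 1. Outer packets on the physical interface: ESP (50), AH (51) and
    #    ISAKMP (udp/500), in both directions.
    for proto in 50 51; do
        ipt -A INPUT  -i "$EXT" -p "$proto" -j ACCEPT
        ipt -A OUTPUT -o "$EXT" -p "$proto" -j ACCEPT
    done
    ipt -A INPUT  -i "$EXT" -p udp --sport 500 --dport 500 -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -p udp --sport 500 --dport 500 -j ACCEPT

    # 2. Broadcast traffic, as the original ruleset already allowed.
    ipt -A INPUT  -d 255.255.255.255 -j ACCEPT
    ipt -A OUTPUT -d 255.255.255.255 -j ACCEPT

    # 3. Inner (cleartext) packets on the tunnel interface: log each new
    #    connection, then accept. Nothing in clear is accepted on eth0.
    ipt -A INPUT  -i "$IPSEC_IF" -m state --state NEW -j LOG --log-level warning --log-prefix "ipsec-new: "
    ipt -A OUTPUT -o "$IPSEC_IF" -m state --state NEW -j LOG --log-level warning --log-prefix "ipsec-new: "
    ipt -A INPUT  -i "$IPSEC_IF" -j ACCEPT
    ipt -A OUTPUT -o "$IPSEC_IF" -j ACCEPT

    # 4. Forwarding: the reply suggests permitting it all; this narrows that
    #    to traffic entering or leaving through the tunnel.
    ipt -A FORWARD -i "$IPSEC_IF" -j ACCEPT
    ipt -A FORWARD -o "$IPSEC_IF" -j ACCEPT
}

case "${1:-}" in
    apply) build_ruleset ;;            # load the rules (needs root)
    show)  DRYRUN=1 build_ruleset ;;   # print them without touching the kernel
esac
```

Run `sh firewall.sh show` to review the generated rules and `sh firewall.sh apply` to load them; `iptables -L -v` afterwards should show the ipsec+ ACCEPT counters climbing when the ping succeeds.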
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:50 CEST