
RE: [Users] iptables and freeswan

From: Simon Istvan (Istvan.Simon_at_apss.at)
Date: Wed Apr 10 2002 - 08:07:48 CEST


I have put the following rules into my _updown script for experimenting:

iptables -I INPUT -i ipsec0 -j ACCEPT
iptables -I FORWARD -i ipsec0 -j ACCEPT
iptables -I FORWARD -o ipsec0 -j ACCEPT
iptables -I OUTPUT -o ipsec0 -j ACCEPT

It would be easier to see your problem using the list of the iptables-save command.

-- Istvan
 

> -----Original Message-----
> From: Britt Ethan Houser [mailto:behouser_at_unity.ncsu.edu]
> Sent: Wednesday, 10 April 2002 00:52
> To: users_at_lists.freeswan.org
> Subject: [Users] iptables and freeswan
>
>
> I have freeswan up and running on a couple machines, and I want to build a firewall which only allows ESP, AH, ISAKMP, or broadcast traffic in and out of my box, and logs any new connections being established (I know this is weird.... but it's what I need). I have set up the following ruleset:
>
> [root_at_laketahoe root]# /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy DROP)
> target prot opt source destination
> ipsec all -- anywhere anywhere
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ipsec all -- anywhere anywhere
>
> Chain ipsec (2 references)
> target prot opt source destination
> ACCEPT ipv6-crypt-- anywhere anywhere
> ACCEPT ipv6-auth-- anywhere anywhere
> ACCEPT all -- anywhere 255.255.255.255
> LOG all -- anywhere anywhere state NEW LOG level warning
> ACCEPT udp -- anywhere anywhere udp spt:isakmp dpt:isakmp
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> [root_at_laketahoe root]#
>
> With this firewall in place, I can set up the ipsec connection, and ping the broadcast address. However, I cannot ping from one side to the other. I get the following when I am trying to ping:
>
> root_at_laketahoe root]# ping 192.168.1.107
> PING 192.168.1.107 (192.168.1.107) from 192.168.1.108 : 56(84) bytes of data.
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
>
> .107 is the other side of my ipsec tunnel. If I turn the firewall off on this side, I can ping out, but get nothing in return. It's as if the filters are being applied before the packet is encrypted. Is this correct behavior? Am I missing something here?
>
> thx,
> britt
>
>
>
> --
> I therefore, a prisoner for the Lord, beg you to lead a life worthy of the calling to which you have been called, with all lowliness and meekness, with patience, forbearing one another in love, eager to maintain the unity of the Spirit in the bond of peace. Eph 4:1-3
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
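Following on the thread's point that KLIPS hands the plaintext packet to netfilter on ipsec0 before encrypting it (which is why an OUTPUT policy of DROP produces "sendto: Operation not permitted"), here is an added example, written for this archive page and not taken from either poster, of a POSIX shell ruleset builder for the setup Britt describes. It assumes eth0 as the physical interface and ipsec0 as the KLIPS interface, and by default only prints the iptables commands (run it with IPT=iptables as root to apply them).

```shell
#!/bin/sh
# Added example: build a ruleset that restricts the physical interface to
# IKE/ESP/AH and broadcast while accepting plaintext on the KLIPS ipsec0
# interface. Assumptions: eth0 is the physical interface, ipsec0 the
# FreeS/WAN virtual interface. IPT defaults to a dry run that echoes the
# commands; set IPT=iptables to apply them.

build_rules() {
    ipt="${IPT:-echo iptables}"
    phys="${1:-eth0}"
    ipsec="${2:-ipsec0}"

    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP
    $ipt -F

    # Pass 1: the plaintext packet on ipsec0. KLIPS presents outgoing
    # packets here before encryption and incoming ones after decryption,
    # so this is where new connections are visible and worth logging.
    $ipt -A INPUT   -i "$ipsec" -m state --state NEW -j LOG --log-level warning
    $ipt -A OUTPUT  -o "$ipsec" -m state --state NEW -j LOG --log-level warning
    $ipt -A INPUT   -i "$ipsec" -j ACCEPT
    $ipt -A OUTPUT  -o "$ipsec" -j ACCEPT
    $ipt -A FORWARD -i "$ipsec" -j ACCEPT
    $ipt -A FORWARD -o "$ipsec" -j ACCEPT

    # Pass 2: the encrypted packet on the physical interface. Only IKE
    # (UDP 500), ESP (protocol 50, "ipv6-crypt" in old /etc/protocols) and
    # AH (protocol 51, "ipv6-auth") pass, plus the broadcast traffic Britt
    # wants; everything else hits the DROP policy.
    for chain_if in "INPUT -i" "OUTPUT -o"; do
        set -- $chain_if
        $ipt -A "$1" "$2" "$phys" -p udp --sport 500 --dport 500 -j ACCEPT
        $ipt -A "$1" "$2" "$phys" -p 50 -j ACCEPT
        $ipt -A "$1" "$2" "$phys" -p 51 -j ACCEPT
        $ipt -A "$1" "$2" "$phys" -d 255.255.255.255 -j ACCEPT
    done
}
```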



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:50 CEST