The following is my ipsec connection, and iptables-save. I have not
tried just filtering the ipsec0 interface. That may be what I have to do
if iptables filters before ipsec encrypts. Seems like it'd be the other
way around. Makes more sense to me that way.
conn hosttohost
left=192.168.1.108
right=192.168.1.107
#auto=add
keyingtries=0
type=transport
compress=yes
leftrsasigkey=....
rightrsasigkey=...
[root_at_montecarlo etc]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.3 on Fri Apr 5 17:11:23 2002
*nat
:PREROUTING ACCEPT [25:6423]
:POSTROUTING ACCEPT [25:1620]
:OUTPUT ACCEPT [37:2498]
COMMIT
# Completed on Fri Apr 5 17:11:23 2002
# Generated by iptables-save v1.2.3 on Fri Apr 5 17:11:23 2002
*mangle
:PREROUTING ACCEPT [195:79466]
:OUTPUT ACCEPT [196:19984]
COMMIT
# Completed on Fri Apr 5 17:11:23 2002
# Generated by iptables-save v1.2.3 on Fri Apr 5 17:11:23 2002
*filter
:INPUT DROP [6:456]
:FORWARD DROP [0:0]
:OUTPUT DROP [12:878]
:ipsec - [0:0]
[2:168] -A INPUT -j ipsec
[10:730] -A OUTPUT -j ipsec
[0:0] -A ipsec -p esp -j ACCEPT
[0:0] -A ipsec -p ah -j ACCEPT
[0:0] -A ipsec -d 255.255.255.255 -j ACCEPT
[12:898] -A ipsec -m state --state NEW -j LOG
[0:0] -A ipsec -p udp -m udp --sport 500 --dport 500 -j ACCEPT
COMMIT
# Completed on Fri Apr 5 17:11:23 2002
On Wed, 2002-04-10 at 02:07, Simon Istvan wrote:
> I have put the following rules into my
> _updown script for experimenting:
>
> iptables -I INPUT -i ipsec0 -j ACCEPT
> iptables -I FORWARD -i ipsec0 -j ACCEPT
> iptables -I FORWARD -o ipsec0 -j ACCEPT
> iptables -I OUTPUT -o ipsec0 -j ACCEPT
>
> It would be easier to see your problem
> using the list of the iptables-save command.
>
> -- Istvan
>
>
> > -----Original Message-----
> > From: Britt Ethan Houser [mailto:behouser_at_unity.ncsu.edu]
> > Sent: Wednesday, 10 April 2002 00:52
> > To: users_at_lists.freeswan.org
> > Subject: [Users] iptables and freeswan
> >
> >
> > I have freeswan up and running on a couple machines, and I want to build a
> > firewall which only allows ESP, AH, ISAKMP, or broadcast traffic in and out
> > of my box, and logs any new connections being established (I know this is
> > weird....but it's what I need). I have setup the following ruleset:
> >
> > [root_at_laketahoe root]# /etc/init.d/iptables status
> > Table: filter
> > Chain INPUT (policy DROP)
> > target prot opt source destination
> > ipsec all -- anywhere anywhere
> >
> > Chain FORWARD (policy DROP)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy DROP)
> > target prot opt source destination
> > ipsec all -- anywhere anywhere
> >
> > Chain ipsec (2 references)
> > target prot opt source destination
> > ACCEPT ipv6-crypt-- anywhere anywhere
> > ACCEPT ipv6-auth-- anywhere anywhere
> > ACCEPT all -- anywhere 255.255.255.255
> > LOG all -- anywhere anywhere
> > state NEW LOG
> > level warning
> > ACCEPT udp -- anywhere anywhere
> > udp spt:isakmp
> > dpt:isakmp
> > Table: nat
> > Chain PREROUTING (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> > Table: mangle
> > Chain PREROUTING (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> > [root_at_laketahoe root]#
> >
> > With this firewall in place, I can setup the ipsec connection, and ping
> > the broadcast address. However, I cannot ping from one side to the other.
> > I get the following when I am trying to ping:
> >
> > root_at_laketahoe root]# ping 192.168.1.107
> > PING 192.168.1.107 (192.168.1.107) from 192.168.1.108 :
> > 56(84) bytes of
> > data.
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> >
> > .107 is the other side of my ipsec tunnel. If I turn the firewall off
> > on this side, I can ping out, but get nothing in return. It's as if the
> > filters are being applied before the packet is encrypted. Is this correct
> > behavior? Am I missing something here?
> >
> > thx,
> > britt
> >
> >
> >
> > --
> > I therefore, a prisoner for the Lord, beg you to lead a life worthy of the
> > calling to which you have been called, with all lowliness and meekness, with
> > patience, forbearing one another in love, eager to maintain the unity of the
> > Spirit in the bond of peace. Eph 4:1-3
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users_at_lists.freeswan.org
> > http://lists.freeswan.org/mailman/listinfo/users
> >
--
I therefore, a prisoner for the Lord, beg you to lead a life worthy of the
calling to which you have been called, with all lowliness and meekness, with
patience, forbearing one another in love, eager to maintain the unity of the
Spirit in the bond of peace. Eph 4:1-3

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:51 CEST
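The behaviour Britt suspects ("filters are being applied before the packet is encrypted") and the ipsec0 rules Simon suggests fit together if the filter table sees each tunnel packet twice. The model below is an added example, not code from the thread or from FreeS/WAN: it assumes (as the KLIPS ipsec0 virtual interface implies, but the thread does not state) that an outbound packet traverses OUTPUT once in clear text with `-o ipsec0`, is encrypted, and traverses OUTPUT again as ESP on the physical interface, with INPUT the mirror image. The ruleset is the one from the iptables-save output above; `eth0`, the two `Packet` flows and the `keep_logging` variant are constructed for the illustration. It also shows a detail Simon's `-I` rules would change: inserted at the top of INPUT and OUTPUT they bypass the `state NEW -j LOG` rule, so tunnel connections are no longer logged; appending the ipsec0 accepts to the `ipsec` chain after the LOG rule keeps the logging Britt asked for.

```python
# Added example (not from the thread): a small model of an iptables filter
# table on a FreeS/WAN (KLIPS) host, where the same outbound packet is seen
# twice: in clear text on ipsec0, then as ESP on the physical interface.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                        # "icmp", "esp", "ah" or "udp"
    dst: str
    in_if: Optional[str] = None       # set for INPUT traversal (-i)
    out_if: Optional[str] = None      # set for OUTPUT traversal (-o)
    sport: Optional[int] = None
    dport: Optional[int] = None
    new: bool = True                  # conntrack state NEW


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, LOG or a user chain name
    proto: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state_new: bool = False           # -m state --state NEW

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or self.proto == p.proto,
            self.in_if is None or self.in_if == p.in_if,
            self.out_if is None or self.out_if == p.out_if,
            self.dst is None or self.dst == p.dst,
            self.sport is None or self.sport == p.sport,
            self.dport is None or self.dport == p.dport,
            not self.state_new or p.new,
        ])


class Filter:
    """Builtin chains carry a policy; a user chain returns to its caller."""

    def __init__(self) -> None:
        self.policy = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": [], "ipsec": []}
        self.logged: List[str] = []   # what the LOG target would have written

    def walk(self, chain: str, p: Packet) -> Optional[str]:
        for r in self.chains[chain]:
            if not r.matches(p):
                continue
            if r.target == "LOG":                      # non-terminating
                self.logged.append(f"{chain} {p.proto} -> {p.dst}")
            elif r.target in ("ACCEPT", "DROP"):
                return r.target
            else:                                      # jump to a user chain
                verdict = self.walk(r.target, p)
                if verdict is not None:
                    return verdict
        return None

    def verdict(self, chain: str, p: Packet) -> str:
        return self.walk(chain, p) or self.policy[chain]


def original_ruleset() -> Filter:
    """The filter table from the iptables-save output in the thread."""
    fw = Filter()
    fw.chains["INPUT"].append(Rule("ipsec"))
    fw.chains["OUTPUT"].append(Rule("ipsec"))
    fw.chains["ipsec"] += [
        Rule("ACCEPT", proto="esp"),
        Rule("ACCEPT", proto="ah"),
        Rule("ACCEPT", dst="255.255.255.255"),
        Rule("LOG", state_new=True),
        Rule("ACCEPT", proto="udp", sport=500, dport=500),
    ]
    return fw


def patched_ruleset(keep_logging: bool) -> Filter:
    """Simon's ipsec0 accepts, either inserted at the top of INPUT/OUTPUT
    (keep_logging=False, as `iptables -I` does) or appended to the ipsec
    chain after the LOG rule so new tunnel connections are still logged."""
    fw = original_ruleset()
    in_rule, out_rule = Rule("ACCEPT", in_if="ipsec0"), Rule("ACCEPT", out_if="ipsec0")
    if keep_logging:
        fw.chains["ipsec"] += [in_rule, out_rule]
    else:
        fw.chains["INPUT"].insert(0, in_rule)
        fw.chains["OUTPUT"].insert(0, out_rule)
    return fw


def outbound_ping(fw: Filter) -> Tuple[str, str]:
    """Echo request to the peer: clear text on ipsec0, then ESP on eth0 (constructed)."""
    clear = Packet("icmp", dst="192.168.1.107", out_if="ipsec0")
    esp = Packet("esp", dst="192.168.1.107", out_if="eth0")
    return fw.verdict("OUTPUT", clear), fw.verdict("OUTPUT", esp)


def inbound_reply(fw: Filter) -> Tuple[str, str]:
    """Peer's reply: ESP arrives on eth0, decrypted ICMP then appears on ipsec0."""
    esp = Packet("esp", dst="192.168.1.108", in_if="eth0")
    clear = Packet("icmp", dst="192.168.1.108", in_if="ipsec0", new=False)
    return fw.verdict("INPUT", esp), fw.verdict("INPUT", clear)


if __name__ == "__main__":
    print("original :", outbound_ping(original_ruleset()), inbound_reply(original_ruleset()))
    fw = patched_ruleset(keep_logging=True)
    print("patched  :", outbound_ping(fw), inbound_reply(fw), "logged:", fw.logged)
```

With the original ruleset the first (clear-text) OUTPUT pass hits the DROP policy, which is exactly the condition that makes the kernel return `sendto: Operation not permitted` to ping, while the ESP pass would have been accepted; inbound, the ESP packet is accepted but the decrypted reply on ipsec0 is dropped, matching "I can ping out, but get nothing in return" once the local firewall is off. Both patched variants let the ping through; only the `keep_logging=True` variant still records the new connection.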