From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Aug 06 2002 - 15:34:58 CEST
As an example of an iptables updown script which supports both
reaching the subnet behind the VPN gateway (up-/down-client) using
FORWARD rules as well as accessing the VPN gateway itself (up-/down-host)
using INPUT/OUTPUT rules, I append the _updown.x509 template packaged
with the X.509 distribution. Due to the DHCP-over-IPsec support
the script also supports port/protocol filtering. With normal
IPsec SAs, all IP protocols are simply passed.
As an additional goodie the template contains a sample implementation
of how VPN connections could be logged in a concise format using a special
syslog file, e.g. /var/log/vpn.
Regards
Andreas
Michael P. Blinn wrote:
> ----- Original Message -----
> Subject: Re: [Users] iptables and _updown
>
>
>>Given the simple situation you describe, you shouldn't need a custom _updown
>>script. Have static rules that exempt all traffic destined for opposite
>>subnets from MASQUERADEing. The gateway-subnet traffic should take care of
>>itself as well.
>
>
> Wait, are you saying I can get by with only one tunnel? Please clarify, as
> I'm currently using four in my 2.2 kernel setup.
>
> Without the custom updown script, what changes do I make to my ipsec.conf to
> enable subnet-to-gateway and subnet-to-subnet traffic? Currently of course I
> have right & leftfirewall, leftsubnet defined for the conns that require it,
> but I know this isn't correct with kernel 2.4.
>
>
>>Custom _updown scripts are useful for more complex firewall environments,
>>where sysadmins may need more flexibility for security reasons. However, I
>>would be interested to see people's submissions. :)
>
>
> Well I certainly will need to change my default policy for this tree to DENY
> at some point, I'm simply opening it up until I can get the tunnels working
> with iptables, so I too would be interested in others' submissions.
> Currently I have FreeS/WAN running on 2.2 kernel with ipchains policy DENY
> and I can open up traffic as needed.
>
> Thanks Sam et al,
> -Michael Blinn
>
> -----
> There's nothing remarkable about it. All one has to do is hit the right
> keys at the right time and the instrument plays itself. - J.S. Bach
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                     e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                      phone:  +41 76 340 25 56
Alter Zürichweg 20                  home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
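The kind of updown script the message describes, written out as an added example: it is not the _updown.x509 template, nor any FreeS/WAN or strongSec code, and the attached template itself is not reproduced in this archive. up-/down-client opens FORWARD, up-/down-host opens INPUT/OUTPUT, a protocol/port match is added only when the SA is restricted (the DHCP-over-IPsec case), and every SA event is written as one line to a separate syslog facility. It assumes the PLUTO_* variables pluto exports to an updown script (PLUTO_VERB, PLUTO_INTERFACE, PLUTO_ME, PLUTO_PEER, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT, PLUTO_CONNECTION, PLUTO_PEER_ID); the port/protocol variable names PLUTO_MY_PROTOCOL, PLUTO_MY_PORT and PLUTO_PEER_PORT, the local0 facility and the /var/log/vpn mapping are assumptions made for this example. Setting IPTABLES=echo prints the rules instead of applying them, which is how the example can be checked without a running gateway.

```shell
#!/bin/sh
# Constructed example of an iptables updown script; not the _updown.x509
# template. Pluto invokes it with PLUTO_VERB set to up-host, down-host,
# up-client or down-client (plus routing verbs, left out here) and with the
# PLUTO_* variables below exported. The names PLUTO_MY_PROTOCOL,
# PLUTO_MY_PORT and PLUTO_PEER_PORT are assumed for the port/protocol data.

IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo prints instead of applying
LOGGER="${LOGGER:-logger}"
SYSLOG_FACILITY="local0"           # syslog.conf: local0.*  /var/log/vpn

# Build "-p PROTO --sport S --dport D" for one direction. A protocol of 0
# (or unset) means the SA carries all IP protocols, so nothing is matched.
port_match() {
    pm_proto="$1"; pm_sport="$2"; pm_dport="$3"; pm=""
    if [ -n "$pm_proto" ] && [ "$pm_proto" != 0 ]; then
        pm="-p $pm_proto"
        if [ -n "$pm_sport" ] && [ "$pm_sport" != 0 ]; then
            pm="$pm --sport $pm_sport"
        fi
        if [ -n "$pm_dport" ] && [ "$pm_dport" != 0 ]; then
            pm="$pm --dport $pm_dport"
        fi
    fi
    printf '%s' "$pm"
}

# Insert (-I, at position 1 so nothing earlier can shadow it) or delete (-D)
# the pair of rules for the current verb. Inbound, the peer's port is the
# source and ours the destination; outbound it is the other way round.
firewall_rules() {
    fw_op="$1"; fw_pos=""
    if [ "$fw_op" = "-I" ]; then fw_pos="1"; fi
    in_m=$(port_match "$PLUTO_MY_PROTOCOL" "$PLUTO_PEER_PORT" "$PLUTO_MY_PORT")
    out_m=$(port_match "$PLUTO_MY_PROTOCOL" "$PLUTO_MY_PORT" "$PLUTO_PEER_PORT")
    case "$PLUTO_VERB" in
    up-host|down-host)
        # Traffic terminating on the gateway itself: INPUT/OUTPUT
        $IPTABLES "$fw_op" INPUT $fw_pos -i "$PLUTO_INTERFACE" \
            -s "$PLUTO_PEER_CLIENT" -d "$PLUTO_ME" $in_m -j ACCEPT
        $IPTABLES "$fw_op" OUTPUT $fw_pos -o "$PLUTO_INTERFACE" \
            -s "$PLUTO_ME" -d "$PLUTO_PEER_CLIENT" $out_m -j ACCEPT
        ;;
    up-client|down-client)
        # Traffic for the subnet behind the gateway: FORWARD
        $IPTABLES "$fw_op" FORWARD $fw_pos -i "$PLUTO_INTERFACE" \
            -s "$PLUTO_PEER_CLIENT" -d "$PLUTO_MY_CLIENT" $in_m -j ACCEPT
        $IPTABLES "$fw_op" FORWARD $fw_pos -o "$PLUTO_INTERFACE" \
            -s "$PLUTO_MY_CLIENT" -d "$PLUTO_PEER_CLIENT" $out_m -j ACCEPT
        ;;
    esac
}

# One concise line per SA event, suitable for a dedicated syslog file.
vpn_log_line() {
    case "$PLUTO_VERB" in
    up-*)   vl_ev="UP" ;;
    down-*) vl_ev="DOWN" ;;
    *)      vl_ev="$PLUTO_VERB" ;;
    esac
    printf 'VPN %s conn=%s peer=%s id="%s" %s <-> %s\n' \
        "$vl_ev" "$PLUTO_CONNECTION" "$PLUTO_PEER" "$PLUTO_PEER_ID" \
        "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT"
}

# Dispatch on the verb pluto passed in; other verbs (prepare-, route-,
# unroute-) touch routing only and are left to the stock script's logic.
case "${PLUTO_VERB:-}" in
up-host|up-client)
    firewall_rules -I
    $LOGGER -t vpn -p "$SYSLOG_FACILITY.notice" "$(vpn_log_line)"
    ;;
down-host|down-client)
    firewall_rules -D
    $LOGGER -t vpn -p "$SYSLOG_FACILITY.notice" "$(vpn_log_line)"
    ;;
*)  : ;;
esac
```

With a default DROP policy on INPUT, OUTPUT and FORWARD these two rules per SA are the only openings for tunnelled traffic, and because down-* deletes with exactly the arguments up-* inserted, the opening disappears together with the SA rather than lingering after a tunnel goes down. A replacement for the stock _updown in a real deployment still has to carry the routing verbs, which this example omits.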
This archive was generated by hypermail 2.1.4 : Tue Aug 06 2002 - 18:19:29 CEST