Home > Archive > VPN > November 2006 > OpenSWAN vs. iptables
OpenSWAN vs. iptables
Heruan 2006-11-04, 7:13 pm
I have two Ubuntu-server boxes, as gateways on two different networks:
each one has two NICs, eth0 to the LAN, eth1 to the Internet.
I set up OpenSWAN on both machines and iptables like this:
iptables -A INPUT -p esp -i eth1 -j ACCEPT
iptables -A OUTPUT -p esp -o eth1 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth1 --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth1 --dport 4500 -j ACCEPT
The tunnel is established correctly, but I cannot ping.
I guess it is because I drop all ping requests from the Internet on
eth1, so I wonder if I can tell OpenSWAN to create a virtual interface
to use for the tunnel and use that interface to make iptables rules and
accept traffic.
I tried to set on "conn setup":
interfaces="ipsec0=eth1"
but I cannot see an ipsec0 interface on my machine...

Joe Beasley 2006-11-04, 7:13 pm
Assuming you have a default block any at the end, you need
to allow the pings in your iptables rules.
--
jbeasley@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org

Heruan 2006-11-04, 7:13 pm
Joe Beasley wrote:
> Assuming you have a default block any at the end, you need
> to allow the pings in your iptables rules.
>
Ok, but can I make virtual interfaces to distinguish eth1 -->
Internet, ipsec0 --> tunnel?

Joe Beasley 2006-11-13, 8:16 am
You should not need the virtual interfaces....
Just use the source/destination.
--
jbeasley@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org

Heruan 2006-11-13, 8:16 am
Joe Beasley wrote:
> You should not need the virtual interfaces....
>
> Just use the source/destination.
Ok, thank you!
I added to my rules:
iptables -A INPUT -p esp -i eth1 -j ACCEPT
iptables -A OUTPUT -p esp -o eth1 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 500 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
to establish the tunnel and permit communication from the subnet
192.168.0.0/24, but I still cannot ping or telnet to any services.
Isn't it less secure to use source/destination instead of a virtual
interface? With a virtual interface I know that those packets are coming
from the other end of the tunnel; accepting traffic from a subnet source
I feel a little less secure... isn't it?
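Heruan's unease is justified: a rule that accepts anything with a 192.168.0.0/24 source also accepts spoofed cleartext arriving on eth1. On the 2.6 NETKEY stack there is no ipsec0 to filter on, but the iptables `policy` match tells you whether a packet was just decrypted from ESP, which gives the same guarantee. The script below is an added example, not code from the thread or from Openswan; it assumes NETKEY, the thread's local LAN 192.168.0.0/24, an assumed remote LAN of 192.168.1.0/24, and shows the weak rule from the thread beside the tunnel-aware version.

```shell
#!/bin/sh
# Added example (not from the thread): tunnel-aware iptables rules using the
# "policy" match, which identifies packets the kernel has just decrypted, so
# no ipsec0 virtual interface is needed (the NETKEY stack never creates one).
# Local LAN 192.168.0.0/24 is from the thread; 192.168.1.0/24 is an assumed
# remote LAN. Override IPT (e.g. IPT=echo) to preview the rules without root.
IPT=${IPT:-iptables}
WAN=eth1
LOCAL_NET=192.168.0.0/24
REMOTE_NET=192.168.1.0/24   # assumed placeholder, not from the thread

# Let IKE (UDP 500/4500) and ESP reach Openswan on the Internet-facing NIC.
ike_esp_rules() {
    $IPT -A INPUT  -i $WAN -p esp -j ACCEPT
    $IPT -A OUTPUT -o $WAN -p esp -j ACCEPT
    $IPT -A INPUT  -i $WAN -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT  -i $WAN -p udp --dport 4500 -j ACCEPT
}

# Weak version from the thread: any packet claiming a 192.168.0.0/24 source is
# accepted, whether or not it came out of the tunnel. Source addresses seen on
# eth1 are spoofable, so this is the rule Heruan is rightly uneasy about.
weak_forward_rules() {
    $IPT -A INPUT   -s $LOCAL_NET -j ACCEPT
    $IPT -A FORWARD -s $LOCAL_NET -j ACCEPT
}

# Hardened version: accept the far LAN's packets only when they carry an
# inbound IPsec policy (i.e. they were decrypted from ESP), accept our LAN's
# packets that will be encrypted outbound, and drop cleartext on the WAN that
# claims a tunnel address. Order matters: the ACCEPTs come before the DROPs.
tunnel_forward_rules() {
    $IPT -A FORWARD -i $WAN -m policy --dir in --pol ipsec --proto esp \
        -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
    $IPT -A INPUT   -i $WAN -m policy --dir in --pol ipsec --proto esp \
        -s $REMOTE_NET -j ACCEPT
    $IPT -A FORWARD -o $WAN -m policy --dir out --pol ipsec --proto esp \
        -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
    $IPT -A FORWARD -i $WAN -s $REMOTE_NET -j DROP
    $IPT -A INPUT   -i $WAN -s $REMOTE_NET -j DROP
}

if [ "${1:-}" = "apply" ]; then
    ike_esp_rules
    tunnel_forward_rules
fi
```

The FORWARD rule for the remote LAN is also what lets ping replies from the far side come back; the thread's rules only allowed the 192.168.0.0/24 direction.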