On Fri, May 18, 2007 at 12:34:42AM -0000, pnjiiri2000 wrote:
> Thanks for the reply, sorry for taking long to reply. Well, the gateway
> is receiving packets on port 500 from the roadwarrior but it seems the
> VPN server is not receiving them despite the routes created:
>
> iptables -A INPUT -i eth0 -p 50 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i eth0 -p UDP -m state --state NEW --dport 500 --sport 500 -j ACCEPT
> iptables -A INPUT -i eth0 -p UDP -m state --state NEW --dport 4500 --sport 4500 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p udp --sport 500 -j DNAT --to-destination 10.0.0.1:500
> iptables -t nat -A PREROUTING -i eth0 -p udp --sport 50 -j DNAT --to-destination 10.0.0.1:50
If those are the rules for the box you labelled earlier "Gateway performs NAT"
then the packets will run through "PREROUTING" table first. As you want to
FORWARD them to the VPN gateway, you need to add the other rules to the
FORWARD table instead of INPUT (which is for the local host).

BTW: It's always handy to have a '-j LOG' rule just before the end of the
table in INPUT, FORWARD and OUTPUT. You can disable it if the tons of
messages bug you, once you consider your firewall configuration working.

Dirk.

-- 
The truth is an offense, but not a sin
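
Dirk's advice written out as a rule set, as an added example that is not part of the thread and not anyone's posted configuration. It follows the posted layout (eth0 facing the Internet, VPN server at 10.0.0.1) and assumes a LAN interface named eth1; the variable names and the dry-run switch are mine. Two points the posted rules get wrong are handled here: the DNATed packets have a destination of 10.0.0.1 after PREROUTING, so they go through FORWARD and never reach INPUT, and "-p udp --sport 50" matches UDP port 50, whereas ESP is IP protocol 50 and has no ports, so it needs "-p esp" (or "-p 50"). The LOG rules are rate-limited so that the "tons of messages" Dirk mentions do not fill the log.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for a NAT gateway that
# hands IPsec road-warrior traffic to an IPsec server on the LAN.
#
# Assumed topology (adjust to taste):
#   WAN_IF     = Internet-facing interface of the gateway (eth0 in the thread)
#   LAN_IF     = LAN interface of the gateway (eth1 is an assumption)
#   VPN_SERVER = the IPsec gateway behind the NAT box (10.0.0.1 in the thread)
#
# By default the script only prints the commands (dry run). Run it as root
# with IPT_DRY_RUN=0 to apply them.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
VPN_SERVER=${VPN_SERVER:-10.0.0.1}
IPT_DRY_RUN=${IPT_DRY_RUN:-1}

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$IPT_DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

vpn_nat_rules() {
    # The gateway must route between its interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 1. nat/PREROUTING: rewrite the destination of IKE (UDP 500),
    #    NAT-T (UDP 4500) and ESP (IP protocol 50) arriving from the
    #    Internet to the VPN server. Match on --dport, not --sport: a road
    #    warrior behind its own NAT may arrive from any source port.
    #    ESP has no ports, hence "-p esp" and no port in the target.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 500 \
        -j DNAT --to-destination "$VPN_SERVER"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 4500 \
        -j DNAT --to-destination "$VPN_SERVER"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p esp \
        -j DNAT --to-destination "$VPN_SERVER"

    # 2. filter/FORWARD: after PREROUTING the packets are addressed to
    #    10.0.0.1, not to the gateway, so they traverse FORWARD (INPUT is
    #    only for packets destined to the gateway itself).
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$VPN_SERVER" \
        -p udp -m multiport --dports 500,4500 -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$VPN_SERVER" -p esp -j ACCEPT
    # ESP is tracked only by the generic conntrack helper (short timeout),
    # so accept the reply direction explicitly instead of relying on it.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$VPN_SERVER" -p esp -j ACCEPT

    # 3. Ordinary masquerading for LAN hosts going out through the gateway.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 4. Dirk's debugging aid: a LOG rule just before the end of each chain.
    #    The limit match keeps a flood of hits from drowning the log; with an
    #    ACCEPT policy on INPUT/OUTPUT these lines only log, they drop nothing.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "fw-$chain-end: " --log-level 4
    done

    # 5. Anything not accepted above in FORWARD is dropped by policy.
    ipt -P FORWARD DROP
}

# Default invocation prints the rule set; IPT_DRY_RUN=0 applies it.
vpn_nat_rules
```

To see what would be applied, run the script as is; to apply it, run it as root with IPT_DRY_RUN=0 (and review the printed output first, since it also sets the FORWARD policy to DROP). If the VPN server still sees nothing, "iptables -t nat -L PREROUTING -n -v" and "iptables -L FORWARD -n -v" show per-rule packet counters, which tell you at which of the two steps the packets stop.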
