--On Wednesday, January 01, 2003 4:27 PM -0700 Steve Fink <[EMAIL PROTECTED]> wrote:

I tried to determine whether or not the ports were
open in Shorewall but an iptables -C INPUT -p udp -s 65.114.248.6/24 -d
65.114.249.131:500, only gives me a "Will be implemented real soon ;)"
And it wouldn't have told you anything anyway since Shorewall is a little smarter than to place ALL input rules in the INPUT chain where they have to be executed sequentially. Nevertheless, from the "iptables -L -n -v" later (In the future, please post the output of "shorewall status" -- it's much more complete):

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    40 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500 state NEW
 6459  258K net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

So Protocols 50 and 51 are open as is UDP 500. If the remote host is behind a NAT firewall however, you should have defined your tunnel type as 'ipsecnat' so that Shorewall wouldn't insist on SPT=500.

Similarly:

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2    80 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     51   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

So UDP port 500 is open on output as are protocols 50 and 51.

I notice though that there are no gw2loc and loc2gw chains -- what kind of tunnel are you trying to set up here? Host->Host? If you want Host->Subnet, you need to set the gw->loc and loc->gw policies to ACCEPT.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ [EMAIL PROTECTED]
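The check Tom does by eye above (is ESP, AH and IKE/UDP 500 accepted in the zone-to-zone chain, and is the UDP 500 rule restricted to spt:500, which breaks for a peer behind NAT) can be scripted. The following is an added example and is not part of the original thread nor of Shorewall itself; the chain text is a constructed sample modelled on the net2fw listing in the message, with the wrapped lines rejoined, and the function names (`has_accept`, `ipsec_check`) are this example's own. On a live box you would feed it `iptables -L net2fw -n -v` (or the relevant chain from `shorewall status`) instead of the embedded sample.

```shell
#!/bin/sh
# Constructed sample chain in "iptables -L -n -v" layout (not real output
# from the poster's firewall): ESP, AH (shown as 51 because /etc/protocols
# lacks the name) and IKE with the strict spt:500 match are all accepted.
SAMPLE_CHAIN='Chain net2fw (1 references)
 pkts bytes target     prot opt in  out source    destination
    0     0 ACCEPT     all  --  *   *   0.0.0.0/0 0.0.0.0/0  state RELATED,ESTABLISHED
    1    40 newnotsyn  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp  --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT     51   --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT     udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:500 dpt:500 state NEW
 6459  258K net2all    all  --  *   *   0.0.0.0/0 0.0.0.0/0'

# Constructed variant of the kind an "ipsecnat" tunnel definition would
# produce: IKE accepted on dpt:500 without insisting on spt:500.
SAMPLE_CHAIN_NAT='Chain net2fw (1 references)
 pkts bytes target     prot opt in  out source    destination
    0     0 ACCEPT     esp  --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT     51   --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT     udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp dpt:500 state NEW
 6459  258K net2all    all  --  *   *   0.0.0.0/0 0.0.0.0/0'

# has_accept CHAINTEXT PROTO1 PROTO2 EXTRA
# Succeeds (exit 0) when the chain holds an ACCEPT rule whose protocol column
# is PROTO1 or PROTO2 (name or number, e.g. "esp"/"50") and whose line also
# contains the substring EXTRA (empty EXTRA matches any line).
has_accept() {
    printf '%s\n' "$1" | awk -v p1="$2" -v p2="$3" -v extra="$4" '
        $3 == "ACCEPT" && ($4 == p1 || $4 == p2) && (extra == "" || index($0, extra) > 0) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ipsec_check CHAINTEXT
# Prints a one-line summary: whether ESP (50), AH (51) and IKE (UDP dpt:500)
# are accepted, and whether the IKE rule additionally requires spt:500, which
# a peer behind NAT usually cannot satisfy.
ipsec_check() {
    chain="$1"
    esp=no; ah=no; ike=no; ike_spt500=no
    has_accept "$chain" esp 50 ""                    && esp=yes
    has_accept "$chain" ah  51 ""                    && ah=yes
    has_accept "$chain" udp udp "dpt:500"            && ike=yes
    has_accept "$chain" udp udp "spt:500 dpt:500"    && ike_spt500=yes
    echo "esp=$esp ah=$ah ike=$ike ike_requires_spt500=$ike_spt500"
}

# Stand-alone run: summarise both constructed chains.
ipsec_check "$SAMPLE_CHAIN"
ipsec_check "$SAMPLE_CHAIN_NAT"
```

A result of `ike_requires_spt500=yes` on a tunnel whose far end sits behind a NAT device is the symptom to look for: the rule exists, but the translated source port never matches it, which is exactly why the reply recommends the `ipsecnat` tunnel type in that situation.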
