[strongSwan] issue connecting strongswan from EC2 instance to Cisco device

2016-09-13 Thread John Gathm
Hello,

I'm trying to connect a strongSwan client hosted on Amazon EC2 public (not
VPC) to a Cisco device over IKEv1.
Since we are hosted on EC2, we have the EC2 gateway NAT in front of our
instance.


I have done a VirtualBox simulation setup using 4 Linux VMs and strongSwan, i.e.
Linux1 / my EC2 <--> Linux2 / 1:1 NAT <--> Linux3 / Cisco
VPN <--> Linux4 / remote server to access.
Using this, I have validated that my "Linux1/EC2" is able to communicate
over IPsec with NAT-T over a 1:1 NAT. It works... with strongSwan as server.

However, it does not work with the Cisco VPN device we're trying to connect
to:

the strongSwan client keeps rekeying phase 1 (i.e. ipsec statusall keeps
looping between CONNECTING/ESTABLISHED continuously).


Adding modeconfig=push as suggested by the documentation makes the Security
Association stable; however, the connection gets stuck trying to negotiate
phase 2, with "tasks queued: QUICK_MODE".
I can see with tcpdump that NAT-T packets are sent, and I see the first
response from the Cisco device over NAT-T, but nothing more.

16:56:28.391047 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp
> vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.470397 IP vpn_cisco_gateway.isakmp >
ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.485469 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp
> vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.566259 IP vpn_cisco_gateway.isakmp >
ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.648297 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t
> vpn_cisco_gateway.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
16:56:28.731272 IP vpn_cisco_gateway.ipsec-nat-t >
ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t: NONESP-encap:
isakmp: phase 1 R ident[E]
16:56:52.596800 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t
> vpn_cisco_gateway.ipsec-nat-t: isakmp-nat-keep-alive
and nothing more except keepalives.


Any help or suggestions on how to troubleshoot the issue further are
welcome.
Regards,
J.G


The local and remote configurations are below, with context:
123.123.22.22: we use a public IP address for the internal network on
purpose, to avoid collisions with the VPN provider.
PUBLIC_EC2_IP_ADDRESS is our public EC2 Elastic IP address.
VPN_GATEWAY_PUBLIC_IP is the public IP address of the remote Cisco VPN device.
VPN_GATEWAY_INTERNAL_IP is the internal IP address of the remote Cisco VPN device.
SERVER_IP_BEHIND_VPN_GATEWAY is the address of the remote server we
want to access from our EC2 instance over the IPsec tunnel.
VPN_REMOTE_NETWORK is the remote network and mask that includes the two
previous hosts.
OUR_VPN_PROVIDER_GATEWAY is the next-hop gateway for the Cisco VPN to reach
the internet.


config setup
    charondebug="knl 3, ike 4, esp 4, cfg 4, mgr 4, net 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn test
    left=%any
    leftsourceip=123.123.22.22
    leftid=PUBLIC_EC2_IP_ADDRESS
    leftfirewall=yes
    right=VPN_GATEWAY_PUBLIC_IP
    rightid=VPN_GATEWAY_PUBLIC_IP
    rightsubnet=VPN_REMOTE_NETWORK/27
    auto=add
    modeconfig=push    # or disable
    ike=3des-md5-modp1024!
    esp=aes-sha1!

The Cisco device configuration is:


crypto keyring keyring_customer
 pre-shared-key address PUBLIC_EC2_IP_ADDRESS key THE_SECRET_PSK
!
crypto isakmp profile profile_customer
 vrf vrf_customer
 keyring keyring_customer
 match identity address PUBLIC_EC2_IP_ADDRESS 255.255.255.255
!
crypto map cmallserv1 130 ipsec-isakmp
 description customer_vpn
 set peer PUBLIC_EC2_IP_ADDRESS
 set transform-set ts-esp-aes256-esp-sha-hmac
 set isakmp-profile profile_customer
 match address access_list_customer
!
ip route PUBLIC_EC2_IP_ADDRESS 255.255.255.255 TenGigabitEthernet0/1/0.1300
OUR_VPN_PROVIDER_GATEWAY
ip route vrf vrf_customer 123.123.22.22 255.255.255.255
TenGigabitEthernet0/1/0.1300 OUR_VPN_PROVIDER_GATEWAY global
!
ip access-list extended access_list_customer
 permit ip host VPN_GATEWAY_INTERNAL_IP host 123.123.22.22
 permit ip host SERVER_IP_BEHIND_VPN_GATEWAY host 123.123.22.22
!
router bgp 6000
 scope vrf icssmsc:vrf_customer
  address-family ipv4
   redistribute static
!
end
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
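One check worth making at this point, added here as an example and not part of the original post or of strongSwan's or Cisco's own tooling: IKEv1 Quick Mode carries a single pair of identities (IDci/IDcr) and has no traffic selector narrowing, so the responder either has a policy matching the proposed pair or rejects the exchange. In the configuration above the strongSwan side is the single address 123.123.22.22 (leftsourceip, no leftsubnet) and the remote side is VPN_REMOTE_NETWORK/27, while access_list_customer permits only two individual hosts paired with that address. The script below compares a proposed selector pair against a Cisco extended ACL and derives the selector pairs that would match each ACE exactly. The 198.51.100.0/27 network and its two hosts are constructed stand-ins for the VPN_REMOTE_NETWORK placeholders.

```python
"""Compare the selector pair strongSwan proposes in IKEv1 Quick Mode with a Cisco crypto ACL."""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]          # (source, destination) exactly as written on the Cisco side


def _operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one address operand of an extended ACE starting at tokens[i]:
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Returns (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard bits are the inverse of a netmask; convert explicitly because
    # ipaddress would read an all-zero wildcard (0.0.0.0) as a /0 netmask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return Net(f"{tok}/{netmask}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse a 'permit ip <src> <dst>' entry from an extended ACL into (source, destination)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries are handled: {line!r}")
    src, i = _operand(tokens, 2)
    dst, _ = _operand(tokens, i)
    return src, dst


def classify(local: Net, remote: Net, ace: Ace) -> str:
    """Relate strongSwan's (local, remote) selector pair to one ACE. Seen from the Cisco
    side, the ACE source is the Cisco-local network (strongSwan's remote) and the ACE
    destination is the peer network (strongSwan's local)."""
    ace_src, ace_dst = ace
    if remote == ace_src and local == ace_dst:
        return "exact"        # the pair the Cisco policy was written for
    if remote.subnet_of(ace_src) and local.subnet_of(ace_dst):
        return "narrower"     # inside the ACE; acceptance is responder-specific
    if remote.overlaps(ace_src) and local.overlaps(ace_dst):
        return "wider"        # covers addresses the ACE does not permit
    return "disjoint"


def check_proposal(local: Net, remote: Net, acl: List[str]) -> List[Tuple[str, str]]:
    """Classify one proposed selector pair against every entry of the ACL."""
    return [(line, classify(local, remote, parse_ace(line))) for line in acl]


def selectors_from_acl(acl: List[str]) -> List[Tuple[Net, Net]]:
    """The (leftsubnet, rightsubnet) pairs strongSwan would have to propose, one per ACE,
    to match each entry exactly: IKEv1 negotiates a single selector pair per Quick Mode."""
    return [(dst, src) for src, dst in map(parse_ace, acl)]


# Constructed sample: 123.123.22.22 is the strongSwan-side address from the posted config;
# 198.51.100.0/27 and its two hosts stand in for the VPN_REMOTE_NETWORK placeholders.
SAMPLE_ACL = [
    "permit ip host 198.51.100.1 host 123.123.22.22",
    "permit ip host 198.51.100.10 host 123.123.22.22",
]
PROPOSED_LOCAL = Net("123.123.22.22/32")   # leftsourceip, a single host, no leftsubnet
PROPOSED_REMOTE = Net("198.51.100.0/27")   # rightsubnet=VPN_REMOTE_NETWORK/27

if __name__ == "__main__":
    for line, verdict in check_proposal(PROPOSED_LOCAL, PROPOSED_REMOTE, SAMPLE_ACL):
        print(f"{verdict:<9} {line}")
    for left, right in selectors_from_acl(SAMPLE_ACL):
        print(f"leftsubnet={left} rightsubnet={right}")
```

Whether a given IOS release accepts a pair that is narrower than an ACE is version-specific, so read the router's view with `debug crypto isakmp` and `debug crypto ipsec` while strongSwan retries Quick Mode; an exact match is the only outcome that does not depend on that. Two other things to compare while there: the transform set is named ts-esp-aes256-esp-sha-hmac while esp=aes-sha1! proposes AES-128 only (`show crypto ipsec transform-set` shows what the name actually contains), and 3des-md5-modp1024 for IKE is far below current recommendations and worth replacing on both ends once the tunnel is up.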

Re: [strongSwan] Empty CRL cache

2016-09-13 Thread Andreas Steffen
Hi Fabrice,

I don't know what your problem might be. In our KVM scenario running
strongSwan 5.5.0 under Debian 8, the CRL is written to a file:

https://www.strongswan.org/testing/testresults/ikev2/crl-to-cache/

Best regards

Andreas

On 13.09.2016 14:15, Fabrice Barconnière wrote:
> Hello,
> 
> I still have a problem with the CRL cache with strongSwan 5.3.5 and Ubuntu 16.04.
> 
> Certificate status is checked against the CRL, as we can see in the log file.
> The ipsec listcrls command gives:
> 
> List of X.509 CRLs:
> 
>   issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN
> Scolarite et Formation"
>   serial:09:43
>   revoked:   13 certificates
>   updates:   this Sep 13 00:00:06 2016
>  next Sep 20 00:00:06 2016, ok (expires in 6 days)
>   authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
> 
> But ll /etc/ipsec.d/crls/ gives:
> total 8
> drwxr-xr-x  2 root root 4096 Apr  5 15:44 ./
> drwxr-xr-x 11 root root 4096 Aug 30 21:01 ../
> 
> With Ubuntu 14.04 and strongSwan 5.1.2 (after AppArmor profile correction),
> 
> ll /etc/ipsec.d/crls/ gives:
> total 12
> drwxr-xr-x  2 root root 4096 Sep 13 09:18 ./
> drwxr-xr-x 11 root root 4096 Sep 10 01:04 ../
> -rw-r--r--  1 root root 1307 Sep 13 09:18
> cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl
> 
> What else can I check?
> 
> 
> 
> On 09/09/2016 at 14:50, Fabrice Barconnière wrote:
>> Hi all,
>>
>> /etc/ipsec.d/crls directory is still empty after established connections.
>>
>> OS:  Ubuntu 16.04
>> Version: 5.3.5-1ubuntu3
>>
>>
>> * ipsec.conf :
>>
>> config setup
>> uniqueids = yes
>> cachecrls = yes
>> strictcrlpolicy = no
>> ...
>> ...
>>
>>
>> * ipsec statusall :
>>
>> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
>> x86_64):
>>   uptime: 17 minutes, since Sep 09 14:13:12 2016
>>   malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
>>   worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 6
>>   loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
>> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
>> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
>> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
>> sqlite attr kernel-netlink resolve socket-default farp stroke updown
>> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
>> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
>> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
>> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
>> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
>> addrblock unity
>> Listening IP addresses:
>>   192.168.0.11
>>   172.30.101.11
>> Connections:
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1: 
>> 192.168.0.11...192.168.0.31  IKEv1/2, dpddelay=120s
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
>> local:  [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
>> CN=sphynx.ac-test.fr] uses public key authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   
>> cert:  "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
>> CN=sphynx.ac-test.fr"
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
>> remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse,
>> OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key
>> authentication
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
>> child:  172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education
>> Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
>> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
>> CN=0120101V-01-TEST.ac-toulouse.fr]
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key
>> reauthentication in 2 hours
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
>> IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
>> INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
>> AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s
>> ago), rekeying in 32 minutes
>> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  
>> 172.30.101.0/24 === 10.1.1.0/24
>>
>>
>> * Logs :
>>
>> 2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN]
>> Starting IKE charon daemon (strongSwan 5.3.5, Linux 

Re: [strongSwan] Empty CRL cache

2016-09-13 Thread Fabrice Barconnière
Hello,

I still have a problem with the CRL cache with strongSwan 5.3.5 and Ubuntu 16.04.

Certificate status is checked against the CRL, as we can see in the log file.
The ipsec listcrls command gives:

List of X.509 CRLs:

  issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN
Scolarite et Formation"
  serial:09:43
  revoked:   13 certificates
  updates:   this Sep 13 00:00:06 2016
 next Sep 20 00:00:06 2016, ok (expires in 6 days)
  authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17

But ll /etc/ipsec.d/crls/ gives:
total 8
drwxr-xr-x  2 root root 4096 Apr  5 15:44 ./
drwxr-xr-x 11 root root 4096 Aug 30 21:01 ../

With Ubuntu 14.04 and strongSwan 5.1.2 (after AppArmor profile correction),

ll /etc/ipsec.d/crls/ gives:
total 12
drwxr-xr-x  2 root root 4096 Sep 13 09:18 ./
drwxr-xr-x 11 root root 4096 Sep 10 01:04 ../
-rw-r--r--  1 root root 1307 Sep 13 09:18
cc2e370f06b2b9b5e92dffbe5237c61db4b70717.crl

What else can I check?



On 09/09/2016 at 14:50, Fabrice Barconnière wrote:
> Hi all,
>
> /etc/ipsec.d/crls directory is still empty after established connections.
>
> OS:  Ubuntu 16.04
> Version: 5.3.5-1ubuntu3
>
>
> * ipsec.conf :
>
> config setup
> uniqueids = yes
> cachecrls = yes
> strictcrlpolicy = no
> ...
> ...
>
>
> * ipsec statusall :
>
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
> x86_64):
>   uptime: 17 minutes, since Sep 09 14:13:12 2016
>   malloc: sbrk 5275648, mmap 532480, used 1125024, free 4150624
>   worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 6
>   loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1
> sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1
> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg
> fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql
> sqlite attr kernel-netlink resolve socket-default farp stroke updown
> eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
> eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
> eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
> xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
> addrblock unity
> Listening IP addresses:
>   192.168.0.11
>   172.30.101.11
> Connections:
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1: 
> 192.168.0.11...192.168.0.31  IKEv1/2, dpddelay=120s
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
> local:  [C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
> CN=sphynx.ac-test.fr] uses public key authentication
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:   
> cert:  "C=FR, L=Dijon, O=Education Nationale, OU=0002 110043015,
> CN=sphynx.ac-test.fr"
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
> remote: [C=FR, L=Toulouse, O=Education Nationale, OU=ac-toulouse,
> OU=0002 110043015, CN=0120101V-01-TEST.ac-toulouse.fr] uses public key
> authentication
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1:  
> child:  172.30.101.0/24 === 10.1.1.0/24 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
> ESTABLISHED 10 minutes ago, 192.168.0.11[C=FR, L=Dijon, O=Education
> Nationale, OU=0002 110043015, CN=sphynx.ac-test.fr]...192.168.0.31[C=FR,
> L=Toulouse, O=Education Nationale, OU=ac-toulouse, OU=0002 110043015,
> CN=0120101V-01-TEST.ac-toulouse.fr]
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
> IKEv2 SPIs: b858dddc617a4ac3_i d7697a226ce94911_r*, public key
> reauthentication in 2 hours
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1[2]:
> IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
> INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}: 
> AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s
> ago), rekeying in 32 minutes
> aca.sphynx-default-2.6.0-etb1.amon-default-2.5.2_1-admin-reseau_eth1{2}:  
> 172.30.101.0/24 === 10.1.1.0/24
>
>
> * Logs :
>
> 2016-09-09T14:35:48.169931+02:00 sphynx.ac-test.lan charon: 00[DMN]
> Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-36-generic,
> x86_64)
> 2016-09-09T14:35:48.220738+02:00 sphynx.ac-test.lan charon: 00[CFG]
> disabling load-tester plugin, not configured
> 2016-09-09T14:35:48.221002+02:00 sphynx.ac-test.lan charon: 00[LIB]
> plugin 'load-tester': failed to load - load_tester_plugin_create
> returned NULL
> 2016-09-09T14:35:48.229358+02:00 sphynx.ac-test.lan charon: 00[CFG]
> dnscert plugin is disabled
> 2016-09-09T14:35:48.229716+02:00 sphynx.ac-test.lan 
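
The file name on the 14.04 host above is the authority key identifier shown by ipsec listcrls with the colons removed plus .crl (cc:2e:37:... becomes cc2e370f....crl). As an added example that is not part of this thread or of strongSwan's own tooling, the script below parses ipsec listcrls output, derives the expected cache file name for each CRL, and reports which CRLs charon holds in memory but has not written to the cache directory. The listcrls text embedded in it is reconstructed from the output quoted above, and the cache directory it checks is a temporary one the script creates itself; on a live host you would point uncached_crls at /etc/ipsec.d/crls instead.

```python
"""Derive the cache file names strongSwan uses for CRLs and spot CRLs held only in memory."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Fields of one entry in 'ipsec listcrls' output; an 'issuer:' line opens a new entry.
FIELD_RE = re.compile(r"^\s*(?P<key>issuer|serial|revoked|updates|authkey):\s*(?P<val>.*)$")
NEXT_RE = re.compile(r"^\s*next (?P<val>.*)$")


def parse_listcrls(text: str) -> List[Dict[str, str]]:
    """Turn the text of 'ipsec listcrls' into one dict per CRL."""
    crls: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, val = m["key"], m["val"].strip()
            if key == "issuer":
                cur = {"issuer": val.strip('"')}
                crls.append(cur)
            elif key == "updates" and cur:
                cur["this_update"] = val[5:] if val.startswith("this ") else val
            elif cur:
                cur[key] = val
            continue
        m = NEXT_RE.match(line)
        if m and cur:
            cur["next_update"] = m["val"].strip()
    return crls


def cache_filename(authkey: str) -> str:
    """strongSwan names a cached CRL after the authority key identifier: the hex digits
    without colons plus '.crl' (cc:2e:37:... -> cc2e37....crl in the listing above)."""
    return authkey.replace(":", "").lower() + ".crl"


def uncached_crls(crls: List[Dict[str, str]], cache_dir: str) -> List[Dict[str, str]]:
    """CRLs that charon lists but whose cache file is missing from cache_dir."""
    present = set(os.listdir(cache_dir)) if os.path.isdir(cache_dir) else set()
    return [c for c in crls if cache_filename(c["authkey"]) not in present]


# Constructed sample, reconstructed from the 'ipsec listcrls' output quoted in the thread.
SAMPLE_LISTCRLS = """\
List of X.509 CRLs:

  issuer:   "C=FR, O=Education Nationale, OU=0002 110043015, CN=AC EN Scolarite et Formation"
  serial:    09:43
  revoked:   13 certificates
  updates:   this Sep 13 00:00:06 2016
             next Sep 20 00:00:06 2016, ok (expires in 6 days)
  authkey:   cc:2e:37:0f:06:b2:b9:b5:e9:2d:ff:be:52:37:c6:1d:b4:b7:07:17
"""


def simulate(crls: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Run the check against an empty temporary cache directory, then again after the
    expected files have been written; returns the missing file names for both runs."""
    with tempfile.TemporaryDirectory() as cache_dir:
        before = [cache_filename(c["authkey"]) for c in uncached_crls(crls, cache_dir)]
        for name in before:
            with open(os.path.join(cache_dir, name), "wb") as fh:
                fh.write(b"")   # stand-in for the DER-encoded CRL charon would write
        after = [cache_filename(c["authkey"]) for c in uncached_crls(crls, cache_dir)]
    return before, after


if __name__ == "__main__":
    parsed = parse_listcrls(SAMPLE_LISTCRLS)
    for crl in parsed:
        print(crl["issuer"], "->", cache_filename(crl["authkey"]), "next", crl["next_update"])
    # On a live host: uncached_crls(parsed, "/etc/ipsec.d/crls")
    print(simulate(parsed))
```

If a CRL is listed but its file never appears, two things to look at next are whether charon is allowed to write there at all (Fabrice mentions an AppArmor profile fix on 14.04; `dmesg | grep -i apparmor` shows denials naming the charon binary) and where the CRL came from: cachecrls only writes CRLs fetched via HTTP or LDAP, so a CRL that was loaded from a file on disk is never re-cached.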

[strongSwan] successful ipsec link but no traffic with strongswan 5.5.0 and kernel 4.4.20

2016-09-13 Thread Mihai Ordean
Hello,

I am in need of some help. I had a perfectly fine (and simple-ish) strongSwan
setup on my home server: a router with a PPPoE connection to the ISP, which
provides me with a dynamic non-NATed IP, and a DDNS setup with my domain
provider.

On top of this I set up a basic road-warrior IKEv2 VPN with strongSwan.
Everything was running on Arch Linux with kernel 3.18.
After updating the kernel to 4.4.20 the VPN stopped working. I get the
connection established, but no traffic goes through it. If I roll back to
kernel 3.18 everything works fine again. Is anyone aware of any changes
related to IPsec/VPN/tunnels or routing between these kernel versions?

Please see my logs below:


/>ipsec statusall
---

Status of IKE charon daemon (strongSwan 5.5.0, Linux 4.4.20, armv7l):
  uptime: 5 minutes, since Sep 13 12:37:32 2016
  malloc: sbrk 1339392, mmap 0, used 355624, free 983768
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl fips-prf gmp chapoly xcbc cmac hmac curl sqlite attr kernel-netlink
resolve socket-default connmark forecast farp stroke vici updown
eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius
eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth
dhcp radattr unity
Virtual IP pools (size/online/offline):
  10.0.1.0/24: 254/1/0
Listening IP addresses:
  192.168.2.10
  192.168.7.1
  90.203.141.93
Connections:
 windows:  %any...%any  IKEv2, dpddelay=300s
 windows:   local:  [mihaiordean.com] uses public key authentication
 windows:cert:  "C=GB, O=mihaiordean.com, CN=mihaiordean.com"
 windows:   remote: uses EAP_MSCHAPV2 authentication with EAP identity
'%any'
 windows:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
 android:  %any...%any  IKEv2, dpddelay=300s
 android:   local:  [mihaiordean.com] uses public key authentication
 android:cert:  "C=GB, O=mihaiordean.com, CN=mihaiordean.com"
 android:   remote: [C=GB, O=mihaiordean.com, CN=vpn-client] uses public
key authentication
 android:cert:  "C=GB, O=mihaiordean.com, CN=vpn-client"
 android:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
 android[10]: ESTABLISHED 24 seconds ago,
90.203.141.93[mihaiordean.com]...147.188.254.72[C=GB, O=mihaiordean.com,
CN=vpn-client]
 android[10]: IKEv2 SPIs: 446cfc0fce52fc90_i 95cc24497fefd7b9_r*,
rekeying disabled
 android[10]: IKE proposal:
AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
 android{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cde084f3_i
1c5743ef_o
 android{1}:  AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o,
rekeying disabled
 android{1}:   0.0.0.0/0 === 10.0.1.1/32


/>ip route show table 220
--
10.0.1.1 via 147.188.254.72 dev ppp64  proto static

/>iptables -L
---
Chain INPUT (policy DROP)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere
ACCEPT all  --  192.168.7.0/24   anywhere
REJECT all  --  192.168.7.0/24   anywhere reject-with
icmp-port-unreachable
ACCEPT icmp --  anywhere 5acb8d5d.bb.sky.com
ACCEPT all  --  anywhere 5acb8d5d.bb.sky.com  ctstate
RELATED,ESTABLISHED
ACCEPT udp  --  anywhere 5acb8d5d.bb.sky.com  ctstate
NEW,RELATED,ESTABLISHED udp dpt:isakmp
ACCEPT udp  --  anywhere 5acb8d5d.bb.sky.com  ctstate
NEW,RELATED,ESTABLISHED udp dpt:ipsec-nat-t
ACCEPT ah   --  anywhere 5acb8d5d.bb.sky.com  ctstate
NEW,RELATED,ESTABLISHED
ACCEPT all  --  anywhere anywhere policy match
dir in pol ipsec proto esp
ACCEPT tcp  --  anywhere 5acb8d5d.bb.sky.com  ctstate
NEW,RELATED,ESTABLISHED tcp dpt:http
ACCEPT tcp  --  anywhere 5acb8d5d.bb.sky.com  ctstate
NEW,RELATED,ESTABLISHED tcp dpt:https
ACCEPT tcp  --  anywhere 5acb8d5d.bb.sky.com  ctstate
NEW,RELATED,ESTABLISHED tcp dpt:telnet
ACCEPT tcp  --  anywhere ironbox.meehien.lan  ctstate
NEW,RELATED,ESTABLISHED tcp dpt:51413
ACCEPT udp  --  anywhere ironbox.meehien.lan  ctstate
NEW,RELATED,ESTABLISHED udp dpt:51413
ACCEPT tcp  --  anywhere anywhere tcp spt:bootpc
dpt:bootps
ACCEPT udp  --  anywhere anywhere udp spt:bootpc
dpt:bootps
REJECT all  --  anywhere anywhere reject-with
icmp-port-unreachable

Chain FORWARD (policy DROP)
target prot opt source   destination
TCPMSS tcp  --  anywhere anywhere tcp
flags:SYN,RST/SYN TCPMSS
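
A quick way to read the status output above, added here as an example and not part of the original post or of strongSwan's own tooling: the CHILD_SA line shows 1570 bytes_i but 0 bytes_o, i.e. the kernel is decapsulating packets from the client but never encapsulating any reply into the SA, so the problem is on the return path rather than in the IKE negotiation. The script below parses ipsec statusall, pairs each INSTALLED CHILD_SA with its byte counters, classifies the traffic pattern and lists what to inspect next for each pattern. The embedded status text is constructed from the two statusall outputs quoted in this digest, with the mail-wrapped lines re-joined as charon prints them; the second CHILD_SA is named "site" only for the example.

```python
"""Classify CHILD_SA traffic counters from 'ipsec statusall' to spot one-way tunnels."""
import re
from typing import Dict, List

# " android{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cde084f3_i 1c5743ef_o"
INSTALLED_RE = re.compile(
    r"^\s*(?P<conn>[^{\s]+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), reqid \d+, "
    r"(?P<encap>ESP(?: in UDP)?) SPIs:")
# " android{1}:  AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o, rekeying disabled"
COUNTER_RE = re.compile(
    r"^\s*(?P<conn>[^{\s]+)\{(?P<id>\d+)\}:\s+\S+, (?P<bi>\d+) bytes_i(?: \([^)]*\))?, "
    r"(?P<bo>\d+) bytes_o")

# What to look at for each pattern; the commands are standard iproute2 / iptables ones.
CHECKS = {
    "inbound only": [
        "ip -s xfrm state          # does the outbound SA's byte counter move at all?",
        "ip xfrm policy            # is there a 'dir out' policy for the client's address?",
        "ip route show table 220   # strongSwan's route for the remote selector",
        "iptables -S FORWARD; iptables -t nat -S POSTROUTING   # policy-match ACCEPT before MASQUERADE?",
    ],
    "outbound only": ["tcpdump -ni <wan> udp port 4500 or esp   # is anything arriving at all?"],
    "idle": ["generate traffic from the client, then re-run ipsec statusall"],
    "two-way": [],
}


def verdict(bytes_i: int, bytes_o: int) -> str:
    """bytes_i counts packets the kernel decapsulated from this SA, bytes_o the ones it
    encapsulated into it; a non-zero/zero split means one direction never reaches the SA."""
    if bytes_i and not bytes_o:
        return "inbound only"
    if bytes_o and not bytes_i:
        return "outbound only"
    if not bytes_i and not bytes_o:
        return "idle"
    return "two-way"


def classify_child_sas(statusall: str) -> Dict[str, Dict[str, object]]:
    """Pair each INSTALLED CHILD_SA with its byte counters and a traffic verdict."""
    sas: Dict[str, Dict[str, object]] = {}
    for line in statusall.splitlines():
        m = INSTALLED_RE.match(line)
        if m:
            sas[f"{m['conn']}{{{m['id']}}}"] = {"mode": m["mode"], "encap": m["encap"]}
            continue
        m = COUNTER_RE.match(line)
        if m:
            entry = sas.setdefault(f"{m['conn']}{{{m['id']}}}", {})
            bytes_i, bytes_o = int(m["bi"]), int(m["bo"])
            entry.update(bytes_i=bytes_i, bytes_o=bytes_o, verdict=verdict(bytes_i, bytes_o))
    return sas


def next_checks(sa: Dict[str, object]) -> List[str]:
    """The commands worth running for the pattern this CHILD_SA shows."""
    return CHECKS[str(sa["verdict"])]


# Constructed sample built from the statusall outputs quoted in this digest.
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
 android[10]: ESTABLISHED 24 seconds ago, 90.203.141.93[mihaiordean.com]...147.188.254.72[C=GB, O=mihaiordean.com, CN=vpn-client]
 android[10]: IKEv2 SPIs: 446cfc0fce52fc90_i 95cc24497fefd7b9_r*, rekeying disabled
 android{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cde084f3_i 1c5743ef_o
 android{1}:  AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o, rekeying disabled
 android{1}:   0.0.0.0/0 === 10.0.1.1/32
 site{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c84807a5_i c234d7e7_o
 site{2}:  AES_GCM_16_128, 336 bytes_i (4 pkts, 6s ago), 336 bytes_o (4 pkts, 6s ago), rekeying in 32 minutes
 site{2}:   172.30.101.0/24 === 10.1.1.0/24
"""

if __name__ == "__main__":
    for name, sa in classify_child_sas(SAMPLE_STATUSALL).items():
        print(f"{name}: {sa['encap']}, {sa['bytes_i']} bytes in, {sa['bytes_o']} bytes out "
              f"-> {sa['verdict']}")
        for cmd in next_checks(sa):
            print("   ", cmd)
```

For an inbound-only SA the outbound xfrm policy is the thing to inspect: `ip -s xfrm state` and `ip xfrm policy` show whether the kernel has an out policy for 10.0.1.1/32 and whether its counters move, and the FORWARD and POSTROUTING rules must let policy-matched traffic through (`-m policy --dir out --pol ipsec`) before any MASQUERADE rule rewrites the source address, since a masqueraded reply no longer matches the selector and leaves the box in the clear.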