Thanks Noel for the reply, There are two issue-
1) I cannot pass the normal traffic through the VPN tunnel and 2) I want
to redirect the all http traffic through the established tunnel.
Following is the current iptables status.
@cloud:~$ sudo iptables-save
[sudo] password for kencloud_mlx:
# Generated by iptables-save v1.6.0 on Fri Apr 6 15:36:00 2018
*filter
:INPUT ACCEPT [2373595:1217217340]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2358742:1592362700]
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
# Completed on Fri Apr 6 15:36:00 2018
# Generated by iptables-save v1.6.0 on Fri Apr 6 15:36:00 2018
*nat
:PREROUTING ACCEPT [343961:24571900]
:INPUT ACCEPT [53423:7217944]
:OUTPUT ACCEPT [12732:772316]
:POSTROUTING ACCEPT [12732:772316]
-A PREROUTING -p tcp -m tcp --dport 26 -j DNAT --to-destination
172.25.12.42:80
COMMIT
# Completed on Fri Apr 6 15:36:00 2018
Thanks
Sujoy
On Thursday 05 April 2018 10:15 PM, Noel Kuntze wrote:
Hello Sujoy,
Do you mean to block all traffic that uses TCP port 80 (0.0.0.0/0[tcp/80]), but
the traffic that is protected in an established tunnel?
Or do you mean to block everything but what is protected?
Kind regards
Noel
On 04.04.2018 10:58, Sujoy wrote:
Hi list members,
I am facing one issue with Strongswan for quite long time. I want to block
all the traffic(http) and pass only the traffic of connected network. But after
so many try, still I cannot do so. Bellow is the configuration status of the
Server which is having multiple connection. It will be a big help if someone
can provide any solution to this. Thanks for the support provide till now from
the members.
root@cloud:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
uptime: 19 hours, since Apr 03 18:02:13 2018
malloc: sbrk 2703360, mmap 0, used 570192, free 2133168
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 12
loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
172.25.12.42
Connections:
tunnel: %any...%any IKEv2, dpddelay=30s
tunnel: local: uses pre-shared key authentication
tunnel: remote: uses pre-shared key authentication
tunnel: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
tunnel[6]: ESTABLISHED 66 minutes ago,
172.25.12.42[X.X.X.X]...223.227.10.138[192.168.1.100]
tunnel[6]: IKEv2 SPIs: 1e596ccc27d7939a_i c459f660671c3952_r*,
pre-shared key reauthentication in 101 minutes
tunnel[6]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
tunnel{16}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cc167350_i
c722bb0f_o
tunnel{16}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
35 minutes
tunnel{16}: X.X.X.X/32 === 192.168.10.1/32
tunnel[5]: ESTABLISHED 76 minutes ago,
172.25.12.42[X.X.X.X]...27.59.17.206[192.168.2.100]
tunnel[5]: IKEv2 SPIs: 6bac8f644b19cf85_i 07c5f9254cda6720_r*,
pre-shared key reauthentication in 90 minutes
tunnel[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
tunnel{17}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3015f13_i
ce6ea6b8_o
tunnel{17}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
36 minutes
tunnel{17}: X.X.X.X/32 === 192.168.10.1/32