Quoting Ariën Huisken <[EMAIL PROTECTED]>:
I'm trying to set up a test VPN connection between two
networks using OpenSWAN with FireHol to generate my
iptables. I'm stuck with this problem: I need to
accomplish the following command in FireHol:
iptables -t nat -A POSTROUTING -o eth0 -d ! 192.0.2.128/29 -j MASQUERADE
I tried the setting:
router lan2anywhere inface eth1 outface eth0
masquerade eth0 dst not 192.0.2.128/29
route all accept
But this resulted in all packets sent to 192.0.2.128/29
being rejected, because the resulting entries (via
iptables -t nat -n -L) are:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
POSTROUTING.1 all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING.1 (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 192.0.2.128/29
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
The second to the last line I think rejects all
traffic to 192.0.2.128/29.
If anything, I'm looking for the correct setting to stop
firehol putting in the RETURN entry, so that the last line
reads:
MASQUERADE all -- 0.0.0.0/0 !192.0.2.128/29
Any help would be greatly appreciated.
Hey Mike,
You could just put the iptables command in your firehol.conf.
Don't know if it helps, but I use freeswan on two TSL 2.0 boxes to tunnel all
traffic from internal eth0 to external eth1 (becomes ipsec0) to connect two
private LANs over the internet, with the following setting in firehol.conf:
# IPSEC interface for tunneling
interface ipsec0 tunnel
policy accept
router IPSECsend inface eth0 outface ipsec0
route all accept
router IPSECreturn inface ipsec0 outface eth0
route all accept
Sorry, forgot the line to accept the ipsec traffic:
# Interface for internet traffic
interface eth1 internet src not "${UNROUTABLE_IPS}"
protection strong 10/sec
server "isakmp AH ESP" accept
server ident reject with tcp-reset
client all accept
# Route traffic for the clients on the LAN
router myrouter inface eth1 outface eth0
masquerade reverse
client all accept
--
Ariën Huisken
Xilay Software
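As an added illustration (not code from the thread, FireHOL or netfilter), the small Python model below walks the nat POSTROUTING listing quoted above exactly as netfilter would: a RETURN from the FireHOL sub-chain lands back in POSTROUTING, whose policy is ACCEPT, so packets for 192.0.2.128/29 leave un-NATed and everything else is masqueraded, the same effect as "-d ! 192.0.2.128/29 -j MASQUERADE". The chain contents are taken from the listing; the walk logic is the model's own.

```python
# Model of the nat POSTROUTING table FireHOL generated from
# "masquerade eth0 dst not 192.0.2.128/29" (rules copied from the
# iptables -t nat -n -L output in the thread; the walker is an
# added illustration, not netfilter code).
import ipaddress

VPN_NET = ipaddress.ip_network("192.0.2.128/29")

# Each rule: (match predicate on destination address, target).
# A target naming another chain is a jump, RETURN goes back to the
# caller, MASQUERADE terminates the walk, and running off the end of
# a built-in chain applies its policy (ACCEPT here).
TABLE = {
    "POSTROUTING": [
        (lambda dst: True, "POSTROUTING.1"),      # all -- 0.0.0.0/0 0.0.0.0/0
    ],
    "POSTROUTING.1": [
        (lambda dst: dst in VPN_NET, "RETURN"),    # RETURN all ... 192.0.2.128/29
        (lambda dst: True, "MASQUERADE"),          # MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
    ],
}
POLICY = {"POSTROUTING": "ACCEPT"}   # user-defined chains have no policy


def walk(chain, dst):
    """Verdict for a packet to dst: 'MASQUERADE' (source NAT applied),
    'ACCEPT' (left with its original source), or None when a
    user-defined chain falls off its end and returns to the caller."""
    for matches, target in TABLE[chain]:
        if not matches(dst):
            continue
        if target == "RETURN":
            return None                       # back to the calling chain
        if target in TABLE:                   # jump into a user-defined chain
            verdict = walk(target, dst)
            if verdict is not None:
                return verdict
            continue                          # sub-chain returned: keep walking
        return target                         # terminating target
    return POLICY.get(chain)                  # end of chain: policy (or implicit RETURN)


def verdict_for(dst_text):
    return walk("POSTROUTING", ipaddress.ip_address(dst_text))


if __name__ == "__main__":
    # Constructed sample destinations: one inside the VPN subnet, one outside.
    for dst in ("192.0.2.130", "198.51.100.7"):
        print(dst, "->", verdict_for(dst))
```

Traffic for the tunnel subnet is therefore accepted without NAT rather than dropped; if it is not arriving, the cause lies outside this table.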
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss