On Sat, 12 Feb 2011 16:42:42 -0800, Daniel Mentz <[email protected]> wrote:

> On 02/12/2011 12:30 PM, Rene Bartsch wrote:
>> My IPTables rules:
>>
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [86:9176]
>
> Hi Rene,
>
> not sure if this is relevant, but I think you're missing some iptables
> rules that allow the decrypted packets through. Your FORWARD chain is
> empty plus the default policy is DROP. Doesn't that mean that your box
> will decrypt the ESP packets but drop the payload shortly after?
>
> Take a look at my setup
>
> # IPsec
> # Allow traffic from and to subnet 10.110.11.0/24 through the IPSec tunnel.
> iptables -A FORWARD -s 10.110.11.0/24 -m policy --dir out --pol ipsec -j ACCEPT
> iptables -A FORWARD -d 10.110.11.0/24 -m policy --dir in --pol ipsec -j ACCEPT

The "leftfirewall=yes" option adds rules to the FORWARD chain automatically at the IPSec handshake:

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.177.0/24     192.168.176.0/24     policy match dir in pol ipsec reqid 16385 proto esp
ACCEPT     all  --  192.168.176.0/24     192.168.177.0/24     policy match dir out pol ipsec reqid 16385 proto esp

> # Accept traffic secured by ipsec
> iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT

Allows ping, but no other packets like HTTP, ...

> # Allow traffic through the IPSec tunnel.
> iptables -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT

Default policy "ACCEPT".

> # Do not mess with packets coming over IPSec
> iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -j ACCEPT
> iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

Fritzbox and Ubuntu server use public IPs for the IPSec daemons, so NAT-T may not be necessary.

> What were the results when troubleshooting using tcpdump? Can you
> configure iptables in a way such that it logs every dropped packet?

I added a LOG target as the last rule in the INPUT and FORWARD chains.
Trying an HTTP request with wget dropped the following packets:

Feb 13 16:15:30 www kernel: [155830.694973] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10640 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:15:33 www kernel: [155833.701026] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10641 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:15:39 www kernel: [155839.716271] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10642 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:15:51 www kernel: [155851.749182] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10643 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:16:15 www kernel: [155875.813376] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10644 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:17:03 www kernel: [155923.877838] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10645 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:41 www kernel: [156021.008584] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22169 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:44 www kernel: [156024.015461] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22170 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:50 www kernel: [156030.023666] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22171 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

But why in the INPUT chain?

Best regards,

Renne

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
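The question at the end of the message (why the drops show up in INPUT rather than FORWARD) comes down to the destination address: a packet whose DST is one of the firewall host's own addresses traverses INPUT, anything routed onward traverses FORWARD. The script below is an added example, not code from the thread or from strongSwan: it parses kernel iptables LOG lines of the kind quoted above, tallies the drops per chain, protocol, destination and port, and compares the chain named in the log prefix with the chain one would expect given a set of local addresses. The sample log is constructed from three lines of the mail plus one invented FORWARD drop, and it assumes, for illustration only, that 192.168.176.1 is an address of the logging host.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: three lines quoted from the mail plus one made-up
# FORWARD drop (DST=192.168.176.50, DPT=443) so both chains appear.
SAMPLE_LOG = """\
Feb 13 16:15:30 www kernel: [155830.694973] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10640 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:15:33 www kernel: [155833.701026] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10641 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:41 www kernel: [156021.008584] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22169 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:20:02 www kernel: [156102.123456] DROP FORWARD: IN=eth0 OUT=eth1 MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.50 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=22200 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumption for the example: the logging host owns 192.168.176.1.
LOCAL_ADDRS = {ip_address("192.168.176.1")}

# "kernel: [uptime] <log-prefix>: KEY=VAL KEY=VAL ..."; the prefix is whatever
# was passed to --log-prefix, here "DROP INPUT" / "DROP FORWARD".
LOG_RE = re.compile(r"kernel: \[\s*\d+\.\d+\] (?P<prefix>.*?): (?P<fields>.*)$")


def parse_log_line(line):
    """Parse one iptables LOG line into a dict; return None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val            # e.g. SRC, DST, PROTO, SPT, DPT
        else:
            rec["flags"].add(tok)     # bare tokens such as DF, SYN, ACK
    return rec


def logged_chain(rec):
    """Chain named in the log prefix (the prefix convention used in the mail)."""
    return rec["prefix"].split()[-1]


def expected_chain(rec, local_addrs):
    """INPUT if the packet is addressed to this host, otherwise FORWARD."""
    return "INPUT" if ip_address(rec["DST"]) in local_addrs else "FORWARD"


def summarize(log_text):
    """Count drops per (chain, protocol, destination, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        counts[(logged_chain(rec), rec.get("PROTO", "?"),
                rec.get("DST", "?"), rec.get("DPT", "-"))] += 1
    return counts


def chain_mismatches(log_text, local_addrs):
    """IP IDs of packets whose logged chain differs from the chain the DST implies."""
    bad = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and logged_chain(rec) != expected_chain(rec, local_addrs):
            bad.append(rec.get("ID"))
    return bad


if __name__ == "__main__":
    for (chain, proto, dst, dpt), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:8} {proto:4} -> {dst}:{dpt}  dropped {n}x")
    print("chain mismatches:", chain_mismatches(SAMPLE_LOG, LOCAL_ADDRS) or "none")
```

With the assumption above the three quoted HTTP SYNs are correctly reported in INPUT, so the rule to inspect is the one meant to accept decrypted traffic in that chain, not the FORWARD rules added by leftfirewall=yes; feeding the script a real `iptables -L -v -n` host address list instead of the placeholder set turns it into a quick consistency check for production logs.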
