On 02/13/2011 08:49 AM, Rene Bartsch wrote:
> After removing "leftfirewall=yes" from ipsec.conf and adding the incoming
> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually, it
> seems to work.

That's strange. Can you save the output of "iptables-save" in both cases and run a diff against both files to see what's the difference?

To avoid unsecured packets leaking the VPN gateway, I use the following rules.

# IPsec
# Allow traffic from and to subnet 10.111.11.0/24 through the IPSec tunnel.
iptables -A FORWARD -s 10.111.11.0/24 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -d 10.111.11.0/24 -m policy --dir in --pol ipsec -j ACCEPT

# Do not forward packets to private ip addresses to the internet
iptables -A FORWARD -d 192.168.0.0/255.255.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -d 172.16.0.0/255.240.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -d 10.0.0.0/255.0.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable

The first rule permits traffic which is secured by IPsec. Rules 3 through 5 make sure that traffic that is not secured by IPsec and is destined for private IP addresses will be rejected. This is important in case IPsec is down.

> -A INPUT -d xxx.xxx.xxx.102 -m policy --dir in --pol ipsec
> -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT

I believe that this rule does not make sense since the dest. addr (-d a.b.c.d) should be the dest addr of the plaintext packet. xxx.xxx.xxx.102 is probably your public IP address and the dest addr of the ESP packet.

-Daniel
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
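As an added illustration of how the FORWARD chain above behaves with the tunnel up versus down (this is not code from the mail or from strongSwan): a small Python model that parses those rules and applies first-match semantics to constructed packets. A packet's `ipsec` field stands in for the policy match ("out" = the packet will be encapsulated, "in" = it arrived decapsulated); the remote subnet 10.222.22.0/24, the hosts and the interface names are assumptions.

```python
import ipaddress
import shlex

# Constructed sample input: the FORWARD rules from the mail in iptables-save form.
FORWARD_RULES = """
-A FORWARD -s 10.111.11.0/24 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -d 10.111.11.0/24 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
-A FORWARD -d 172.16.0.0/255.240.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
-A FORWARD -d 10.0.0.0/255.0.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
""".strip().splitlines()


def parse_rule(line):
    """Reduce one '-A FORWARD ...' line to the match options this model understands."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        if toks[i] in ("-s", "-d"):
            # ipaddress accepts both prefix-length and dotted-netmask notation
            rule[toks[i]] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif toks[i] in ("-o", "--dir", "--pol", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # -A, -m policy, --reject-with ... carry no match state here
    return rule


def rule_matches(rule, pkt):
    """pkt: src, dst, out (egress interface), ipsec (set of policy directions
    that apply: 'in' = arrived decapsulated, 'out' = will be encapsulated)."""
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"]:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"]:
        return False
    if "-o" in rule and pkt["out"] != rule["-o"]:
        return False
    if rule.get("--pol") == "ipsec" and rule["--dir"] not in pkt["ipsec"]:
        return False
    return True


def forward_verdict(pkt, rules=FORWARD_RULES):
    """First match wins, as in a real chain; None means the chain policy decides."""
    for line in rules:
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["-j"]
    return None
```

Reversing the rule order makes the private-destination REJECT fire before the policy ACCEPT, so legitimate tunnel traffic is rejected; the order in the mail is what gives the fail-closed behaviour when the SA is missing.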
