Hello Harald,
> Maybe I am too blind to see, but I haven't found this in
> the wiki. This is the code I added to the forward chain:
>
> iptables -A FORWARD -s ${right_lan} -d ${left_lan} -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
> iptables -A FORWARD -s ${left_lan} -d ${right_lan} -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
Correct, that is not explicitly written on the wiki, but I wrote something
similar in "SecurityRecommendations".
> iptables -A FORWARD -d 10.0.0.0/8 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited
So the module should be known to anyone actually caring about understanding
what it does, instead of blindly copying and pasting rules.
Your rule looks fine, if your routing table routes ${right_lan} over eth0. But
please use iptables-save and -restore.
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
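The rules discussed above, written as an iptables-restore ruleset the way Noel suggests, as an added example that is not part of the original thread or of strongSwan itself. The subnets, the interface name and the default DROP policy on FORWARD are assumptions for illustration; the script only applies the ruleset when it runs as root on a host that has iptables-restore, and otherwise just generates it.

```shell
#!/bin/sh
# Added example (not from the original thread): forward traffic between two
# LANs only when it is covered by an IPsec ESP policy, and refuse unprotected
# traffic towards the private 10.0.0.0/8 range. All values below are assumed.
left_lan="192.168.1.0/24"   # assumed: LAN behind this gateway
right_lan="192.168.2.0/24"  # assumed: remote LAN reached through the tunnel
wan_if="eth0"               # assumed: interface that routes ${right_lan}

# Emit the ruleset in iptables-restore format. The FORWARD default of DROP
# is an assumption; it makes the two policy-matched ACCEPTs the only way
# between the LANs.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Decrypted packets from the remote LAN, only if they arrived inside ESP
-A FORWARD -s ${right_lan} -d ${left_lan} -i ${wan_if} -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Packets towards the remote LAN, only if an outbound ESP policy will protect them
-A FORWARD -s ${left_lan} -d ${right_lan} -o ${wan_if} -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Anything bound for 10.0.0.0/8 that no IPsec policy covers is refused
-A FORWARD -d 10.0.0.0/8 -m policy --dir out --pol none -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Self-check helper: number of rules that require an ESP policy.
count_esp_rules() {
  gen_ruleset | grep -c -- '--pol ipsec --proto esp'
}

# Load the ruleset atomically. iptables-restore --test parses without
# committing, so a syntax error never leaves a half-applied table.
apply_ruleset() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
  else
    echo "not root or iptables-restore missing; ruleset generated but not applied" >&2
    return 1
  fi
}

# Stand-alone run: print the generated ruleset for review.
gen_ruleset
```

Because the whole table is loaded in one iptables-restore call, there is no window in which the policy-matched ACCEPTs exist without the REJECT that backs them, which is the practical reason to prefer it over a sequence of iptables -A commands.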
