I have IPTables version 1.2.6a running on my VPN (FreeS/Wan 1.98b) gateway. I have configured (or so I thought) it to accept incoming and outgoing IPSEC, ESP, and AH traffic. When I try to connect from my remote client, I keep getting a "not permitted" error. Could someone please check my iptables chains and tell me exactly what I'm doing wrong? The IPTables list is attached to this document as a text file.

Niel Harper, CISA
Information Security Engineer
Institute of Electrical and Electronic Engineers
IEEE Information Assurance Task Force
Tel: (246) 424-3809
Fax: (246) 425-6076
Email: niel.harper@ieee.org

[Attachment: iptables.txt]

Chain INPUT (policy DROP)
target     prot opt source               destination
loopback_in  all  --  anywhere             anywhere
interface0_in  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning prefix `giptables-end-of-firewall: '

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `giptables-end-of-firewall: '

Chain OUTPUT (policy DROP)
target     prot opt source               destination
loopback_out  all  --  anywhere             anywhere
interface0_out  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  192.168.10.1         localhost.localdomain
LOG        all  --  anywhere             anywhere            LOG level warning prefix `giptables-end-of-firewall: '

Chain interface0_in (1 references)
target     prot opt source               destination
syn_flood_interface0_in  tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW limit: avg 5/min burst 7 LOG level warning prefix `giptables-new-no-syn: '
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN state NEW
LOG        all  -f  anywhere             anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-fragments: '
DROP       all  -f  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 5/min burst 7 LOG level warning prefix `giptables-malformed-xmas: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 5/min burst 7 LOG level warning prefix `giptables-malformed-null: '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        all  --  192.168.10.2         anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  192.168.10.2         anywhere
LOG        all  --  0.0.0.0/8            anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  0.0.0.0/8            anywhere
LOG        all  --  127.0.0.0/8          anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  127.0.0.0/8          anywhere
LOG        all  --  10.0.0.0/8           anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  10.0.0.0/8           anywhere
LOG        all  --  172.16.0.0/12        anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  172.16.0.0/12        anywhere
LOG        all  --  192.168.0.0/16       anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  192.168.0.0/16       anywhere
LOG        all  --  224.0.0.0/3          anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-spoof: '
DROP       all  --  224.0.0.0/3          anywhere
ACCEPT     udp  --  205.214.192.201      192.168.10.2        udp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  205.214.192.201      192.168.10.2        tcp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT     udp  --  205.214.192.202      192.168.10.2        udp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  205.214.192.202      192.168.10.2        tcp spt:domain dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:telnet dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:smtp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spts:1024:65535 dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:pop3 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:imap dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:http dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:https dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:webcache dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spt:nntp dpts:1024:65535 state ESTABLISHED
ACCEPT     udp  --  anywhere             192.168.10.2        udp spt:ldap dpts:1024:65535 state ESTABLISHED
ACCEPT     icmp --  anywhere             192.168.10.2        state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-norule: '
DROP       all  --  anywhere             anywhere

Chain interface0_out (1 references)
target     prot opt source               destination
ACCEPT     udp  --  192.168.10.2         205.214.192.201     udp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         205.214.192.201     tcp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.10.2         205.214.192.202     udp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         205.214.192.202     tcp spts:1024:65535 dpt:domain state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:login:65535 dpt:ssh state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spt:ssh dpts:login:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:telnet state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:smtp state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spt:smtp dpts:1024:65535 state ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:pop3 state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:imap state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:https state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:webcache state NEW,ESTABLISHED
ACCEPT     tcp  --  192.168.10.2         anywhere            tcp spts:1024:65535 dpt:nntp state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.10.2         anywhere            udp spts:1024:65535 dpt:ldap state NEW,ESTABLISHED
ACCEPT     udp  --  192.168.10.2         anywhere            udp spts:1024:65535 dpts:traceroute:33523 state NEW
ACCEPT     icmp --  192.168.10.2         anywhere            state NEW,RELATED,ESTABLISHED

Chain loopback_in (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain loopback_out (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain syn_flood_interface0_in (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            limit: avg 1/sec burst 3
DROP       all  --  anywhere             anywhere
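An added example, not part of the original post or of the giptables/FreeS/WAN projects. Two things about the listing are worth knowing before reading it: `iptables -L` prints IP protocols 50 and 51 under their /etc/protocols names, ipv6-crypt (ESP) and ipv6-auth (AH), and without `-v` it omits the `-i`/`-o` interface matches on the jumps to the per-interface chains (`iptables -L -v -n` shows them). Read in order, INPUT jumps to interface0_in before it reaches the isakmp, ESP and AH ACCEPT rules, and interface0_in ends with an unconditional LOG (`giptables-drop-src-norule`) followed by DROP. If that jump carries an `-i` match for the external interface, which is the usual reason for a per-interface chain, a packet from the remote client is dropped inside interface0_in and never returns to INPUT to be accepted. The Python below parses the `-L` format and walks the chains for an ESP packet, once over a constructed excerpt of the listing as posted and once with the three VPN ACCEPTs moved ahead of the jump. The binding of interface0_in to eth0, the client address, the small service-name table, and the omission of conntrack state and rate limits are assumptions of the model.

```python
import ipaddress
import re

# Constructed excerpt of the post's `iptables -L` listing: INPUT path only, interface0_in shortened.
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
interface0_in  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning prefix `giptables-end-of-firewall: '

Chain interface0_in (1 references)
target     prot opt source               destination
syn_flood_interface0_in  tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             192.168.10.2        tcp spts:1024:65535 dpt:ssh state NEW,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 7 LOG level warning prefix `giptables-drop-src-norule: '
DROP       all  --  anywhere             anywhere

Chain syn_flood_interface0_in (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            limit: avg 1/sec burst 3
DROP       all  --  anywhere             anywhere
"""
# `iptables -L` without -v hides the -i match on the jump, so binding interface0_in
# to eth0 is an ASSUMPTION of this model, not something the post shows.
ASSUMED_IN_IFACE = {"interface0_in": "eth0"}
SERVICES = {"isakmp": 500, "domain": 53, "ssh": 22}   # constructed /etc/services subset

def parse(listing):
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            m = re.match(r"Chain (\S+)(?: \(policy (\w+)\))?", line)
            current, chains[m.group(1)] = m.group(1), {"policy": m.group(2), "rules": []}
        elif line.strip() and not line.startswith("target"):
            tok = line.split()
            # ipv6-crypt (ESP, proto 50) and ipv6-auth (AH, proto 51) run into the opt column
            if tok[1].endswith("--") and len(tok[1]) > 2:
                tok[1:2] = [tok[1][:-2], "--"]
            chains[current]["rules"].append(tuple(tok[:5]) + (" ".join(tok[5:]),))
    return chains

def addr_match(spec, ip):
    return spec == "anywhere" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(extra, key, port):
    # key is "spt" or "dpt"; covers spt:isakmp, dpt:ssh and spts:1024:65535 forms
    m = re.search(rf"\b{key}s?:(\S+)", extra)
    if m is None:
        return True                      # rule does not constrain this port
    if port is None:
        return False                     # rule wants a port the packet lacks (ESP/AH have none)
    lo, _, hi = m.group(1).partition(":")
    lo = SERVICES.get(lo, lo)
    hi = SERVICES.get(hi, hi) if hi else lo
    return int(lo) <= port <= int(hi)

def rule_matches(rule, pkt):
    target, proto, opt, src, dst, extra = rule
    if opt == "-f" or ASSUMED_IN_IFACE.get(target, pkt["iface"]) != pkt["iface"]:
        return False                     # fragment-only rule, or jump bound to another interface
    return (proto in ("all", pkt["proto"])   # conntrack state and rate limits are not modelled
            and addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])
            and port_match(extra, "spt", pkt.get("sport"))
            and port_match(extra, "dpt", pkt.get("dport")))

def traverse(chains, name, pkt, path):
    # Walk one chain in order; return a verdict, or None when a user chain falls through.
    chain = chains[name]
    for rule in chain["rules"]:
        if not rule_matches(rule, pkt):
            continue
        target, extra = rule[0], rule[5]
        if target == "LOG":              # non-terminating: record the prefix and keep going
            m = re.search(r"prefix `([^']*)'", extra)
            path.append("LOG " + (m.group(1).strip() if m else ""))
        elif target == "RETURN":
            return None
        elif target in ("ACCEPT", "DROP", "REJECT"):
            path.append(f"{name}: {target}")
            return target
        else:                            # jump into a user-defined chain
            path.append(f"{name} -> {target}")
            if verdict := traverse(chains, target, pkt, path):
                return verdict
    if chain["policy"]:
        path.append(f"{name}: policy {chain['policy']}")
    return chain["policy"]

def trace(listing, pkt):
    path = []
    return traverse(parse(listing), "INPUT", pkt, path), path

def hoist_vpn_rules(listing):
    # Candidate fix: move INPUT's isakmp/ESP/AH ACCEPTs ahead of the jump to interface0_in.
    lines = listing.splitlines()
    vpn = [l for l in lines if l.startswith("ACCEPT") and ("isakmp" in l or "ipv6-" in l)]
    rest = [l for l in lines if l not in vpn]
    i = rest.index("Chain INPUT (policy DROP)") + 2   # past the chain line and column header
    return "\n".join(rest[:i] + vpn + rest[i:])
```

Calling `trace(LISTING, {"proto": "ipv6-crypt", "src": "203.0.113.5", "dst": "192.168.10.2", "iface": "eth0"})` returns DROP with the path INPUT -> interface0_in, LOG giptables-drop-src-norule, DROP; the same packet against `hoist_vpn_rules(LISTING)` returns ACCEPT from INPUT directly, and so does UDP 500 to 500. The OUTPUT side differs only in that interface0_out has no trailing LOG and DROP, so it falls back into OUTPUT and the ESP/AH rules there are reached; the `giptables-drop-src-norule` prefix in the kernel log is the quickest confirmation of which case a real packet hit.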