Just to muddy the waters, through experimentation, I have found that using
Checkpoint SecuRemote (on windows) behind a Linux netfilter firewall, I can
achieve an IPSEC connection using just:
iptables -A FORWARD -s $INTERNAL_NET -j ACCEPT
iptables -A FORWARD -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED \
-j ACCEPT
I.e. explicit per-protocol forwarding seems unnecessary. (Though you might
want to be explicit for security/control reasons.) [Note, no UDP
encapsulation, either]
I do experience weird time-outs occasionally, apparently connected to
incoming IKE packets (UDP port 500) that aren't recognized as connected,
but I can get around this by just accepting them to the firewall, which
does nothing as there is nothing running on that port. (I'm trying
variations of reject/drop to see if there is a better way to reply.)
Regards,
David
At 09:00 AM 10/15/2002, Antony Stone wrote:
>On Tuesday 15 October 2002 12:09 pm, George Agnelli wrote:
>
> > I'm having a similar problem and am not very experienced yet with iptables.
> >
> > > Make sure you are forwarding (both ways :-) protocol 50 (ESP), protocol
> > > 51 (AH) and UDP sport 500 / dport 500 (IKE).
> >
> > Could you show me the best way to write this in iptables syntax?
>
>iptables -A FORWARD -p esp -j ACCEPT
>iptables -A FORWARD -p ah -j ACCEPT
>iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
>
>You may wish to add some -s and/or -d source & destination address
>restrictions on the above rules, eg:
>
>iptables -A FORWARD -p esp -s a.b.c.d -d w.x.y.z -j ACCEPT
>iptables -A FORWARD -p esp -s w.x.y.z -d a.b.c.d -j ACCEPT
>
>where a.b.c.d and w.x.y.z are the two IPsec gateways which need to
>communicate.
>
>Antony.
