On Mon, Nov 22, 2004 at 08:32:54PM +0100, Björn Schmidt wrote:
> Jason Opperisano wrote:
> >alright--let's reset here. this is how i understand the situation:
> >
> >you have two machines:
> >
> >192.168.1.1 (skyron)
> >192.168.1.2 (gigabyte)
>
> Yes.
>
> >there's an IPSec tunnel setup between the two machines to encrypt all
> >traffic between them.
>
> No, not a tunnel. IPsec in transport mode:
>
> http://www.ipsec-howto.org/x247.html
>
> >you are trying to initiate an SSH connection from 192.168.1.1 to
> >192.168.1.2.
>
> No, from 192.168.1.2 to 192.168.1.1
>
> >192.168.1.2 is running iptables.
>
> Yes.
>
> >with no rules loaded on 192.168.1.2, the SSH connection from 192.168.1.1
> >succeeds.
>
> No, but:
>
> with no rules loaded on 192.168.1.2, the SSH connection from 192.168.1.2
> to 192.168.1.1 succeeds.
>
> >once you load a basic ruleset on 192.168.1.2--the ACK packets from
> >192.168.1.2 to 192.168.1.1 get dropped in the OUTPUT chain which allows
> >"-m state --state ESTABLISHED" packets.
>
> Yes.

would you be so kind as to humor me by loading the following rule set on
192.168.1.2? essentially--it is the minimal ruleset you can load on
192.168.1.2 to allow bi-directional, IPSec-only communications between the
two machines. if 192.168.1.2 needs to communicate outbound to other hosts,
or if other hosts need to communicate to 192.168.1.2--this rule set DOES
NOT take that into account (you've been warned). you'll also probably have
to re-establish the VPN after the firewall rules are loaded (i.e. load
firewall rules first, then initiate VPN). if you choose to load it--let us
know what happens.
---BEGIN SCRIPT---
#!/bin/sh
# the IPsec transport-mode peer (192.168.1.1, skyron); nothing else is allowed
VPNPEER="192.168.1.1"

# flush all rules, delete user-defined chains and zero counters in every table
for table in mangle nat filter; do
    iptables -t $table -F
    iptables -t $table -X
    iptables -t $table -Z
done

# default deny on all three built-in filter chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# mark ESP (proto 50) and AH (proto 51) packets coming from the peer so the
# traffic they carry can be recognised in INPUT
iptables -t mangle -A PREROUTING -p 50 -s $VPNPEER -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p 51 -s $VPNPEER -j MARK --set-mark 1

# INPUT: replies, new connections that arrived marked (i.e. via IPsec),
# ESP/AH and IKE (udp/500) from the peer, and loopback; log anything else
# before the DROP policy takes it
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m mark --mark 1 -m state --state NEW -j ACCEPT
iptables -A INPUT -p 50 -s $VPNPEER -j ACCEPT
iptables -A INPUT -p 51 -s $VPNPEER -j ACCEPT
iptables -A INPUT -p udp -s $VPNPEER --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "

# OUTPUT: replies, ESP/AH and IKE to the peer, new connections to the peer
# only, and loopback; log anything else before the DROP policy takes it
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p 50 -d $VPNPEER -j ACCEPT
iptables -A OUTPUT -p 51 -d $VPNPEER -j ACCEPT
iptables -A OUTPUT -p udp -d $VPNPEER --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -d $VPNPEER -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
--- END SCRIPT ---

-j

-- 
"Ah, beer, my one weakness. My Achilles heel, if you will."
	--The Simpsons
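As an added illustration that is not part of the thread (and not iptables itself), the following Python model walks the posted ruleset's chains top to bottom with first-match semantics against constructed packets: an ESP packet from the peer, an SSH packet carried inside it, the same SSH packet arriving in the clear, the outbound SSH SYN and ACKs from gigabyte to skyron, and a NEW connection to some other host (the caveat in the post). The hostnames, addresses and ports are those from the thread or made up for the scenarios; the model's one substantive assumption, stated in the code, is that the packet decrypted out of a transport-mode ESP packet keeps the mark that PREROUTING set on the ESP packet, which is what the `-m mark --mark 1` INPUT rule relies on.

```python
from dataclasses import dataclass

# Constructed teaching model of the ruleset posted above; it evaluates the
# mangle PREROUTING, filter INPUT and filter OUTPUT chains, not the kernel.
VPNPEER = "192.168.1.1"          # skyron, as in the posted script
ESP, AH, TCP, UDP = 50, 51, 6, 17


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"           # conntrack state as -m state sees it
    iface: str = "eth0"          # ingress (INPUT) or egress (OUTPUT) interface
    mark: int = 0                # skb mark; MARK --set-mark changes it


def from_peer(p): return p.src == VPNPEER
def to_peer(p): return p.dst == VPNPEER
def in_state(*s): return lambda p: p.state in s
def ike(p): return p.proto == UDP and p.sport == 500 and p.dport == 500

# A chain is a list of (rule text, predicate, target). MARK and LOG act and
# fall through to the next rule; ACCEPT/DROP end evaluation.
MANGLE_PREROUTING = [
    ("-p 50 -s $VPNPEER -j MARK --set-mark 1", lambda p: p.proto == ESP and from_peer(p), "MARK"),
    ("-p 51 -s $VPNPEER -j MARK --set-mark 1", lambda p: p.proto == AH and from_peer(p), "MARK"),
]
FILTER_INPUT = [
    ("-m state --state ESTABLISHED,RELATED -j ACCEPT", in_state("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("-m mark --mark 1 -m state --state NEW -j ACCEPT", lambda p: p.mark == 1 and p.state == "NEW", "ACCEPT"),
    ("-p 50 -s $VPNPEER -j ACCEPT", lambda p: p.proto == ESP and from_peer(p), "ACCEPT"),
    ("-p 51 -s $VPNPEER -j ACCEPT", lambda p: p.proto == AH and from_peer(p), "ACCEPT"),
    ("-p udp -s $VPNPEER --sport 500 --dport 500 -j ACCEPT", lambda p: ike(p) and from_peer(p), "ACCEPT"),
    ("-i lo -j ACCEPT", lambda p: p.iface == "lo", "ACCEPT"),
    ('-j LOG --log-prefix "INPUT DROP: "', lambda p: True, "LOG"),
]
FILTER_OUTPUT = [
    ("-m state --state ESTABLISHED,RELATED -j ACCEPT", in_state("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("-p 50 -d $VPNPEER -j ACCEPT", lambda p: p.proto == ESP and to_peer(p), "ACCEPT"),
    ("-p 51 -d $VPNPEER -j ACCEPT", lambda p: p.proto == AH and to_peer(p), "ACCEPT"),
    ("-p udp -d $VPNPEER --sport 500 --dport 500 -j ACCEPT", lambda p: ike(p) and to_peer(p), "ACCEPT"),
    ("-m state --state NEW -d $VPNPEER -j ACCEPT", lambda p: p.state == "NEW" and to_peer(p), "ACCEPT"),
    ("-o lo -j ACCEPT", lambda p: p.iface == "lo", "ACCEPT"),
    ('-j LOG --log-prefix "OUTPUT DROP: "', lambda p: True, "LOG"),
]


def run_chain(chain, pkt, policy="DROP"):
    """Walk a chain top to bottom; return (verdict, texts of matched rules)."""
    trace = []
    for text, pred, target in chain:
        if not pred(pkt):
            continue
        trace.append(text)
        if target == "MARK":
            pkt.mark = 1             # --set-mark 1, then keep walking
        elif target != "LOG":        # LOG never terminates; ACCEPT/DROP do
            return target, trace
    return policy, trace             # fell off the end: chain policy applies


def inbound(pkt):
    """Packet arriving from the wire: mangle PREROUTING, then filter INPUT."""
    run_chain(MANGLE_PREROUTING, pkt, policy="ACCEPT")
    return run_chain(FILTER_INPUT, pkt, policy="DROP")


def outbound(pkt):
    """Locally generated packet: only filter OUTPUT has rules in the script."""
    return run_chain(FILTER_OUTPUT, pkt, policy="DROP")


def decapsulate(esp_pkt, inner_proto, sport, dport, state="NEW"):
    """Transport-mode ESP decapsulation. ASSUMPTION of this model: the
    decrypted inner packet keeps the mark PREROUTING put on the ESP packet."""
    return Packet(inner_proto, esp_pkt.src, esp_pkt.dst, sport, dport,
                  state=state, iface=esp_pkt.iface, mark=esp_pkt.mark)


def demo():
    """Scenarios from the thread; returns {name: verdict or flag}."""
    r = {}
    esp = Packet(ESP, VPNPEER, "192.168.1.2")                 # outer ESP from skyron
    r["esp_in"] = inbound(esp)[0]
    ssh_in = decapsulate(esp, TCP, 40000, 22)                 # SSH SYN from skyron, inside ESP
    r["ssh_in_via_ipsec"] = inbound(ssh_in)[0]
    clear = Packet(TCP, VPNPEER, "192.168.1.2", 40000, 22)    # same SYN, cleartext: no mark
    verdict, trace = inbound(clear)
    r["ssh_in_cleartext"] = verdict
    r["ssh_in_cleartext_logged"] = any("LOG" in t for t in trace)
    r["ssh_out_to_peer"] = outbound(Packet(TCP, "192.168.1.2", VPNPEER, 40000, 22))[0]
    r["ack_out_to_peer"] = outbound(Packet(TCP, "192.168.1.2", VPNPEER, 40000, 22, state="ESTABLISHED"))[0]
    r["ssh_out_to_other"] = outbound(Packet(TCP, "192.168.1.2", "192.168.1.50", 40001, 22))[0]  # the caveat
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The model reproduces the two things the post warns about: a NEW connection to any host other than $VPNPEER falls through OUTPUT to the LOG rule and the DROP policy, and a cleartext packet from the peer is dropped in INPUT because only ESP/AH-carried traffic picks up mark 1, so the VPN must be up before SSH is tried.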