On Thu, Dec 02, 2004 at 10:22:27AM -0800, Helge Weissig wrote:
> The iptable logs are not complete

if you're not providing all the details, i'm not sure how we're supposed
to be able to help. the information i was going on was:

Chain PREROUTING (policy ACCEPT 1380 packets, 95540 bytes)
 pkts bytes target  prot opt in  out  source     destination
    0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 6 prefix `all preroute: '

and the log entries:

Dec 1 21:38:37 gollum kernel: all preroute: IN=eth1 OUT= MAC=00:c0:4f:22:05:03:00:30:65:1f:ed:0a:08:00 SRC=10.0.0.200 DST=(VPN SERVER IP) LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=8977 PROTO=ESP SPI=0x2e9dc0d2

your log rule in PREROUTING of the nat table should catch every single
packet, before any filtering (or even routing) takes place (unless you
have filter rules in mangle). the fact that every log entry you provided
(like the above) shows ESP from client->server means:

1) there are zero ESP packets coming from server->client
2) you removed those log entries from your post
3) packets from server->client disappear somewhere between the pcap
   layer and the netfilter PREROUTING hook

are you saying it's #2?

> and as I mentioned, I may need help with
> setting that up. I can see the packets coming from the server with tcpdump
> as I showed in my original post but then an immediate reply is sent back
> and nothing goes through to the internal interface.

if you can see ESP packets hitting your external interface from the VPN
server with tcpdump, but a log rule in PREROUTING of the nat table
doesn't see them--you have something horribly, horribly wrong with your
firewall machine.

> The same thing happens
> when I use nmap to scan ip protocols. Conversely, my internal ESP traffic
> ends at the internal interface of my firewall. It never reaches the
> external interface or the outside. TCP traffic works fine as you can see
> from the ping logs from the internal client. Could this indicate that
> there is a problem before anything gets to iptables?

yes. if you use these rules:

iptables -t nat -A PREROUTING -p 50 -j LOG \
    --log-prefix "PREROUTE ESP: "
iptables -A FORWARD -p 50 -j LOG --log-prefix "FWD ESP: "
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

you should get logs in both directions (client->server and
server->client). if not...well, let's assume for now that you will...

it would also greatly help if you made sure to post all the logs
generated by the above, so as not to mislead us.

-j

--
"Ah, beer, my one weakness. My Achilles heel, if you will."
    --The Simpsons
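The reply above asks the poster to collect the "PREROUTE ESP: " and "FWD ESP: " log entries and check that ESP shows up in both directions. The script below is an added example, not code from the thread: it parses netfilter LOG lines from the kernel log, counts ESP packets per log prefix and direction relative to the VPN server, and reports which hook/direction combinations have no entries at all. The sample log lines are constructed, and 192.0.2.10 (VPN server) and 203.0.113.5 (firewall external address) are documentation-range placeholders, not addresses from the thread.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in netfilter LOG format. They are not from
# the original thread: 192.0.2.10 stands in for the VPN server and 203.0.113.5
# for the firewall's external address (both documentation-range placeholders).
SAMPLE_LOG = """\
Dec  1 21:38:37 gollum kernel: PREROUTE ESP: IN=eth1 OUT= MAC=00:c0:4f:22:05:03:00:30:65:1f:ed:0a:08:00 SRC=10.0.0.200 DST=192.0.2.10 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=8977 PROTO=ESP SPI=0x2e9dc0d2
Dec  1 21:38:37 gollum kernel: FWD ESP: IN=eth1 OUT=eth0 SRC=10.0.0.200 DST=192.0.2.10 LEN=136 TOS=0x00 PREC=0x00 TTL=63 ID=8977 PROTO=ESP SPI=0x2e9dc0d2
Dec  1 21:38:38 gollum kernel: PREROUTE ESP: IN=eth0 OUT= MAC=00:c0:4f:22:05:04:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=136 TOS=0x00 PREC=0x00 TTL=52 ID=1234 PROTO=ESP SPI=0x1a2b3c4d
Dec  1 21:38:40 gollum kernel: PING: IN=eth1 OUT=eth0 SRC=10.0.0.200 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=8 CODE=0
"""

VPN_SERVER = "192.0.2.10"  # assumed placeholder for the VPN server address

# Everything between "kernel: " and the first "IN=" is the --log-prefix string;
# the rest of the line is the KEY=value field list netfilter's LOG target writes.
LOG_LINE = re.compile(r"kernel: (?P<prefix>.*?)(?=IN=)(?P<fields>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(text):
    """Return a list of (prefix, fields) for every netfilter LOG line in text.

    prefix is the --log-prefix string (trailing space stripped); fields maps
    KEY to value for IN=, OUT=, SRC=, DST=, PROTO= and so on (OUT= may be
    empty, as it is in PREROUTING).
    """
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        fields = dict(FIELD.findall(m.group("fields")))
        entries.append((m.group("prefix").strip(), fields))
    return entries


def esp_direction_counts(entries, vpn_server):
    """Count PROTO=ESP entries per (prefix, direction).

    Direction is judged relative to the VPN server address: a packet whose
    DST is the server is client->server, one whose SRC is the server is
    server->client. Non-ESP lines (ICMP, TCP, ...) are ignored.
    """
    counts = Counter()
    for prefix, f in entries:
        if f.get("PROTO") != "ESP":
            continue
        if f.get("DST") == vpn_server:
            direction = "client->server"
        elif f.get("SRC") == vpn_server:
            direction = "server->client"
        else:
            direction = "unrelated"
        counts[(prefix, direction)] += 1
    return counts


def missing_directions(counts, prefixes=("PREROUTE ESP:", "FWD ESP:")):
    """Return {prefix: [directions that produced zero ESP log entries]}.

    An empty result means both hooks saw ESP in both directions, which is
    what the reply above says a working setup should produce.
    """
    missing = {}
    for prefix in prefixes:
        gaps = [d for d in ("client->server", "server->client")
                if counts[(prefix, d)] == 0]
        if gaps:
            missing[prefix] = gaps
    return missing


if __name__ == "__main__":
    entries = parse_netfilter_log(SAMPLE_LOG)
    counts = esp_direction_counts(entries, VPN_SERVER)
    for (prefix, direction), n in sorted(counts.items()):
        print(f"{prefix:14s} {direction:16s} {n}")
    print("missing:", missing_directions(counts))
```

Run it against the real kernel log with `parse_netfilter_log(open("/var/log/kern.log").read())` (path varies by distribution) and the actual VPN server address. On the constructed sample it reports that the FORWARD chain never logged server->client ESP even though PREROUTING did, which narrows the problem to the stretch between those two hooks. One point to keep in mind when reading such logs: the nat table is consulted only for the first packet of a connection that conntrack considers new, so a LOG rule there does not record every packet; a LOG rule in the mangle table's PREROUTING chain is traversed by all of them.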