rowdy wrote:
On Tuesday 15 February 2005 09:15, Ola Nilsson wrote:
I've got problems with getting IPSec (using NAT-T) traffic through my Linux 2.6.10 based firewall. I've now changed my iptables script to something rather simple:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I've been struggling with this as well. Take a look at http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/firewall.html .
I used this query to find this link and a number of others that could be helpful: "esp ipsec firewall rule"
I added rules like the following (but to user chains that I then added to the input, output and forward chains) to solve my hassles (clipped from the freeswan link above):
# allow IPsec
#
# IKE negotiations
iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
Good luck.
Hello,
That's more than pointless, as he has INPUT, OUTPUT and FORWARD policies set to ACCEPT and no other rules.
regards, Georgi Alexandrov
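The following is an added example and not code from any of the posts above. It combines the two points of the thread: rowdy's approach of putting the IPsec pass rules into user chains hooked from INPUT, OUTPUT and FORWARD, and Georgi's observation that such rules only mean something once the built-in chains default to DROP. It also adds the NAT-T port that the original question mentions but the clipped freeswan rules do not cover (UDP 4500, where IKE and ESP move after NAT is detected, per RFC 3948). Interface names eth0/eth1, the chain names ipsec-in/ipsec-out/ipsec-fwd, and the IPT override variable are assumptions made for the example; setting IPT=echo prints the rules instead of loading them, so the script can be inspected on a machine without iptables.

```shell
#!/bin/sh
# Added example, not from the thread: a default-DROP forwarding/masquerading
# firewall that passes IPsec through explicit user chains. IKE uses UDP 500,
# NAT-T uses UDP 4500 (RFC 3948), raw ESP is IP protocol 50.
# IPT defaults to the real binary; IPT=echo prints the rules instead (assumed knob).
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}   # assumed external interface
LAN=${LAN:-eth1}   # assumed internal interface

# Append the IPsec pass rules to one user chain (chain name is the argument).
ipsec_rules() {
    chain=$1
    # IKE negotiation; the NAT-T detection also happens on this port
    $IPT -A "$chain" -p udp --dport 500 -j ACCEPT
    # NAT-Traversal: once NAT is detected, IKE and UDP-encapsulated ESP use 4500
    $IPT -A "$chain" -p udp --dport 4500 -j ACCEPT
    # Raw ESP for peers not behind NAT. Protocol 50 has no ports, so it cannot
    # be masqueraded; that is exactly why NAT-T exists.
    $IPT -A "$chain" -p 50 -j ACCEPT
    # Replies to the flows above come back through connection tracking
    $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Build the whole ruleset: flush, default DROP, hook the IPsec chains into the
# three built-in chains, then masquerade LAN clients leaving via WAN.
# Only IPsec-related traffic is opened here; a real box needs its other services added.
build_firewall() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    for c in ipsec-in ipsec-out ipsec-fwd; do
        $IPT -N "$c"
        ipsec_rules "$c"
    done
    $IPT -A INPUT   -j ipsec-in
    $IPT -A OUTPUT  -j ipsec-out
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ipsec-fwd
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -j ipsec-fwd
    # UDP 500/4500 flows of LAN clients are masqueraded like any other UDP;
    # raw ESP from a LAN client is forwarded but cannot be rewritten by MASQUERADE.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Self-check helpers: render the ruleset with IPT=echo and count what it opens.
render_rules() {
    ( IPT=echo; build_firewall )
}
count_natt_rules() {
    render_rules | grep -c -- '--dport 4500'
}
count_drop_policies() {
    render_rules | grep -c -- '-P .* DROP'
}

# Load the rules for real only when invoked as: sh firewall.sh apply
if [ "${1:-}" = apply ]; then
    build_firewall
fi
```

Run it as `sh firewall.sh apply` on the firewall, or `IPT=echo sh firewall.sh` elsewhere to review the generated rules; the three user chains each get the four IPsec rules, and the `-P ... DROP` lines are what give them a purpose.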