Hey guys I have a problem trying to use iptables on a machine that has an
GRE tunnel over IPSec Transport mode VPN to another host. I am using
Shorewall to configure iptables but the problem I am having isn't strictly
Shorewall specific. Using built-in Kernel 2.6.18 ipsec in transport mode
and GRE tunneling on top of that.
Shorewall makes rule in INPUT for each interface and each of those rules
points at an interface specific chain:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
367 32973 eth0_in all -- eth0 * 0.0.0.0/0
0.0.0.0/0
4 336 vpn1_in all -- vpn1 * 0.0.0.0/0
0.0.0.0/0
70 9768 vlan4_in all -- vlan4 * 0.0.0.0/0
0.0.0.0/0
32 3482 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
29 3248 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
29 3248 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Then the interface specific chain has a rule for any "zones" that it has
configurations for:
Chain vlan4_in (1 references)
pkts bytes target prot opt in out source
destination
31 3512 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
37 6072 inet2fw all -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
This shows that interface vlan4 has a configuration to match traffic from
the internet "zone" to the firewall "zone". And that chain has the rules
that corresponds to that configuration:
Chain inet2fw (2 references)
pkts bytes target prot opt in out source
destination
40 6520 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
1 152 ACCEPT esp -- * * 67.42.31.242
0.0.0.0/0
0 0 ACCEPT udp -- * * 67.42.31.242
0.0.0.0/0 udp dpt:500
1 112 ACCEPT 47 -- * * 67.42.31.242
0.0.0.0/0
0 0 inet2all all -- * * 0.0.0.0/0
0.0.0.0/0
Ok so the problem I have is that in the interface chain for the interface
that is connected to the internet Shorewall puts a policy match filter "--m
policy --dir in --pol none" When the ESP packets come in it matches that
policy because it is inbound. The GRE packet that gets excised from the ESP
begins again at INPUT but that packet does not match that rule for some
reason. At first I wasn't sure if this was by design or not so I manually
put in a jump rule without the policy match which worked good.
Once the actual data packet is then excised from the GRE packet it starts at
INPUT again but on the GRE tunnel virtual interface "vpn1". The "zone" rule
for this interface has the same policy match filter, but this time the
packet matches the "--m policy --dir in --pol none" match:
Chain vpn1_in (1 references)
pkts bytes target prot opt in out source
destination
4 336 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
4 336 evl2fw all -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
Chain evl2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Does this seem a little inconsistent or is this how it is supposed to work?
The only difference I see is that the ESP packet and the GRE packet that is
removed from it have the same inbound interface in common, and the data
packet in the GRE packet then switches to the vpn1 virtual interface.
Any input appreciated,
Josh
