Rule added, packets no longer forwarded across interfaces. What's wrong with my rule?

Hi everybody,
I'm using openswan for site to site vpns.  It creates an ipsec0
interface with a public ip address bound to it (xx.xx.xx.254), and
private subnets are routed, encrypted, through it.  I then have
OpenVPN running on tun0, with a private ip, and OpenVPN's dhcp server
gives connecting clients addresses in the same range.  Before I apply
my netfilter rules, packets are forwarded from one private subnet to
another, like so:
client(in 172.23.23.0/24) --openvpn--> tun0 -ip_forward-> ipsec0
--openswan--> destination private net (10.1.182.1/32).

Everything works.  Recently, however, the admin of the other side
(10.1.182.1) told me I had to use a different range on my end, as
another client of his was using 172.23.*.  I said fine, I can change
my clients to 172.25.25.0/24 -- but I have vpns to multiple places and
I don't really want to change the client IPs, I want to nat them again
if their destination is 10.1.182.1.

I picked up the bulk of these rules from a simple script that's been
working for me for a long time off some site.  The only thing I've
really added that makes it not work is:
-A POSTROUTING -s 10.1.182.1/32 -j SNAT --to 172.25.25.2
So I added the line to the rules I already had -- now I can still do
most things, but I can't ping any network that goes out the ipsec0
interface (even nets like 10.10.10.0/24 that have no rules on this
firewall!).  What am I doing wrong?

My rules:

#The NAT portion of the ruleset. Used for Network Address Translation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
#Change source of packets to site1
-A POSTROUTING -s 10.1.182.1/32 -j SNAT --to 172.25.25.2
COMMIT

#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]

#INPUT RULES
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#SSH SECTION
-A INPUT -p tcp -m tcp --dport 65324 -j LOG_ACCEPT

#OPENSWAN IPSEC site-to-site VPN ports
-A INPUT -p udp -m udp -d xx.xx.xx.254 --dport 500 -j LOG_ACCEPT
-A INPUT -p udp -m udp -d xx.xx.xx.254 --dport 4500 -j LOG_ACCEPT
-A INPUT -p 50 -d xx.xx.xx.254 -j LOG_ACCEPT
#OPENVPN
-A INPUT -p udp -m udp -d xx.xx.xx.254 --dport 1194 -j LOG_ACCEPT

#allow * on loopback
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
# Now drop everything we didn't allow in
-A INPUT -j LOG_DROP

#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 90 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p 50 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1025:65535 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1025:65535 -j ACCEPT
# Allow shell traceroutes to anywhere (replies come in as ICMP)
-A OUTPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Allow all loopback
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP

#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets,
# should we wish to log any accepted requests.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT

#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.
# 0 = echo reply, 3 = dest unreachable, 8 = echo request, 11 = timeout, 30 = traceroute reply
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -m limit --limit 2/second -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 30 -j ACCEPT
-A icmp_packets -p icmp -m icmp -j LOG_DROP
COMMIT

-----
Thanks for anyone who helps me out
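Two things in the posted ruleset decide the fate of a client packet on the tun0 -> ipsec0 path, and they are easier to see by tracing a packet than by reading the tables. First, the kernel runs the filter table's FORWARD chain before the nat table's POSTROUTING chain, and the posted *filter section sets `:FORWARD DROP` with no FORWARD rules at all, so every forwarded packet is dropped by policy, whatever nat does. Second, `-s 10.1.182.1/32` in POSTROUTING matches packets whose *source* is the remote host, not packets going *to* it; the client's own packets (source 172.23.23.x, destination 10.1.182.1) never match it, so they would leave unchanged even if FORWARD let them through. The model below is an added example, not the poster's script or anything from the netfilter project: it implements only the `-s`/`-d`/`-i`/`-o`/`-j` subset of iptables-save syntax, ignores `-p`, `-m state` and conntrack entirely (so the RELATED,ESTABLISHED rule a real ruleset also needs for the return direction is deliberately left out), and uses a constructed client address of 172.23.23.10.

```python
import ipaddress
import shlex
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    src: Optional[str] = None        # -s
    dst: Optional[str] = None        # -d
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    to_source: Optional[str] = None  # --to / --to-source for SNAT


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables-save syntax this model understands:
    -A CHAIN [-s NET] [-d NET] [-i IF] [-o IF] -j TARGET [--to[-source] ADDR].
    Any other option (-p, -m, --dport, ...) is skipped, not matched on."""
    toks = shlex.split(line)
    keys = {"-A": "chain", "-s": "src", "-d": "dst", "-i": "in_if",
            "-o": "out_if", "-j": "target", "--to": "to_source",
            "--to-source": "to_source"}
    fields = {}
    i = 0
    while i < len(toks):
        if toks[i] in keys:
            fields[keys[toks[i]]] = toks[i + 1]
            i += 2
        else:
            i += 1
    if "chain" not in fields or "target" not in fields:
        raise ValueError(f"rule needs -A and -j: {line!r}")
    return Rule(**fields)


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and rule.in_if in (None, pkt.in_if)
            and rule.out_if in (None, pkt.out_if))


def filter_forward(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching FORWARD rule gives the verdict; otherwise the chain policy."""
    for r in rules:
        if r.chain == "FORWARD" and matches(r, pkt):
            return r.target
    return policy


def nat_postrouting(rules: List[Rule], pkt: Packet) -> Packet:
    """First matching POSTROUTING rule applies; SNAT rewrites the source address."""
    for r in rules:
        if r.chain == "POSTROUTING" and matches(r, pkt):
            return replace(pkt, src=r.to_source) if r.target == "SNAT" else pkt
    return pkt


def forward_path(filter_rules: List[Rule], forward_policy: str,
                 nat_rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Same order as the kernel: filter FORWARD first, then nat POSTROUTING."""
    verdict = filter_forward(filter_rules, forward_policy, pkt)
    if verdict != "ACCEPT":
        return verdict, pkt
    return "ACCEPT", nat_postrouting(nat_rules, pkt)


# Constructed sample packet: an OpenVPN client talking to the remote site.
CLIENT_TO_SITE1 = Packet("172.23.23.10", "10.1.182.1", "tun0", "ipsec0")

# The post's nat rule, and its filter table as posted: FORWARD DROP, no FORWARD rules.
POSTED_NAT = [parse_rule("-A POSTROUTING -s 10.1.182.1/32 -j SNAT --to 172.25.25.2")]
POSTED_FILTER: List[Rule] = []
POSTED_FORWARD_POLICY = "DROP"

# Corrected fragments: SNAT keyed on the *destination* and leaving via ipsec0,
# plus an explicit FORWARD accept for the client subnet on that path.
FIXED_NAT = [parse_rule("-A POSTROUTING -s 172.23.23.0/24 -d 10.1.182.1/32 -o ipsec0 "
                        "-j SNAT --to-source 172.25.25.2")]
FIXED_FILTER = [parse_rule("-A FORWARD -i tun0 -o ipsec0 -s 172.23.23.0/24 -j ACCEPT")]


def posted_result() -> Tuple[str, Packet]:
    return forward_path(POSTED_FILTER, POSTED_FORWARD_POLICY, POSTED_NAT, CLIENT_TO_SITE1)


def fixed_result() -> Tuple[str, Packet]:
    return forward_path(FIXED_FILTER, "DROP", FIXED_NAT, CLIENT_TO_SITE1)


if __name__ == "__main__":
    print("posted ruleset:", posted_result())   # dropped by FORWARD policy, source untouched
    print("fixed ruleset: ", fixed_result())    # accepted, source rewritten to 172.25.25.2
```

Running it with the posted rules gives `('DROP', Packet(src='172.23.23.10', ...))`: the FORWARD policy drops the packet before nat is consulted, which is why destinations such as 10.10.10.0/24 with no rules of their own fail the same way. The same helper also shows that the posted `-s 10.1.182.1/32` rule does rewrite a packet whose source is 10.1.182.1 (the remote host's own new connections), i.e. the opposite direction from the one intended. With the corrected fragments the packet is accepted and leaves ipsec0 with source 172.25.25.2, while a packet to 10.10.10.5 is forwarded with its original source because the corrected SNAT rule is keyed on `-d 10.1.182.1/32`.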

