2008/6/16 Jan Engelhardt <jengelh@xxxxxxxxxx>: > > On Monday 2008-06-16 14:09, mathieu wrote: > >> Hi, >> >> You need to authorize traffic and masquerade/SNAT connections and allow >> forwarding. >> >> Authorize : >> >> iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP >> --dport 500 -m state NEW, ESTABLISHED -j ACCEPT >> >> iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP >> --sport 500 -m state ESTABLISHED -j ACCEPT >> >> SNAT (change internal adress by a public one) : > > But only if you have a NAT. A firewall is not a NAT, and vice-versa. > > As such -p udp 500 and -p esp will be needed for a firewall; > and only -p udp 4500 for a NAT. Thanks for your help. I made it work by adding "500" after -p udp in the first command. Does this make a security risk? - Gergely -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
