On 06.07.2009 06:27, Martin wrote:
> 2009/7/4 Eray Aslan <eray.aslan@xxxxxxxxxx <mailto:eray.aslan@xxxxxxxxxx>>
>
> > On 04.07.2009 03:21, Martin wrote:
> > [...]
> > > Any suggestions on how to allow connections on udp 1701 only to connections
> > > previously authenticated by ipsec?
> >
> > On the openswan machine, mark the ESP packets and accept only marked
> > packets to the l2tpd daemon:
> >
> > # iptables -t mangle -A PREROUTING -i $EXT_INT -p 50 -j MARK --set-mark 1
> > # iptables -A INPUT -i $EXT_INT -m mark --mark 1 -j ACCEPT
> > # iptables -A INPUT -i $EXT_INT -p udp --dport 1701 -j DROP
>
> Thanks for the reply Eray.
>
> Sadly, that doesn't seem to work, or at least I don't see any packet
> being marked using "iptables -L -n -v -t mangle"
>
> Can there be something else or anything that I'm missing?

Better to reply on-list. Others might help / correct the given advice.

If counters do not increase, you need to figure out why esp packets do not match the marking line. Perhaps try logging all packets in mangle/PREROUTING for a short while and compare.

-- 
Eray
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
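The diagnostic Eray suggests (take the counters before and after some traffic, and see whether the MARK rule is matching at all) is easy to get wrong by eye when the chain has several rules. The following Python script is an added example, not code from the thread or from the netfilter project: it parses two snapshots of `iptables -t mangle -L PREROUTING -n -v -x` (the `-x` flag prints exact rather than abbreviated counters) and reports the per-rule packet deltas, flagging whether the `MARK` rule for ESP ever fired. The snapshot text below is constructed to mimic the listing format and is not captured from a real host; the chain contents (one MARK rule, one LOG rule) are an assumption for the illustration.

```python
"""Compare two snapshots of `iptables -t mangle -L PREROUTING -n -v -x`
and report which rules saw traffic in between.

Added example for the netfilter thread above; not part of the thread.
"""
import re

# Columns printed by `iptables -L -n -v -x`:
#   pkts bytes target prot opt in out source destination [match/target details]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s*(?P<extra>.*)$"
)

# Constructed sample listings (same rule set, taken a short while apart).
# The MARK rule never matches here, which is the symptom described in the thread.
SNAPSHOT_BEFORE = """\
Chain PREROUTING (policy ACCEPT 12345 packets, 6789012 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
     120      15360 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
"""
SNAPSHOT_AFTER = """\
Chain PREROUTING (policy ACCEPT 12990 packets, 7101230 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
     347      44416 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
"""
# A constructed "healthy" snapshot where ESP packets did hit the MARK rule.
SNAPSHOT_AFTER_OK = """\
Chain PREROUTING (policy ACCEPT 12990 packets, 7101230 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       5880 MARK       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
     347      44416 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
"""


def parse_counters(listing):
    """Return [(rule description, packet counter), ...] in chain order.

    Chain headers and the column header line do not start with a number
    and are skipped.
    """
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        desc = "{target} {prot} in={in_} out={out} {src}->{dst} {extra}".format(
            target=m.group("target"), prot=m.group("prot"), in_=m.group("in"),
            out=m.group("out"), src=m.group("src"), dst=m.group("dst"),
            extra=m.group("extra").strip(),
        ).strip()
        rules.append((desc, int(m.group("pkts"))))
    return rules


def counter_deltas(before, after):
    """Per-rule packet deltas between two snapshots of the same chain."""
    b, a = parse_counters(before), parse_counters(after)
    if len(a) != len(b):
        # Rules were added or removed in between; positions no longer line up.
        raise ValueError("rule count changed between snapshots; retake both")
    return [(desc_a, pk_a - pk_b) for (_, pk_b), (desc_a, pk_a) in zip(b, a)]


def mark_rule_matched(before, after, target="MARK"):
    """True if any rule with the given target saw packets between snapshots."""
    return any(delta > 0 for desc, delta in counter_deltas(before, after)
               if desc.startswith(target + " "))


def report(before, after):
    """Human-readable summary of the deltas (returned, so it can be checked)."""
    lines = ["%8d  %s" % (delta, desc) for desc, delta in counter_deltas(before, after)]
    verdict = "MARK rule matched" if mark_rule_matched(before, after) else \
              "MARK rule never matched: ESP packets are not hitting it"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    print(report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Run it against real output by saving two listings to files and passing their contents to `report`. A zero delta on the MARK rule while the LOG rule (or the chain policy counter) keeps climbing is exactly the case Eray describes: traffic is reaching the chain, but none of it matches the ESP/protocol-50 line, so the next step is to log everything in mangle/PREROUTING briefly and compare what actually arrives.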