Re: Ipsec and masquerading

On Tuesday 2010-03-30 21:01, Peter Kaagman wrote:
># Some vars
>ext_if="eth1"
>int_if="eth0"
>lo_if="lo"
>
># Init commands
># flush and clear all rules and reset counters
>
>iptables -F
>iptables -X
>iptables -Z
>iptables -t nat -F
>iptables -t nat -X
>iptables -t nat -Z

Use iptables-save, which is a lot faster than running through all of this.

># Allow esp, ah and key exchange

In practice you don't need AH when you already have ESP.

>iptables -A INPUT  -i $ext_if -p esp -s $remote -j ACCEPT
>iptables -A INPUT  -i $ext_if -p ah  -s $remote -j ACCEPT
>iptables -A OUTPUT  -o $ext_if -p esp -d $remote -j ACCEPT
>iptables -A OUTPUT  -o $ext_if -p ah  -d $remote -j ACCEPT
>iptables -A INPUT  -i $ext_if -p udp --sport 500 --dport 500 \
>         -s $remote -j ACCEPT
>iptables -A OUTPUT -o $ext_if -p udp --sport 500 --dport 500 \
>         -d $remote -j ACCEPT

IKE is on 4500 too.

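A complete ruleset along the lines discussed in this thread, as an added example that is not the poster's script: ESP without AH, IKE on UDP 500 and 4500, emitted in iptables-restore format so it loads atomically instead of rule by rule. The interface names and the 203.0.113.10 peer address are constructed placeholders, and the `-m policy` exemption that keeps IPsec-bound traffic out of MASQUERADE is my addition for the masquerading case named in the subject line.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for an IPsec gateway that also masquerades.
# Added example, not the poster's script: interface names and the peer address
# are placeholders; pipe the output into `iptables-restore` on the gateway.
ipsec_ruleset() {
    ext_if="$1"; int_if="$2"; remote="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ESP carries the encrypted payload; AH is not needed alongside it
-A INPUT -i $ext_if -p esp -s $remote -j ACCEPT
# IKE on UDP 500, and IKE plus ESP-in-UDP on 4500 when NAT traversal is in play
-A INPUT -i $ext_if -p udp -s $remote --dport 500 -j ACCEPT
-A INPUT -i $ext_if -p udp -s $remote --dport 4500 -j ACCEPT
# LAN to the outside, plus decrypted tunnel traffic arriving from the peer
-A FORWARD -i $int_if -o $ext_if -j ACCEPT
-A FORWARD -i $ext_if -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packets that will be wrapped in IPsec must keep their real source address,
# so exempt them before the catch-all MASQUERADE rule rewrites them
-A POSTROUTING -o $ext_if -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset for the constructed placeholder values
ipsec_ruleset eth1 eth0 203.0.113.10
```

Check the output, then load it with `iptables-restore < rules` on the gateway; the whole set is applied in one pass or not at all.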