Traffic traverses OpenSwan tunnel, return traffic does not

I have a box with iptables on it (usually a good prerequisite for mailing this list) that has a public IP (munged) of 216.52.2.93. I'm attempting to build an IPsec tunnel between this box and a Fortinet 60C. I can send traffic across the IPsec link from the Fortigate (tcpdump shows it arriving properly), but the return packets (as well as anything else that I attempt to push over the tunnel) to 192.168.7.1 (the Fortigate) die at the default gateway (216.52.2.94) -- they're never entering the tunnel, and RFC1918 addresses don't route, obviously.

The iptables setup on this box is somewhat convoluted, hence my suspicions.  (I've stripped out a few rewrites that don't touch those networks and consistently munged the IPs for obvious reasons…)

Is this actually an iptables issue, or am I barking up the wrong tree?  iptables and routing table are below, please let me know if there's anything else I should provide.


root@bel:~# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  124.115.4.198        0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            1.2.3.4       state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            192.168.7.1         state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8822 
ACCEPT     udp  --  216.86.2.151       0.0.0.0/0           udp dpt:1194 
ACCEPT     udp  --  67.159.1.30        0.0.0.0/0           udp dpt:1194 
ACCEPT     udp  --  67.159.1.58        0.0.0.0/0           udp dpt:1194 
ACCEPT     udp  --  216.86.1.9         0.0.0.0/0           udp dpt:1194 
ACCEPT     udp  --  24.43.1.162        0.0.0.0/0           udp dpt:1194 
ACCEPT     all  --  0.0.0.0/0            192.168.7.0/24      
ACCEPT     all  --  0.0.0.0/0            192.168.7.1         
ACCEPT     udp  --  192.168.7.10         0.0.0.0/0           udp dpt:161 
ACCEPT     tcp  --  0.0.0.0/0            64.94.6.66        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            64.94.6.66        tcp dpt:443 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            10.8.0.0/24         
ACCEPT     all  --  0.0.0.0/0            192.168.7.0/24      
ACCEPT     all  --  0.0.0.0/0            192.168.8.0/24      state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            10.7.0.6            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21,25,53,80,123,443,993 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 53,123 
ACCEPT     udp  --  0.0.0.0/0            192.168.7.10        multiport dports 53,123 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.10        multiport dports 53,123 
ACCEPT     all  --  192.168.7.10         0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            192.168.7.0/24      state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.10        multiport dports 80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.42        multiport dports 8051 
ACCEPT     tcp  --  192.168.7.42         0.0.0.0/0           multiport dports 8051 
ACCEPT     tcp  --  192.168.7.42         0.0.0.0/0           tcp spt:8051 
ACCEPT     all  --  192.168.11.0/24      0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  216.52.2.94        0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.7.1          0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            192.168.8.0/24      
ACCEPT     all  --  0.0.0.0/0            10.7.0.6            
ACCEPT     udp  --  0.0.0.0/0            192.168.7.10        udp spt:161 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.31        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.32        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.33        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.34        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.35        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.37        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.38        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.39        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.40        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.41        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.42        tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.31        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.32        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.33        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.34        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.35        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.37        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.38        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.39        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.40        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.41        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.42        tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            192.168.7.42        tcp dpt:8051 

root@bel:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.7.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.7.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.8.0.0        10.7.0.2        255.255.255.0   UG        0 0          0 tun0
216.52.2.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.11.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.7.0.0        10.7.0.2        255.255.255.0   UG        0 0          0 tun0
192.168.8.0     10.7.0.2        255.255.255.0   UG        0 0          0 tun0
0.0.0.0         216.52.2.93   0.0.0.0         UG        0 0          0 eth0

eth0 is the public interface, eth1 is the internal interface, and tun0 is an OpenVPN server that doesn't factor into these issues, but I've included it for clarity.

-- Corey / KB1JWQ

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
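One thing a reader can check from the listing alone, before looking at the IPsec side, is which filter rules can ever fire: a chain is evaluated top to bottom, so a terminating rule that matches everything (such as the second INPUT rule and the first OUTPUT rule above, `ACCEPT all 0.0.0.0/0 0.0.0.0/0`) makes every later rule in that chain dead. The script below is an added example, not code from the original post or from the netfilter project; it parses `iptables -L -n` output and reports shadowed rules. The embedded sample is an abridged copy of the chains posted above, and the script assumes IPv4 addresses only and treats an earlier rule with an empty match column as matching everything its proto/source/destination allow.

```python
"""Flag unreachable rules in `iptables -L -n` output (shadow analysis).

A rule can never match if an earlier rule in the same chain with a
terminating target (ACCEPT/DROP/REJECT) already matches every packet the
later rule could match.  Assumptions: IPv4 only; an earlier rule with no
extra match text (the 'state ...' / 'tcp dpt:...' column) is treated as
matching everything its proto/src/dst allow.
"""
import ipaddress
import re

# Constructed sample: an abridged copy of the chains from the post.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  124.115.4.198        0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            1.2.3.4             state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8822

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.7.0/24
ACCEPT     all  --  0.0.0.0/0            192.168.7.0/24      state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.11.0/24      0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.7.1          0.0.0.0/0           state NEW,RELATED,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG, RETURN, etc. fall through


def parse_chains(text):
    """Return {chain_name: [rule dict, ...]} in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        fields = line.split(None, 5)  # target prot opt source destination [extra]
        target, prot, _opt, src, dst = fields[:5]
        extra = fields[5].strip() if len(fields) > 5 else ""
        chains[current].append({
            "target": target,
            "prot": prot,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "extra": extra,
            "line": line.strip(),
        })
    return chains


def covers(earlier, later):
    """True if every packet `later` could match is already taken by `earlier`."""
    if earlier["target"] not in TERMINATING:
        return False
    if earlier["prot"] not in ("all", later["prot"]):
        return False
    if not later["src"].subnet_of(earlier["src"]):
        return False
    if not later["dst"].subnet_of(earlier["dst"]):
        return False
    # Extra matches narrow a rule: an earlier rule with none, or with the
    # identical match text, covers the later one.  Anything else is unknown,
    # so we conservatively report "not covered".
    return earlier["extra"] in ("", later["extra"])


def find_shadowed(text):
    """Return (chain, rule_no, shadowed_by_rule_no, rule_text) for dead rules."""
    dead = []
    for chain, rules in parse_chains(text).items():
        for i, rule in enumerate(rules):
            for j in range(i):
                if covers(rules[j], rule):
                    dead.append((chain, i + 1, j + 1, rule["line"]))
                    break
    return dead


if __name__ == "__main__":
    for chain, n, by, line in find_shadowed(SAMPLE):
        print(f"{chain} rule {n} is unreachable (shadowed by rule {by}): {line}")
```

Run it against the full `iptables -L -n` output to get the complete list. Note that it only sees the filter table: the nat and mangle tables (`iptables -t nat -S`, `iptables -t mangle -S`) and the kernel's IPsec policies and SAs (`ip xfrm policy`, `ip xfrm state`) are not in the post, and with a NETKEY/xfrm stack a packet only "enters the tunnel" when it matches an installed xfrm policy, so those are the next things to look at for the missing return traffic.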