ipsec+iptables+2.4x

Martin Dvorak martin.dvorak at jasnet.cz
Tue Jun 22 15:54:23 CEST 2004


hi,
I have openswan 2.1.2 on the firewall and a Cisco on the other side, which I cannot change.
The configuration is:
config setup
         interfaces="ipsec0=eth1"
         klipsdebug=all
         plutodebug=all

conn office
         type=tunnel
         left=213.226.240.xxx
         leftsubnet=192.168.0.1/24
         leftfirewall=yes
         right=213.237.228.yyy
         rightsubnet=10.44.0.0/24
         esp=3des-md5-96
         keyexchange=ike
         pfs=yes
         authby=secret
         auto=add

eth1 - 213.226.240.xxx
eth0 - 192.168.0.1

it reports this:
STATE_MAIN_I4: ISAKMP SA established
002 "office" #23: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#22}
112 "office" #23: STATE_QUICK_I1: initiate
003 "office" #23: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
002 "office" #23: up-client output: Generic IP Firewall Chains not in this kernel
003 "office" #23: up-client command exited with status 1

test iptables:
iptables -A INPUT -p ALL -i lo -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --source-port 500 -j ACCEPT    # IKE from the peer
iptables -A INPUT -p 50 -i eth1 -j ACCEPT                       # ESP
iptables -A INPUT -p 51 -i eth1 -j ACCEPT                       # AH
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ipsec0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i ipsec0 --source-port 500 -j ACCEPT
iptables -A INPUT -p 50 -i ipsec0 -j ACCEPT
iptables -A INPUT -p 51 -i ipsec0 -j ACCEPT

iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 213.226.240.xxx -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT

iptables -A FORWARD -i eth0 -j ACCEPT                           # LAN out, anywhere
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ipsec0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT   # decrypted traffic to the LAN

I'm trying to google some sensible information; by now I'm not even sure whether my rules are right.
Does anyone have a sensible idea? I'm pretty much drowning in this. thanks
martik
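The "Generic IP Firewall Chains not in this kernel" line in the log above is the error ipchains prints on a kernel built without ipchains support. The firewall handling that leftfirewall=yes switches on in the stock Openswan 2.x updown script is inherited from FreeS/WAN and still calls ipchains, so on an iptables-only 2.4 kernel the up-client step fails even though both SAs negotiated fine. The way round it is either leftfirewall=no with static rules like the ones posted, or a leftupdown= script that does the same job with iptables. The script below is such a replacement, added here as an example; it is not from the original post and is not part of Openswan. It assumes the KLIPS layout in the post (cleartext on ipsec0, ESP on eth1), an install path of /etc/ipsec.d/updown-iptables chosen for the example, and that the stock script is reachable as `ipsec _updown`, which is Openswan's documented default for leftupdown.

```shell
#!/bin/sh
# updown-iptables: a leftupdown= replacement for Openswan 2.x on a KLIPS
# (ipsec0) 2.4 kernel.  Adds per-connection FORWARD rules with iptables
# instead of the ipchains call the stock firewall handling makes, then
# hands routing off to the stock script.  Example code, not Openswan's own.
#
# Assumed ipsec.conf:   leftfirewall=no
#                       leftupdown=/etc/ipsec.d/updown-iptables   (assumed path)
#
# Pluto exports PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT and
# PLUTO_PEER_CLIENT (among others) to whatever script leftupdown= names.

IPTABLES=${IPTABLES:-iptables}          # IPTABLES="echo iptables" dry-runs

# fw_rules VERB IFACE MY_CLIENT PEER_CLIENT
# Print one iptables argument list per line for the firewall side of VERB:
# insert on up-client, delete on down-client, nothing for the routing-only
# verbs (prepare-*, route-*, unroute-*, *-host).
fw_rules() {
    verb=$1 iface=$2 mine=$3 peer=$4
    case $verb in
        up-client)   op=-I ;;
        down-client) op=-D ;;
        *)           return 0 ;;
    esac
    # KLIPS hands decrypted packets to the stack on the ipsec interface and
    # takes outbound packets for the peer from it, so both directions can be
    # pinned to exactly the subnets Pluto negotiated: the tunnel then cannot
    # be used to reach, or to spoof, anything outside leftsubnet/rightsubnet.
    printf '%s\n' \
        "$op FORWARD -i $iface -s $peer -d $mine -j ACCEPT" \
        "$op FORWARD -o $iface -s $mine -d $peer -j ACCEPT"
}

# apply_rules VERB IFACE MY_CLIENT PEER_CLIENT
# Run every rule from fw_rules; stop at the first failure so the problem
# shows up in Pluto's log as "up-client output: ..." instead of passing
# silently with half the rules in place.
apply_rules() {
    fw_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        $IPTABLES $rule || exit 1
    done
}

# Entry point when Pluto invokes the script (PLUTO_VERB is set).  Nothing
# below runs when the file is sourced, which is how the functions above can
# be checked on a box without KLIPS or root.
if [ -n "${PLUTO_VERB:-}" ]; then
    case $PLUTO_VERB in
        up-client)
            # route first, then open the firewall for it
            ipsec _updown && apply_rules "$PLUTO_VERB" "$PLUTO_INTERFACE" \
                                         "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT"
            ;;
        down-client)
            # close the firewall first, then withdraw the route
            apply_rules "$PLUTO_VERB" "$PLUTO_INTERFACE" \
                        "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT"
            ipsec _updown
            ;;
        *)
            exec ipsec _updown      # routing-only verbs: stock behaviour
            ;;
    esac
fi
```

Pluto passes the inputs in the environment, so the FORWARD rules follow whatever subnets were actually negotiated rather than being typed by hand, and `ipsec _updown` is still run for routing so nothing else changes. Two things worth checking against the posted rule set: with KLIPS the tunnel's own ESP (protocol 50), AH (51) and IKE (UDP 500) arrive on eth1, and only the decrypted cleartext appears on ipsec0, so the INPUT rules for 50, 51 and UDP 500 on ipsec0 do nothing for this tunnel; and the example's rules are narrower than the posted `FORWARD -i ipsec0 -o eth0` line, since they bind the tunnel to its two subnets in both directions.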


More information about the Linux mailing list