[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Rene Bartsch
ml at bartschnet.de
Sun Feb 13 16:34:13 CET 2011
On Sat, 12 Feb 2011 16:42:42 -0800, Daniel Mentz
<danielml+mailinglists.strongswan at sent.com> wrote:
> On 02/12/2011 12:30 PM, Rene Bartsch wrote:
>> My IPTables rules:
>>
>> *filter
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [86:9176]
>
> Hi Rene,
>
> not sure if this is relevant, but I think you're missing some iptables
> rules that allow the decrypted packets through. Your FORWARD chain is
> empty plus the default policy is DROP. Doesn't that mean that your box
> will decrypt the ESP packets but drop the payload shortly after?
>
> Take a look at my setup
>
> # IPsec
> # Allow traffic from and to subnet 10.110.11.0/24 through the IPSec tunnel.
> iptables -A FORWARD -s 10.110.11.0/24 -m policy --dir out --pol ipsec -j ACCEPT
> iptables -A FORWARD -d 10.110.11.0/24 -m policy --dir in --pol ipsec -j ACCEPT
The "leftfirewall=yes" option adds rules to the FORWARD chain automatically at the IPSec handshake:
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.177.0/24     192.168.176.0/24     policy match dir in pol ipsec reqid 16385 proto esp
ACCEPT     all  --  192.168.176.0/24     192.168.177.0/24     policy match dir out pol ipsec reqid 16385 proto esp
> # Accept traffic secured by ipsec
> iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
Allows Ping, but no other packets like HTTP, ...
> # Allow traffic through the IPSec tunnel.
> iptables -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
Default policy "ACCEPT".
> # Do not mess with packets coming over IPSec
> iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -j ACCEPT
> iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
The Fritzbox and the Ubuntu server use public IPs for the IPSec daemons; NAT-T may not be necessary.
> What were the results when troubleshooting using tcpdump? Can you
> configure iptables in a way such that it logs every dropped packet?
I added a LOG target as the last rule in the INPUT and FORWARD chains. Trying an HTTP request with wget dropped the following packets:
Feb 13 16:15:30 www kernel: [155830.694973] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10640 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:15:33 www kernel: [155833.701026] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10641 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:15:39 www kernel: [155839.716271] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10642 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:15:51 www kernel: [155851.749182] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10643 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:16:15 www kernel: [155875.813376] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10644 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:17:03 www kernel: [155923.877838] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10645 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:41 www kernel: [156021.008584] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22169 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:44 www kernel: [156024.015461] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22170 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:50 www kernel: [156030.023666] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22171 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
But why in INPUT chain?
Best regards,
Renne
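As an added example (not code from the thread or from strongSwan), a small parser for kernel iptables LOG lines like the ones above that records which chain dropped each packet and whether its destination is one of the host's own addresses, which is what decides INPUT versus FORWARD. It assumes 192.168.176.1 is the server's own LAN address, takes the tunnel's subnets from the FORWARD rules that leftfirewall=yes created, and the third log line is constructed so both chains appear.

```python
import ipaddress
import re

# Constructed sample: the first two entries are kernel LOG lines from the
# thread re-joined onto single lines; the third is a made-up FORWARD drop.
SAMPLE_LOG = """\
Feb 13 16:15:30 www kernel: [155830.694973] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10640 DF PROTO=TCP SPT=39744 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:18:41 www kernel: [156021.008584] DROP INPUT: IN=eth0 OUT= MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22169 DF PROTO=TCP SPT=53494 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 13 16:20:00 www kernel: [156100.000000] DROP FORWARD: IN=eth0 OUT=eth1 MAC=<myMAC> SRC=192.168.177.23 DST=192.168.176.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22200 DF PROTO=TCP SPT=53500 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumptions: tunnel traffic selectors (from the leftfirewall=yes FORWARD
# rules) and the server's own LAN address (assumed to be 192.168.176.1).
TUNNEL_SELECTORS = (ipaddress.ip_network("192.168.177.0/24"),
                    ipaddress.ip_network("192.168.176.0/24"))
LOCAL_ADDRS = {ipaddress.ip_address("192.168.176.1")}

# "<prefix>: " is the --log-prefix text, e.g. "DROP INPUT"; the rest is k=v.
LINE_RE = re.compile(r"kernel: \[[^\]]*\] (?P<prefix>[^:]+): (?P<fields>.*)$")

def parse_log_line(line):
    """Turn one iptables LOG line into a dict; return None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("prefix").split()[-1], "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)   # OUT= yields an empty value, as logged
            rec[k] = v
        else:
            rec["flags"].append(tok)   # DF, SYN, ACK ... carry no value
    return rec

def classify_drop(rec):
    """Summarise a dropped packet and the chain it had to traverse."""
    src, dst = ipaddress.ip_address(rec["SRC"]), ipaddress.ip_address(rec["DST"])
    local = dst in LOCAL_ADDRS
    return {
        "chain": rec["chain"], "proto": rec.get("PROTO"),
        "dport": int(rec["DPT"]) if "DPT" in rec else None,
        "syn": "SYN" in rec["flags"],
        "dst_is_local": local,
        "matches_tunnel_selectors": src in TUNNEL_SELECTORS[0] and dst in TUNNEL_SELECTORS[1],
        # A packet addressed to one of the host's own IPs is delivered
        # locally and so traverses INPUT, never FORWARD.
        "expected_chain": "INPUT" if local else "FORWARD",
    }

def analyse(log_text):
    recs = (parse_log_line(line) for line in log_text.splitlines())
    return [classify_drop(r) for r in recs if r]

if __name__ == "__main__":
    for result in analyse(SAMPLE_LOG):
        print(result)
```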