[strongSwan] StrongSWAN and AVM Fritzbox - Help!
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Sun Feb 13 19:55:07 CET 2011
On 02/13/2011 08:49 AM, Rene Bartsch wrote:
> After removing "leftfirewall=yes" from ipsec.conf and adding the incoming
> FORWARD rule created by "leftfirewall=yes" to the INPUT chain manually, it
> seems to work.
That's strange. Can you save the output of "iptables-save" in both cases
and run a diff against both files to see what the difference is?
To avoid unsecured packets leaking from the VPN gateway, I use the following
rules.
# IPsec
# Allow traffic from and to subnet 10.111.11.0/24 through the IPSec tunnel.
iptables -A FORWARD -s 10.111.11.0/24 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -d 10.111.11.0/24 -m policy --dir in --pol ipsec -j ACCEPT
# Do not forward packets to private ip addresses to the internet
iptables -A FORWARD -d 192.168.0.0/255.255.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -d 172.16.0.0/255.240.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
iptables -A FORWARD -d 10.0.0.0/255.0.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
The first rule permits traffic which is secured by IPsec. Rules 3
through 5 make sure that traffic that is not secured by IPsec and is
destined for private IP addresses will be rejected. This is important
in case IPsec is down.
> -A INPUT -d xxx.xxx.xxx.102 -m policy --dir in --pol ipsec
> -m comment --comment "ACCEPT IPSec secured packets" -j ACCEPT
I believe that this rule does not make sense since the dest. addr (-d
a.b.c.d) should be the dest addr of the plaintext packet.
xxx.xxx.xxx.102 is probably your public IP address and the dest addr of
the ESP packet.
-Daniel
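An added audit script (not part of the original mail, and not strongSwan's own code) for the leak-prevention idea above: it runs over a constructed iptables-save excerpt and flags FORWARD ACCEPT rules that touch RFC1918 space without the "-m policy --pol ipsec" match, then checks that every private range has a REJECT fallback on the egress interface. The sample rule set and the function names are assumptions for this example.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not from the original mail). It copies
# the rules from the mail and adds one deliberately bad ACCEPT rule that
# lacks the IPsec policy match, so plaintext traffic could leak.
SAMPLE_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.111.11.0/24 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -d 10.111.11.0/24 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -d 10.111.11.0/24 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
-A FORWARD -d 172.16.0.0/255.240.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
-A FORWARD -d 10.0.0.0/255.0.0.0 -o ppp0 -j REJECT --reject-with icmp-net-unreachable
COMMIT'

# Print every FORWARD ACCEPT rule whose source or destination is RFC1918
# space but which is not restricted to IPsec-protected packets.
# Prints nothing when the rule set is clean.
unprotected_private_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / && / -j ACCEPT/ &&
        /(-s|-d) (10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/ &&
        !/-m policy .*--pol ipsec/'
}

# Return 0 when each RFC1918 range has a REJECT fallback on the given
# egress interface (the "IPsec is down" safety net), 1 otherwise.
has_rfc1918_fallback() {
    rules=$1; dev=$2; missing=0
    for net in 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0; do
        printf '%s\n' "$rules" | grep -q -- "-A FORWARD -d $net -o $dev -j REJECT" \
            || { echo "missing REJECT fallback for $net on $dev"; missing=1; }
    done
    return $missing
}

# Run the audit against the constructed sample; on a real gateway feed it
# "$(iptables-save)" instead.
unprotected_private_accepts "$SAMPLE_RULES"
has_rfc1918_fallback "$SAMPLE_RULES" ppp0 || echo "fallback rules incomplete"
```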