[strongSwan] firewall issue?

Noel Kuntze noel at familie-kuntze.de
Fri Jul 8 14:56:51 CEST 2016


Hello Harald,


> Maybe I am too blind to see, but I haven't found this in
> the wiki. This is the code I added to the forward chain:
>
> iptables -A FORWARD -s ${right_lan} -d ${left_lan}  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
> iptables -A FORWARD -s ${left_lan}  -d ${right_lan} -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
Correct, that is not explicitly written on the wiki, but I wrote something similar in "SecurityRecommendations".

> iptables -A FORWARD -d 10.0.0.0/8 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited

So the module should be known to anyone actually caring about understanding what it does, instead of blindly copying and pasting rules.

Your rule looks fine, if your routing table routes ${right_lan} over eth0. But please use iptables-save and -restore.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
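As an added example (not part of this thread, and not strongSwan's own code): the three FORWARD rules quoted above, rendered as an iptables-restore fragment so they can be loaded atomically with iptables-restore rather than appended one by one. The subnets and interface name are placeholders; the comments explain what the policy match does on each rule, including the fail-closed REJECT that stops cleartext forwarding when no IPsec policy covers the packet.

```shell
#!/bin/sh
# Added example: render the FORWARD rules from the thread as an iptables-restore
# fragment. Subnets and interface are hypothetical; override them via the
# environment to match your site.
LEFT_LAN="${LEFT_LAN:-10.1.0.0/24}"
RIGHT_LAN="${RIGHT_LAN:-10.2.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print a filter-table fragment for iptables-restore. Lines beginning with
# '#' are ignored by iptables-restore, so the explanations can stay in the file.
render_forward_rules() {
  cat <<EOF
*filter
# Traffic from the remote LAN is forwarded only if it arrived on ${WAN_IF}
# inside an IPsec ESP policy (--dir in): cleartext packets spoofing
# ${RIGHT_LAN} do not match and fall through to the chain policy.
-A FORWARD -s ${RIGHT_LAN} -d ${LEFT_LAN} -i ${WAN_IF} -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Traffic to the remote LAN is forwarded only if an outbound IPsec ESP policy
# (--dir out) will protect it on ${WAN_IF}.
-A FORWARD -s ${LEFT_LAN} -d ${RIGHT_LAN} -o ${WAN_IF} -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# Fail closed: anything heading for 10.0.0.0/8 with no IPsec policy at all
# (for example while the tunnel is down) is rejected instead of leaving in
# the clear.
-A FORWARD -d 10.0.0.0/8 -m policy --pol none --dir out -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Sanity checks on the rendered fragment, usable before loading it.
rule_count() { render_forward_rules | grep -c '^-A FORWARD'; }
has_cleartext_reject() { render_forward_rules | grep -q -- '--pol none --dir out -j REJECT'; }

# Usage (as root):
#   render_forward_rules > /etc/iptables/ipsec-forward.rules
#   iptables-restore --noflush < /etc/iptables/ipsec-forward.rules
#   iptables-save > /etc/iptables/rules.v4   # persist the full, loaded ruleset
```

The --noflush option keeps the rules you already have and only adds this fragment; once the whole ruleset is known to be good, iptables-save captures it in the same format for restoring at boot. As in the thread, the ACCEPT rules only help if the routing table actually sends ${RIGHT_LAN} out via ${WAN_IF}; otherwise the -i/-o match never fires.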

