[strongSwan] IPtables settings

cristiant at newro.co cristiant at newro.co
Mon Jan 13 15:25:28 CET 2020


These are the outputs:

ip address show:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel 
state UP group default qlen 1000
     link/ether 90:1b:0e:cd:02:38 brd ff:ff:ff:ff:ff:ff
     inet 111.111.111.45/32 scope global enp0s31f6
        valid_lft forever preferred_lft forever
     inet6 2a01:4f8:10b:1e52::2/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::921b:eff:fecd:238/64 scope link
        valid_lft forever preferred_lft forever
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue 
state UP group default qlen 1000
     link/ether 52:54:00:93:0a:59 brd ff:ff:ff:ff:ff:ff
     inet 172.16.11.1/24 brd 172.16.11.255 scope global virbr0
        valid_lft forever preferred_lft forever
6: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master 
virbr0 state DOWN group default qlen 1000
     link/ether 52:54:00:93:0a:59 brd ff:ff:ff:ff:ff:ff
15: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel 
master virbr0 state UNKNOWN group default qlen 1000
     link/ether fe:54:00:8c:00:b0 brd ff:ff:ff:ff:ff:ff
     inet6 fe80::fc54:ff:fe8c:b0/64 scope link
        valid_lft forever preferred_lft forever
17: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel 
master virbr0 state UNKNOWN group default qlen 1000
     link/ether fe:54:00:77:97:da brd ff:ff:ff:ff:ff:ff
     inet6 fe80::fc54:ff:fe77:97da/64 scope link
        valid_lft forever preferred_lft forever
18: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel 
master virbr0 state UNKNOWN group default qlen 1000
     link/ether fe:54:00:2f:da:f7 brd ff:ff:ff:ff:ff:ff
     inet6 fe80::fc54:ff:fe2f:daf7/64 scope link
        valid_lft forever preferred_lft forever
20: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel 
master virbr0 state UNKNOWN group default qlen 1000
     link/ether fe:54:00:d8:6b:9c brd ff:ff:ff:ff:ff:ff
     inet6 fe80::fc54:ff:fed8:6b9c/64 scope link
        valid_lft forever preferred_lft forever
24: vnet4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel 
master virbr0 state UNKNOWN group default qlen 1000
     link/ether fe:54:00:8b:11:01 brd ff:ff:ff:ff:ff:ff
     inet6 fe80::fc54:ff:fe8b:1101/64 scope link
        valid_lft forever preferred_lft forever

ip rule show:

0:    from all lookup local
220:    from all lookup 220
32766:    from all lookup main
32767:    from all lookup default

ip route show:

default via 94.130.33.1 dev enp0s31f6 proto static onlink
172.16.11.0/24 dev virbr0 proto kernel scope link src 172.16.11.1

ip xfrm policy:

src 172.16.11.0/24 dst 172.16.15.0/24
     dir out priority 375423
     tmpl src 111.111.111.45 dst 222.222.222.210
         proto esp spi 0xcf7a5c82 reqid 155 mode tunnel
src 172.16.15.0/24 dst 172.16.11.0/24
     dir fwd priority 375423
     tmpl src 222.222.22.210 dst 111.111.111.45
         proto esp reqid 155 mode tunnel
src 172.16.15.0/24 dst 172.16.11.0/24
     dir in priority 375423
     tmpl src 222.222.222.210 dst 111.111.111.45
         proto esp reqid 155 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
     socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
     socket out priority 0
src ::/0 dst ::/0
     socket in priority 0
src ::/0 dst ::/0
     socket out priority 0
src ::/0 dst ::/0
     socket in priority 0
src ::/0 dst ::/0
     socket out priority 0

iptables-save:

# Generated by iptables-save v1.6.1 on Mon Jan 13 15:22:08 2020
*mangle
:PREROUTING ACCEPT [179637:49105461]
:INPUT ACCEPT [60133:4534295]
:FORWARD ACCEPT [119504:44571166]
:OUTPUT ACCEPT [59024:4496161]
:POSTROUTING ACCEPT [178528:49067327]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM 
--checksum-fill
COMMIT
# Completed on Mon Jan 13 15:22:08 2020
# Generated by iptables-save v1.6.1 on Mon Jan 13 15:22:08 2020
*nat
:PREROUTING ACCEPT [19436:1165101]
:INPUT ACCEPT [10882:651597]
:OUTPUT ACCEPT [428:29825]
:POSTROUTING ACCEPT [1036:65961]
-A PREROUTING -d 94.130.33.45/32 -p tcp -m tcp --dport 443 -j DNAT 
--to-destination 172.16.11.10:443
-A PREROUTING -d 94.130.33.45/32 -p tcp -m tcp --dport 80 -j DNAT 
--to-destination 172.16.11.10:80
-A PREROUTING -d 94.130.33.45/32 -p tcp -m tcp --dport 10051 -j DNAT 
--to-destination 172.16.11.11:10051
-A PREROUTING -d 94.130.33.45/32 -p tcp -m tcp --dport 10050 -j DNAT 
--to-destination 172.16.11.11:10050
-A POSTROUTING -s 172.16.11.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 172.16.11.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 172.16.11.0/24 ! -d 172.16.11.0/24 -p tcp -j 
MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 172.16.11.0/24 ! -d 172.16.11.0/24 -p udp -j 
MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 172.16.11.0/24 ! -d 172.16.11.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jan 13 15:22:08 2020
# Generated by iptables-save v1.6.1 on Mon Jan 13 15:22:08 2020
*filter
:INPUT ACCEPT [52012:3906961]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51589:3926124]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -d 94.130.33.45/32 -p icmp -m icmp --icmp-type 8 -m state 
--state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.16.11.0/24 -m state --state NEW,RELATED,ESTABLISHED -j 
ACCEPT
-A FORWARD -d 172.16.11.0/24 -o virbr0 -m conntrack --ctstate 
RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.16.11.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -s 94.130.33.45/32 -p icmp -m icmp --icmp-type 0 -m state 
--state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT


strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
         load_modular = yes
         plugins {
                 include strongswan.d/charon/*.conf
         }
}

include strongswan.d/*.conf


On 1/13/20 4:15 PM, Felipe Arturo Polanco wrote:
> ip address show

