[strongSwan] Fwd: connecting Linux Centos Box to Amazon VPC

Edvinas Kairys edvinas.email at gmail.com
Sat May 1 21:39:35 CEST 2021


Hello,  (sorry, resend to all)

Thanks for the opportunity to remind myself of the processing order of Linux
iptables. The tables are below; I've bolded the places where 37.37.37.37
(my Linux host) can be matched. As the theory says, Linux first consults
the mangle INPUT chain, and only after that the filter table.

So in mangle INPUT we have that set-xmark thing where no matching occurs.
Later in the filter table I've made some 'protection' entries to allow only
IPsec traffic to that IP address. Do you think those entries in the filter
table can be the reason the mangle table entries are not matched? As I
understand it, that shouldn't be the case, because those filter table rules
just accept the packet.

Anyhow, how is it supposed to work if no match is occurring?

Thanks !

# Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
*raw
:PREROUTING ACCEPT [8243685689:8795975227546]
:OUTPUT ACCEPT [2553871359:2092598753320]
COMMIT
# Completed on Sat May  1 20:43:46 2021
# Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
*security
:INPUT ACCEPT [5496114822:5333472174263]
:FORWARD ACCEPT [2747543338:3462497328147]
:OUTPUT ACCEPT [2553871359:2092598753320]
COMMIT
# Completed on Sat May  1 20:43:46 2021
# Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
*mangle
:PREROUTING ACCEPT [8243685131:8795975030291]
:INPUT ACCEPT [5496114395:5333471981784]
:FORWARD ACCEPT [2747543338:3462497328147]
:OUTPUT ACCEPT [2553870669:2092598540842]
:POSTROUTING ACCEPT [5354687244:5605322818820]
-A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
-A FORWARD -o VTI_awssg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o VTI_awssg2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat May  1 20:43:46 2021
# Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
*nat
:PREROUTING ACCEPT [2301275:280879334]
:INPUT ACCEPT [10207:14377342]
:OUTPUT ACCEPT [6610:19206827]
:POSTROUTING ACCEPT [2292533:266606871]
-A PREROUTING -p tcp -m tcp --dport 1266 -j DNAT --to-destination 169.254.0.1:443
-A POSTROUTING -s 10.130.0.0/16 -d 10.130.0.0/16 -o GRE_+ -m comment --comment 400_exclude_change_dc_source -j ACCEPT
-A POSTROUTING -s 10.130.0.0/16 -d 10.0.0.0/8 -o GRE_+ -m comment --comment 450_change_dc_source -j SNAT --to-source 10.254.2.252
-A POSTROUTING -d 169.254.0.1/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 169.254.0.2
COMMIT
# Completed on Sat May  1 20:43:46 2021
# Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [304442349:255435349641]
:OS2iDRAC - [0:0]
-A INPUT -d 37.37.37.37/32 -m comment --comment 000 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p esp -m comment --comment 001 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 500 -m multiport --dports 500 -m comment --comment 002 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 4500 -m multiport --dports 4500 -m comment --comment 003 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p icmp -m comment --comment 004 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -m comment --comment 005 -j DROP
-A INPUT -m comment --comment 006 -j ACCEPT
-A FORWARD -o GRE_+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "6.5_set_tcp_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360
-A FORWARD -m comment --comment 007 -j ACCEPT
COMMIT
# Completed on Sat May  1 20:43:46 2021



On Sat, May 1, 2021 at 1:51 PM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hi,
>
> Provide output of iptables-save please.
>
> Kind regards
> Noel
>
> Am 01.05.21 um 12:43 schrieb Edvinas Kairys:
> > Hello,
> >
> > I've established a BGP connection from my CentOS Linux box to Amazon VPC
> > using this guide:
> > https://www.edge-cloud.net/2019/07/18/aws-site-2-site-vpn-with-strongswan-frrouting/#strongswan-setup
> >
> > The only strange thing is that in the iptables mangle table I don't see
> > any matches on the MARK function which should set a MARK on incoming
> > traffic. But IPsec is still working (at least for now). I don't know if
> > it is something I need to take care of or not:
> >
> > Chain INPUT (policy ACCEPT 207M packets, 207G bytes)
> >  pkts bytes target  prot opt in  out         source         destination
> >     0     0 MARK    esp  --  *   *           xx.xx.204.63   xx.xx.xx.251  MARK set 0x64
> >     0     0 MARK    esp  --  *   *           xx.xx.121.249  xx.xx.xx.251  MARK set 0xc8
> >
> > Chain FORWARD (policy ACCEPT 100M packets, 131G bytes)
> >  pkts bytes target  prot opt in  out         source         destination
> > 78389 4702K TCPMSS  tcp  --  *   VTI_awssg1  0.0.0.0/0      0.0.0.0/0     tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> >   807 48404 TCPMSS  tcp  --  *   VTI_awssg2  0.0.0.0/0      0.0.0.0/0     tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> >
> > Chain OUTPUT (policy ACCEPT 90M packets, 73G bytes)
> >  pkts bytes target  prot opt in  out         source         destination
> >
> > Chain POSTROUTING (policy ACCEPT 192M packets, 205G bytes)
> >  pkts bytes target  prot opt in  out         source         destination
> >
> > Any ideas ? Thanks.
> >
>
>
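An added example, not part of the thread and not strongSwan code, to make the processing-order point concrete: a small Python walker that parses an iptables-save dump and lists which rules a given packet hits on its way to local delivery, in Netfilter's order (raw, mangle and nat PREROUTING, then mangle INPUT, filter INPUT, security INPUT, nat INPUT). The dump inside it is a constructed, trimmed copy of the mangle and filter INPUT chains posted above; the packet model, the limited option coverage and the `ipsec_in` flag are simplifications assumed for the example. It also shows one general caveat a `-p esp` rule cannot get around: when IKE has negotiated NAT traversal the ESP payload arrives inside UDP port 4500, so at the Netfilter hooks it is a UDP packet that matches the udp/4500 rule but never a `-p esp` MARK rule. Whether that is what happens on the poster's box is not something the thread shows.

```python
"""Walk a packet through the INPUT path of an iptables-save dump.

Added example, not code from the thread or from strongSwan. A packet
delivered to the local host meets raw, mangle and nat PREROUTING first,
then mangle INPUT, then filter INPUT, then security and nat INPUT. A
terminating target ends only the chain it sits in; DROP/REJECT end the
walk. The rule set is a constructed, trimmed copy of the dump posted in
the thread. The packet model is a hypothetical simplification: it knows
-s/-d/-p/-i/-o, --dport/--sport (plain and multiport comma lists) and
'-m policy --dir in --pol ipsec'; any other option makes the rule
undecidable and the walker reports that instead of guessing.
"""
import ipaddress
import shlex

# Built-in chains a locally delivered packet traverses, in order.
INPUT_PATH = [("raw", "PREROUTING"), ("mangle", "PREROUTING"),
              ("nat", "PREROUTING"), ("mangle", "INPUT"),
              ("filter", "INPUT"), ("security", "INPUT"), ("nat", "INPUT")]
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}
OPT_ARG = {"-s", "-d", "-p", "-i", "-o", "-j", "--set-xmark", "--comment",
           "--dir", "--pol"}
PORT_OPTS = {"--dport": "dport", "--dports": "dport",
             "--sport": "sport", "--sports": "sport"}

# Constructed sample: the mangle and filter INPUT chains from the thread.
SAMPLE_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -d 37.37.37.37/32 -m comment --comment 000 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p esp -m comment --comment 001 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 500 -m multiport --dports 500 -m comment --comment 002 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 4500 -m multiport --dports 4500 -m comment --comment 003 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p icmp -m comment --comment 004 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -m comment --comment 005 -j DROP
-A INPUT -m comment --comment 006 -j ACCEPT
COMMIT
"""


def parse_save(text):
    """Parse iptables-save output into {table: {chain: [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"raw": line, "unknown": []}
            i = 2
            while i < len(tok):
                opt = tok[i]
                if opt == "-m":               # extension name; its options follow
                    i += 2
                elif opt in OPT_ARG:
                    rule[opt] = tok[i + 1]
                    i += 2
                elif opt in PORT_OPTS:        # comma lists only, no ranges
                    rule[PORT_OPTS[opt]] = {int(p) for p in tok[i + 1].split(",")}
                    i += 2
                else:                         # '!', --tcp-flags, --mss, ...
                    rule["unknown"].append(opt)
                    i += 1
            table.setdefault(tok[1], []).append(rule)
    return tables


def matches(rule, pkt):
    """True/False, or None when the rule uses an option we do not model."""
    if rule["unknown"]:
        return None
    checks = [
        ("-s", lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False)),
        ("-d", lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False)),
        ("-p", lambda v: pkt["proto"] == v),
        ("-i", lambda v: pkt.get("iif") == v),
        ("-o", lambda v: pkt.get("oif") == v),
        ("dport", lambda v: pkt.get("dport") in v),
        ("sport", lambda v: pkt.get("sport") in v),
        # '-m policy --pol ipsec' is true only for a packet that came out of
        # the kernel's IPsec input path; 'ipsec_in' models that flag.
        ("--pol", lambda v: pkt.get("ipsec_in", False) == (v == "ipsec")),
    ]
    return all(fn(rule[k]) for k, fn in checks if k in rule)


def walk_input(tables, pkt):
    """Return the rules the packet hits as (table, chain, target, comment-or-mark)."""
    hits = []
    for table, chain in INPUT_PATH:
        for rule in tables.get(table, {}).get(chain, []):
            m = matches(rule, pkt)
            if m is None:
                hits.append((table, chain, "UNDECIDABLE", rule["raw"]))
                continue
            if not m:
                continue
            hits.append((table, chain, rule["-j"],
                         rule.get("--comment", rule.get("--set-xmark", ""))))
            if rule["-j"] in ("DROP", "REJECT"):
                return hits           # packet is gone; nothing later runs
            if rule["-j"] in TERMINAL:
                break                 # ACCEPT/RETURN end this chain only
    return hits


if __name__ == "__main__":
    tables = parse_save(SAMPLE_SAVE)
    esp = {"src": "18.138.204.63", "dst": "37.37.37.37", "proto": "esp"}
    natt = {"src": "18.138.204.63", "dst": "37.37.37.37", "proto": "udp",
            "sport": 4500, "dport": 4500}
    for name, pkt in (("plain ESP", esp), ("ESP inside UDP/4500 (NAT-T)", natt)):
        print(name)
        for hit in walk_input(tables, pkt):
            print("  ", hit)
```

Run as a script it prints both walks; `walk_input` returns the hits as tuples so they can be checked programmatically. An ACCEPT in filter INPUT ends only that chain, which is why the walker carries on into security and nat INPUT, and why filter rules cannot stop an earlier mangle INPUT rule from matching: the mangle chain has already run by the time filter INPUT sees the packet.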

