[strongSwan] connecting Linux Centos Box to Amazon VPC

Edvinas Kairys edvinas.email at gmail.com
Sat May 1 22:06:15 CEST 2021


As I dug more, it could be due to the marking being configured not on the
PREROUTING chain but on the INPUT chain. On Monday I will try to move the marking
to the PREROUTING chain.

Also, it's interesting why the connection works if the INPUT chain marking
doesn't.

On Sat, May 1, 2021 at 10:39 PM Edvinas Kairys <edvinas.email at gmail.com>
wrote:

> Hello,  (sorry, resend to all)
>
> Thanks for the opportunity to remind myself of the processing order of Linux
> iptables. The tables are below; I've bolded the places where 37.37.37.37
> (my Linux host) can be matched. As the theory says, Linux first consults the
> mangle INPUT chain, and only after that the filter table.
>
> So in mangle INPUT we have that set-xmark rule where no matching occurs.
> Later, in the filter table, I've made some 'protection' entries to allow only
> IPsec traffic to that IP address. Do you think those entries in the filter
> table can be the reason that the mangle table entries are not matched? As I
> understand it, that shouldn't be the case, because those filter table rules just
> accept the packet.
>
> Anyhow, how is it supposed to work if no match is occurring?
>
> Thanks !
>
> # Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
> *raw
> :PREROUTING ACCEPT [8243685689:8795975227546]
> :OUTPUT ACCEPT [2553871359:2092598753320]
> COMMIT
> # Completed on Sat May  1 20:43:46 2021
> # Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
> *security
> :INPUT ACCEPT [5496114822:5333472174263]
> :FORWARD ACCEPT [2747543338:3462497328147]
> :OUTPUT ACCEPT [2553871359:2092598753320]
> COMMIT
> # Completed on Sat May  1 20:43:46 2021
> # Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
> *mangle
> :PREROUTING ACCEPT [8243685131:8795975030291]
> :INPUT ACCEPT [5496114395:5333471981784]
> :FORWARD ACCEPT [2747543338:3462497328147]
> :OUTPUT ACCEPT [2553870669:2092598540842]
> :POSTROUTING ACCEPT [5354687244:5605322818820]
> -A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
> -A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
> -A FORWARD -o VTI_awssg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> -A FORWARD -o VTI_awssg2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Sat May  1 20:43:46 2021
> # Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
> *nat
> :PREROUTING ACCEPT [2301275:280879334]
> :INPUT ACCEPT [10207:14377342]
> :OUTPUT ACCEPT [6610:19206827]
> :POSTROUTING ACCEPT [2292533:266606871]
> -A PREROUTING -p tcp -m tcp --dport 1266 -j DNAT --to-destination 169.254.0.1:443
> -A POSTROUTING -s 10.130.0.0/16 -d 10.130.0.0/16 -o GRE_+ -m comment --comment 400_exclude_change_dc_source -j ACCEPT
> -A POSTROUTING -s 10.130.0.0/16 -d 10.0.0.0/8 -o GRE_+ -m comment --comment 450_change_dc_source -j SNAT --to-source 10.254.2.252
> -A POSTROUTING -d 169.254.0.1/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 169.254.0.2
> COMMIT
> # Completed on Sat May  1 20:43:46 2021
> # Generated by iptables-save v1.4.21 on Sat May  1 20:43:46 2021
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [304442349:255435349641]
> :OS2iDRAC - [0:0]
> -A INPUT -d 37.37.37.37/32 -m comment --comment 000 -m policy --dir in --pol ipsec -j ACCEPT
> -A INPUT -d 37.37.37.37/32 -p esp -m comment --comment 001 -j ACCEPT
> -A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 500 -m multiport --dports 500 -m comment --comment 002 -j ACCEPT
> -A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 4500 -m multiport --dports 4500 -m comment --comment 003 -j ACCEPT
> -A INPUT -d 37.37.37.37/32 -p icmp -m comment --comment 004 -j ACCEPT
> -A INPUT -d 37.37.37.37/32 -m comment --comment 005 -j DROP
> -A INPUT -m comment --comment 006 -j ACCEPT
> -A FORWARD -o GRE_+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "6.5_set_tcp_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360
> -A FORWARD -m comment --comment 007 -j ACCEPT
> COMMIT
> # Completed on Sat May  1 20:43:46 2021
>
>
>
> On Sat, May 1, 2021 at 1:51 PM Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>> Hi,
>>
>> Provide output of iptables-save please.
>>
>> Kind regards
>> Noel
>>
>> On 01.05.21 at 12:43, Edvinas Kairys wrote:
>> > Hello,
>> >
>> > I've established a BGP connection from my CentOS Linux box to Amazon VPC
>> > using this guide:
>> > https://www.edge-cloud.net/2019/07/18/aws-site-2-site-vpn-with-strongswan-frrouting/#strongswan-setup
>> >
>> > The only strange thing is that in the iptables mangle table I don't see
>> > any matches on the MARK function, which should set a MARK on incoming traffic.
>> > But IPsec is still working (at least for now); I don't know whether it is
>> > something I need to take care of or not:
>> >
>> > Chain INPUT (policy ACCEPT 207M packets, 207G bytes)
>> >  pkts bytes target  prot opt in  out         source          destination
>> >     0     0 MARK    esp  --  *   *           xx.xx.204.63    xx.xx.xx.251    MARK set 0x64
>> >     0     0 MARK    esp  --  *   *           xx.xx.121.249   xx.xx.xx.251    MARK set 0xc8
>> >
>> > Chain FORWARD (policy ACCEPT 100M packets, 131G bytes)
>> >  pkts bytes target  prot opt in  out         source          destination
>> > 78389 4702K TCPMSS  tcp  --  *   VTI_awssg1  0.0.0.0/0       0.0.0.0/0       tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>> >   807 48404 TCPMSS  tcp  --  *   VTI_awssg2  0.0.0.0/0       0.0.0.0/0       tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>> >
>> > Chain OUTPUT (policy ACCEPT 90M packets, 73G bytes)
>> >  pkts bytes target  prot opt in  out         source          destination
>> >
>> > Chain POSTROUTING (policy ACCEPT 192M packets, 205G bytes)
>> >  pkts bytes target  prot opt in  out         source          destination
>> >
>> > Any ideas ? Thanks.
>> >
>>
>>
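Added example, not part of the thread or of strongSwan: a small Python model of the traversal order discussed above (raw, mangle and nat PREROUTING, then mangle INPUT, then filter INPUT for a packet addressed to the host), run over a constructed subset of the posted ruleset. It parses the `iptables-save` format, walks a packet through the chains, applies `--set-xmark` and stops at the first terminating target, so you can see that an ESP packet from the AWS peer would hit the mangle MARK rule and then filter rule 001, while the same peer's traffic arriving as UDP/4500 (NAT-T) never matches a `-p esp` rule at all. The packet dicts, the `ipsec` flag standing in for `-m policy --pol ipsec`, and the zeroed counters are assumptions of this toy; conntrack, the security table, routing and the VTI/xfrm receive path are not modelled, so it does not explain the zero counters in the thread, only which rules the kernel would consult and in what order.

```python
"""Toy netfilter walk: which rules does an inbound, locally delivered packet hit,
in the order the kernel consults the tables?  Conntrack, the security table,
routing and the VTI/xfrm receive path are deliberately ignored."""
import ipaddress
import shlex

# Constructed subset of the iptables-save output posted in the thread (counters zeroed).
RULESET = """\
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -s 18.138.204.63/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A INPUT -s 54.169.121.249/32 -d 37.37.37.37/32 -p esp -j MARK --set-xmark 0xc8/0xffffffff
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -d 37.37.37.37/32 -m comment --comment 000 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p esp -m comment --comment 001 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 500 -m multiport --dports 500 -m comment --comment 002 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p udp -m multiport --sports 4500 -m multiport --dports 4500 -m comment --comment 003 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -p icmp -m comment --comment 004 -j ACCEPT
-A INPUT -d 37.37.37.37/32 -m comment --comment 005 -j DROP
-A INPUT -m comment --comment 006 -j ACCEPT
COMMIT
"""

# Table/chain order for a packet addressed to the host itself.
INPUT_PATH = [("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING"),
              ("mangle", "INPUT"), ("filter", "INPUT")]
MATCH_OPTS = {"-s", "-d", "-p", "-i", "-o", "--sport", "--dport", "--sports", "--dports", "--pol"}
SKIP_OPTS = {"-m", "--comment", "--dir"}   # one-value options irrelevant to matching here

def parse_rule(argv):
    """Turn the argv of one '-A CHAIN ...' line into {matches, target, xmark}."""
    rule, i = {"matches": {}, "target": None, "xmark": None}, 0
    while i < len(argv):
        tok, val = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if tok in MATCH_OPTS:
            rule["matches"][tok] = val
        elif tok == "-j":
            rule["target"] = val
        elif tok == "--set-xmark":            # hex value[/mask]
            value, _, mask = val.partition("/")
            rule["xmark"] = (int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF)
        elif tok not in SKIP_OPTS:
            raise ValueError(f"unsupported option {tok!r}")
        i += 2
    return rule

def parse_save(text):
    """Parse iptables-save text into {table: {chain: {"policy", "rules"}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table[chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            argv = shlex.split(line)[1:]
            table[argv[0]]["rules"].append(parse_rule(argv[1:]))
    return tables

def ports(spec):
    """Expand a multiport spec such as '500' or '1361:1541,4500' into a set of ports."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def rule_matches(rule, pkt):
    m = rule["matches"]
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in m and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(m[opt]):
            return False
    if "-p" in m and m["-p"] != pkt["proto"]:
        return False
    for opt, key in (("--sport", "sport"), ("--sports", "sport"), ("--dport", "dport"), ("--dports", "dport")):
        if opt in m and pkt.get(key) not in ports(m[opt]):
            return False
    # '-m policy --dir in --pol ipsec' matches only packets that came out of an IPsec SA.
    if "--pol" in m and (m["--pol"] == "ipsec") != pkt.get("ipsec", False):
        return False
    return True

def simulate(tables, pkt):
    """Return (verdict, final fwmark, [(table, chain, rule index, target), ...])."""
    mark, trace = 0, []
    for table, chain in INPUT_PATH:
        entry = tables.get(table, {}).get(chain)
        if entry is None:
            continue
        verdict = entry["policy"]
        for idx, rule in enumerate(entry["rules"]):
            if not rule_matches(rule, pkt):
                continue
            trace.append((table, chain, idx, rule["target"]))
            if rule["target"] == "MARK":             # non-terminating: keep walking the chain
                value, mask = rule["xmark"]           # --set-xmark semantics: (mark & ~mask) ^ value
                mark = ((mark & ~mask) ^ value) & 0xFFFFFFFF
            elif rule["target"] in ("ACCEPT", "DROP"):
                verdict = rule["target"]
                break                                 # terminating: leave this chain
        if verdict == "DROP":
            return verdict, mark, trace               # dropped; later tables never see it
    return "ACCEPT", mark, trace
```

Usage: `simulate(parse_save(RULESET), {"src": "18.138.204.63", "dst": "37.37.37.37", "proto": "esp"})` returns `("ACCEPT", 0x64, [("mangle", "INPUT", 0, "MARK"), ("filter", "INPUT", 1, "ACCEPT")])`; the same source sending UDP 4500 to 4500 returns mark 0 and only `("filter", "INPUT", 3, "ACCEPT")`. A real check on the box is still the counters: `iptables -t mangle -L INPUT -v -n -x` alongside `tcpdump -ni <iface> 'esp or udp port 4500'` tells you which of the two encapsulations the peer is actually sending.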