[strongSwan] Help with setup

Michael Deignan michael.p.deignan at gmail.com
Tue Feb 1 21:27:29 CET 2022


Hello Rajiv, thanks for the suggestions.

I added your suggested rules at the start of each chain. I also opted to
add another rule at the bottom of the chain, so I could see if in fact
anything was being rejected.

-A INPUT -j LOG --log-prefix "IPv4-In-Drop: "
-A INPUT -j DROP

Once I added the log statement, I can see packets being dropped in my
syslog:

Feb  1 15:13:23 WorkRouter kernel: IPv4-In-Drop: IN=Internet OUT=
MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.254
DST=192.168.126.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37930 DF PROTO=ICMP
TYPE=8 CODE=0 ID=23320 SEQ=25

At this point I added similar logging rules to both the OUTPUT and FORWARD
chains so I could see any forward or output drops.

I also added

-A INPUT -s 192.168.127.0/24 -d 192.168.126.0/24 -j ACCEPT

to the input chain. I also added similar rules on the home router for
logging and the reverse traffic flow.

Sadly, this had the effect of making the input reject logging messages
disappear on the ping, but there were no further logging messages about
rejected packets, despite still not being able to ping or ssh, etc. from
one subnet to the other.

I think I am getting closer, but obviously I am still missing something,
somewhere to tie it all together.
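To make the LOG rules described above easier to read, here is an added Python example (not part of this thread) that parses the kernel log lines the iptables LOG target emits and counts drops per chain prefix, source, destination and protocol. The sample lines are constructed; the "IPv4-Fwd-Drop" prefix is an assumed name for the FORWARD-chain rule, since only the INPUT prefix appears in the message.

```python
import re
from collections import Counter

# Constructed sample syslog lines. The first mirrors the line quoted in the
# message; "IPv4-Fwd-Drop" is an assumed prefix for the FORWARD logging rule.
SAMPLE_LOG = """\
Feb  1 15:13:23 WorkRouter kernel: IPv4-In-Drop: IN=Internet OUT= MAC=bc:30:5b:e3:9f:28:20:b3:99:cc:c2:24:08:00 SRC=192.168.127.254 DST=192.168.126.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37930 DF PROTO=ICMP TYPE=8 CODE=0 ID=23320 SEQ=25
Feb  1 15:13:24 WorkRouter kernel: IPv4-Fwd-Drop: IN=Internet OUT=LAN MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.127.10 DST=192.168.126.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  1 15:13:25 WorkRouter kernel: IPv4-Fwd-Drop: IN=Internet OUT=LAN MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.127.10 DST=192.168.126.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  1 15:13:26 WorkRouter sshd[123]: Accepted publickey for user from 10.0.0.5
"""

# "kernel: <prefix>: KEY=VAL KEY=VAL ..." ; flags such as DF or SYN have no "=".
LOG_RE = re.compile(r"kernel: (?P<prefix>[\w-]+): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of LOG fields for one syslog line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, val in KV_RE.findall(m.group("fields")):
        # ID= appears twice for ICMP (IP header id, then echo id); keep the first.
        rec.setdefault(key, val)  # OUT= with no value is kept as ""
    return rec


def summarize_drops(text):
    """Count dropped packets per (prefix, in_if, out_if, src, dst, proto/port-or-type)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        proto = rec.get("PROTO", "?")
        if proto in ("TCP", "UDP"):
            proto += "/" + rec.get("DPT", "?")       # destination port
        elif proto == "ICMP":
            proto += "/type" + rec.get("TYPE", "?")  # 8 = echo request
        key = (rec["prefix"], rec.get("IN", ""), rec.get("OUT", ""),
               rec["SRC"], rec["DST"], proto)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).most_common():
        print(n, *key)
```

Running it over a real syslog shows which chain (INPUT or FORWARD) is dropping the subnet-to-subnet traffic, which is exactly the question left open above.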
