hi
my network:
internet & ipsec gateway has 2 interfaces:
eth0 -> external interface (internet)
eth1 -> internal interface (LAN)
LAN:
LOCAL_LAN="192.168.115.0/24"
remote networks:
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
ipsec works without problems and I can reach remote networks from any LAN machine,
but cannot access the Internet from the LAN machines
what's wrong ?
I'm using this firewall script:
Code:
#!/bin/sh
EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
IPTABLES="/sbin/iptables"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,53,80,443 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT # DNS per udp
# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN
$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT
# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT
Code:
# iptables -V
iptables v1.2.11
Code:
# uname -a
Linux sarge.stable 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux