LinuxQuestions.org
Linux - Networking
Old 06-04-2010, 06:48 PM   #1
ajayan
Member
 
Registered: Dec 2007
Posts: 89

Rep: Reputation: 16
Allowing IPsec/L2TP in iptables


Hi all, I had configured IPsec/L2TP on my CentOS 5.4 gateway machine. For testing I had disabled the firewall, and IPsec is working fine; I am able to connect from the client, etc. Now I want to allow IPsec and L2TP through the firewall. Here is my current working firewall. Only OpenVPN is allowed and is redirected.

#######################################################################
# Interfaces and address ranges (the public IP is redacted by the poster):
#   eth0 = XXXSTATICIPXXX   (public static IP, Internet side)
#   eth1 = 192.168.1.81     (LAN side)
#   OpenVPN IP range = 172.24.0.16/4 (as posted; the rules below use 172.24.0.0/16)
#   IPsec IP range   = 192.168.1.0/24

# Default policies: drop anything no rule accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# LAN interface: trust everything on eth1, let LAN-sourced traffic leave via eth0
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -o eth0 -j ACCEPT

# OpenVPN tunnel interface
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -s 172.24.0.0/16 -o eth0 -j ACCEPT

# Forwarding between the LAN and everything else
iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 192.168.1.0/24 -j ACCEPT

# Forward anything arriving from any OpenVPN tunnel
iptables -A FORWARD -i tun+ -j ACCEPT

# ICMP to/from the gateway and through it
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -A FORWARD -p icmp -s XXXSTATICIPXXX -j ACCEPT
iptables -A FORWARD -p icmp -d XXXSTATICIPXXX -j ACCEPT

iptables -A FORWARD -s XXXSTATICIPXXX -j ACCEPT

# Source NAT for LAN and OpenVPN clients leaving via eth0
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source XXXSTATICIPXXX
iptables -t nat -A POSTROUTING -s 172.24.0.0/16 -o eth0 -j SNAT --to-source XXXSTATICIPXXX
# ACCEPT in the nat PREROUTING chain stops chain traversal, so traffic that
# arrives on an internal interface is excluded from the DNAT below
iptables -t nat -A PREROUTING -i eth1 -d XXXSTATICIPXXX -j ACCEPT
iptables -t nat -A PREROUTING -i tun0 -d XXXSTATICIPXXX -j ACCEPT
iptables -t nat -A PREROUTING -i lo -d XXXSTATICIPXXX -j ACCEPT

# Redirect inbound OpenVPN (UDP 1194) to the internal OpenVPN server
iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to 192.168.1.120
iptables -A FORWARD -s 192.168.1.120 -p udp --dport 1194 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT

# Outbound on eth0 (the first and third lines repeat rules already added above)
iptables -A OUTPUT -s 192.168.1.0/24 -o eth0 -j ACCEPT
iptables -A OUTPUT -s XXXSTATICIPXXX -o eth0 -j ACCEPT
iptables -A OUTPUT -s 172.24.0.0/16 -o eth0 -j ACCEPT

# Stateful: replies and related traffic for connections already accepted
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Log, then drop, whatever reaches the end of INPUT. LOGDROP terminates the
# chain, so any rule appended to INPUT after this point is never evaluated.
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -A INPUT -j LOGDROP
########################################################################

Now I have added the following rules to allow IPsec/L2TP access.

iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT   # L2TP
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT   # IKE/ESP NAT traversal (NAT-T)
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT    # IKE
iptables -A INPUT -i eth0 -p esp -j ACCEPT                # ESP (IP protocol 50)
iptables -A OUTPUT -o ppp+ -j ACCEPT                      # PPP sessions carried by L2TP
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT

But I am not able to connect to IPsec/L2TP. I can't even connect IPsec, though. How can I resolve the issue?

Thanks in advance.
Ajayan

Last edited by ajayan; 06-04-2010 at 06:50 PM.
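An added example, not the poster's script, of how the IPsec/L2TP rules can be loaded into a rule set like the one above. Two points a practitioner would check here: first, the posted firewall ends INPUT with a terminating "iptables -A INPUT -j LOGDROP", so any rule appended with "-A INPUT" after that line is never evaluated; the script below inserts with "-I" instead. Second, UDP 1701 is accepted only when the packet was just decrypted from an IPsec SA (the xt_policy match, "-m policy --dir in --pol ipsec"), so L2TP is never reachable in clear text from the Internet. Assumptions: the public interface is eth0, the L2TP client pool falls inside the 192.168.1.0/24 range the existing SNAT rule already covers, and IPT can be overridden (IPT="echo iptables") to preview the rules without applying them.

```shell
# Added example (not the poster's configuration). Assumes eth0 is the public
# interface; IPT and WAN are hypothetical variables introduced for this script.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}

ipsec_l2tp_rules() {
    # -I (insert at the top) rather than -A: rules appended after the final
    # "iptables -A INPUT -j LOGDROP" would never be reached.
    # IKE and NAT-T must be reachable from wherever a client connects.
    $IPT -I INPUT -i "$WAN" -p udp --dport 500  -j ACCEPT
    $IPT -I INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT
    $IPT -I INPUT -i "$WAN" -p esp -j ACCEPT

    # L2TP (UDP 1701) only for packets that arrived inside an IPsec SA.
    # Without the policy match, L2TP would be accepted unencrypted as well.
    $IPT -I INPUT -i "$WAN" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # OUTPUT policy is DROP: let IKE/NAT-T/ESP leave, and L2TP only via IPsec.
    $IPT -I OUTPUT -o "$WAN" -p udp -m multiport --sports 500,4500 -j ACCEPT
    $IPT -I OUTPUT -o "$WAN" -p esp -j ACCEPT
    $IPT -I OUTPUT -o "$WAN" -p udp --sport 1701 \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # PPP sessions carried by L2TP: traffic to and from the VPN clients.
    # FORWARD -o ppp+ can be narrowed to RELATED,ESTABLISHED if clients should
    # only initiate, never receive, connections.
    $IPT -I INPUT   -i ppp+ -j ACCEPT
    $IPT -I OUTPUT  -o ppp+ -j ACCEPT
    $IPT -I FORWARD -i ppp+ -j ACCEPT
    $IPT -I FORWARD -o ppp+ -j ACCEPT
}

# Apply only when invoked as "sh this.sh apply" (as root). Preview with:
#   IPT="echo iptables" sh this.sh apply
case "${1:-}" in
    apply) ipsec_l2tp_rules ;;
esac
```

After applying, "iptables -L INPUT -n --line-numbers" should list the ESP, UDP 500/4500 and policy-matched UDP 1701 rules above the LOGDROP entry; if they appear below it, they are dead rules and the connection attempt will show up in the LOG output instead of succeeding. The ppp+ rules take effect only once a PPP interface exists, which happens after the L2TP session is up, so IKE and ESP failures always have to be solved first.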
 
Old 06-05-2010, 09:21 AM   #2
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
I use Shorewall to build my firewalls. It particularly handles IPsec tunnels in a way that is easy to read (better able to verify you didn't open more than you should). The Perl version is very fast. I mostly use SSH tunneling now, but at one time I had 25 or more IPsec tunnels defined.