Allowing IPSec/L2TP in Iptables
Hi all, I have configured IPsec/L2TP on my CentOS 5.4 gateway machine. For testing I had disabled the firewall, and IPsec is working fine; I am able to connect from a client, etc. Now I want to allow IPsec and L2TP through the firewall. Here is my current working firewall. Only OpenVPN is allowed and is redirected.
#######################################################################
eth0=XXXSTATICIPXXX
eth1=192.168.1.81
OpenVpn IP Range = 172.24.0.16/4
Ipsec Ip Range = 192.168.1.0/24
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -o eth0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -s 172.24.0.0/16 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -s XXXSTATICIPXXX -j ACCEPT
iptables -A FORWARD -p icmp -d XXXSTATICIPXXX -j ACCEPT
iptables -A FORWARD -s XXXSTATICIPXXX -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source XXXSTATICIPXXX
iptables -t nat -A POSTROUTING -s 172.24.0.0/16 -o eth0 -j SNAT --to-source XXXSTATICIPXXX
iptables -t nat -A PREROUTING -i eth1 -d XXXSTATICIPXXX -j ACCEPT
iptables -t nat -A PREROUTING -i tun0 -d XXXSTATICIPXXX -j ACCEPT
iptables -t nat -A PREROUTING -i lo -d XXXSTATICIPXXX -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to 192.168.1.120
iptables -A FORWARD -s 192.168.1.120 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -o eth0 -j ACCEPT
iptables -A OUTPUT -s XXXSTATICIPXXX -o eth0 -j ACCEPT
iptables -A OUTPUT -s 172.24.0.0/16 -o eth0 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -N LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
iptables -A INPUT -j LOGDROP
########################################################################
Now I have added the following rules to allow IPsec/L2TP access.
iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT
But I am not able to connect to IPsec/L2TP. I can't even connect with IPsec alone, though. How can I resolve the issue?
Thanks in advance.
Ajayan
Last edited by ajayan; 06-04-2010 at 06:50 PM.
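An added example, not from the original post: a shell helper that prints an IPsec/L2TP rule set for the WAN interface, restricting UDP 1701 to packets that arrived inside ESP (via the `-m policy` match, assumed to be available in the kernel), plus a check that flags rules accepting L2TP without that restriction. Interface, port and chain names follow the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the xt_policy match
# ("-m policy") is available and that the WAN interface is passed as $1
# (eth0 on the poster's gateway). Rules are printed, not applied, so they
# can be reviewed first and then piped into sh.
ipsec_l2tp_rules() {
    wan="$1"
    cat <<EOF
# IKE, IKE over NAT-T and ESP itself
iptables -A INPUT -i $wan -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $wan -p esp -j ACCEPT
# L2TP only when it was carried inside an ESP tunnel; plaintext L2TP
# arriving from the internet falls through to the INPUT policy.
iptables -A INPUT -i $wan -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Reverse direction for the gateway's own IKE/ESP/L2TP traffic
iptables -A OUTPUT -o $wan -p udp --sport 500 -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --sport 4500 -j ACCEPT
iptables -A OUTPUT -o $wan -p esp -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --sport 1701 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Read rules (e.g. from "iptables -S INPUT") on stdin and print every rule
# that accepts UDP 1701 without requiring an IPsec policy.
# Returns 1 if at least one such rule was found, 0 otherwise.
unprotected_l2tp() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            *"--dport 1701"*"-j ACCEPT"*)
                case "$rule" in
                    *"--pol ipsec"*) ;;            # protected, fine
                    *) echo "UNPROTECTED: $rule"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}
```

Apply with `ipsec_l2tp_rules eth0 | sh`, and audit a running box with `iptables -S INPUT | unprotected_l2tp`.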