LinuxQuestions.org
Old 01-09-2009, 04:07 PM   #1
rustyscott
Problem with iptables and policy based IPSec tunnel.


I have connected a home office network to an office network using IPSec in tunnel mode with policy based routing using setkey. Office network is firewalled/gatewayed through a NetScreen 5gt and home network is through a Linux router using ipsec-tools. Office network is 192.168.1.0/24 and Home network is 10.0.0.0/24. The IPSec tunnel establishes both phase1 AND phase2 and with iptables disabled on the Linux box at the Home network everything works as expected:
1) From 192.168.1.60(office) I can ping 10.0.0.2(home)
2) From 192.168.1.60(office) I can ssh to 10.0.0.2(home)
3) From 10.0.0.2(home) I can ping 192.168.1.60(office)
4) From 10.0.0.2(home) I can ssh to 192.168.1.60(office)
Both 10.0.0.2 and 192.168.1.60 are machines inside the home and office networks. They are not the gateway machines.

The problem comes when iptables is activated on the linux gateway. With the firewall on I get the following behavior:
1) From 192.168.1.60(office) I can ping 10.0.0.2(home)
2) From 192.168.1.60(office) I can ssh to 10.0.0.2(home)
3) From 10.0.0.2(home) ping fails with "Destination Host Unreachable"
4) From 10.0.0.2(home) ssh fails with "No route to host"

Here is my /etc/sysconfig/iptables after running service iptables save:
# Generated by iptables-save v1.4.1.1 on Thu Jan 8 13:33:47 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [420453:322899972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A INPUT -j LOG --log-prefix REJECTEDINPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -j LOG --log-prefix REJECTEDFORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p udp --sport 500 -j ACCEPT
-A OUTPUT -p udp --sport 4500 -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
COMMIT
# Completed on Thu Jan 8 13:33:47 2009
# Generated by iptables-save v1.4.1.1 on Thu Jan 8 13:33:47 2009
*nat
:PREROUTING ACCEPT [180037:54564759]
:POSTROUTING ACCEPT [149:12428]
:OUTPUT ACCEPT [12263:921919]
-I POSTROUTING 1 -p 50 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Jan 8 13:33:47 2009

There are some lines in there that are probably not necessary but I was trying various suggestions from other web sources. The log lines on the FORWARD and INPUT chains show no rejected packets on the FORWARD chain and only rejected connection attempts from unrelated external IP addresses on the INPUT chain.

Any ideas or suggestions for debugging what is happening to my packets with iptables turned on?

Thanks,

Rusty
 
Old 01-13-2009, 11:13 PM   #2
rustyscott
Well, since no one else responded to my question and I discovered the problem I was having, I will answer my question here for the benefit of anyone else looking to solve a similar problem.

The problem I was having was caused by the last line in the nat table:

-A POSTROUTING -o eth1 -j MASQUERADE

This line masquerades ALL packets going out interface eth1. With the IPSec tunnel established, I do not want packets destined for my tunnel to be NAT'ed. So I needed to change the last line to read:

-A POSTROUTING -o eth1 -d ! 192.168.1.0/24 -j MASQUERADE

This tells iptables to masquerade everything going out eth1 that doesn't have a destination matching the tunneled network.
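To make the fix concrete, here is an added Python model (not code from the thread) of how the nat POSTROUTING chain evaluates a packet from 10.0.0.2 to 192.168.1.60: with the original rule the source is rewritten before the packet is encapsulated, so it no longer fits the tunnel's 10.0.0.0/24 to 192.168.1.0/24 selector, while the corrected rule and the equivalent -m policy exemption leave it untouched. The packets, the 198.51.100.7 Internet destination and the simplified rule matcher are constructed for the example.

```python
import ipaddress

# Constructed nat POSTROUTING chains. BROKEN is the poster's original rule,
# FIXED the corrected one (in current "! -d" syntax), and POLICY the alternative
# idiom of exempting traffic covered by an outbound IPsec policy before masquerading.
BROKEN = ["-A POSTROUTING -o eth1 -j MASQUERADE"]
FIXED = ["-A POSTROUTING -o eth1 ! -d 192.168.1.0/24 -j MASQUERADE"]
POLICY = ["-A POSTROUTING -o eth1 -m policy --dir out --pol ipsec -j ACCEPT",
          "-A POSTROUTING -o eth1 -j MASQUERADE"]

def parse_rule(rule):
    # Parse only the subset of iptables syntax used in the chains above.
    toks, m, i = rule.split(), {"negate_dst": False}, 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-o", "-j", "--dir", "--pol"):
            m[t] = toks[i + 1]
            i += 2
        elif t == "-d" or (t == "!" and toks[i + 1] == "-d"):
            m["negate_dst"] = t == "!"
            m["dst"] = ipaddress.ip_network(toks[i + 2 if t == "!" else i + 1])
            i += 3 if t == "!" else 2
        elif t == "-m" and toks[i + 1] == "policy":
            m["ipsec"] = True  # match only packets an xfrm (IPsec) policy applies to
            i += 2
        else:
            raise ValueError("unsupported token: " + t)
    return m

def matches(m, pkt):
    # pkt: out = egress interface, dst = destination IP, ipsec = SPD policy covers it
    if "-o" in m and m["-o"] != pkt["out"]:
        return False
    if "dst" in m and (ipaddress.ip_address(pkt["dst"]) in m["dst"]) == m["negate_dst"]:
        return False
    if m.get("ipsec") and not pkt["ipsec"]:
        return False
    return True

def postrouting_verdict(rules, pkt):
    # First matching rule wins; the chain policy is ACCEPT (no NAT) if nothing matches.
    for rule in rules:
        m = parse_rule(rule)
        if matches(m, pkt):
            return m["-j"]
    return "ACCEPT"

# Constructed packets: one for the office LAN via the tunnel, one for the Internet.
TUNNEL_PKT = {"out": "eth1", "dst": "192.168.1.60", "ipsec": True}
INTERNET_PKT = {"out": "eth1", "dst": "198.51.100.7", "ipsec": False}
```

Only the BROKEN chain returns MASQUERADE for the tunnel-bound packet; all three chains still masquerade ordinary Internet traffic.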