lucifercipher 03-31-2005 07:25 AM

iptables and VPN connections

Does someone have to set iptables to accept VPN connections or they are handled by kernel routing automatically?

Nathanael 04-02-2005 04:19 AM

VPNs are run over layer 3 - in that case they most likely will need to pass through iptables!
(that's what I think!)

fr_laz 04-05-2005 10:43 AM


yes you definitely have to.

There's a trick since when you, as an example, tunnel port http 80, your Linux box will first see an ESP packet; then your VPN software will decrypt traffic, and the Linux box will see an incoming http packet. Best way to see what's happening is to play a bit with Ethereal.

Thus, so as to allow http incoming through VPN, you need both

iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

But the second line is quite uncool!! So here's the trick:

iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -t mangle -I INPUT -p esp -j MARK --set-mark 1
iptables -I FORWARD -m mark --mark 1 -j ACCEPT
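An added example (not from the thread) that builds the rule set described above as a reviewable list of commands, so it can be checked in a dry run before being applied as root. The interface, port, mark value and chain are parameters; the IKE rule on udp/500 is an assumption added here, since the post only shows ESP.

```shell
#!/bin/sh
# Hypothetical helper: print the iptables commands for an IPsec (ESP) tunnel
# that should only carry one TCP service. Nothing is applied unless APPLY=1.
vpn_rules() {
    iface=$1 port=$2 mark=$3 chain=${4:-FORWARD}
    # 1. Encrypted traffic as the box first sees it: IKE (udp/500, assumed
    #    here) and the ESP packets themselves.
    printf '%s\n' "iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -i $iface -p esp -j ACCEPT"
    # 2. Tag ESP packets in the mangle table; the mark stays on the packet
    #    after the kernel decrypts it and hands it back to netfilter.
    printf '%s\n' "iptables -t mangle -I INPUT -i $iface -p esp -j MARK --set-mark $mark"
    # 3. Accept the decrypted service only when it carries the mark, i.e.
    #    only when it arrived through the tunnel, never in cleartext on $iface.
    printf '%s\n' "iptables -I $chain -m mark --mark $mark -p tcp --dport $port -j ACCEPT"
}

# Dry run by default; run the commands for real only when APPLY=1.
apply_vpn_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        vpn_rules "$@" | sh -e
    else
        vpn_rules "$@"
    fi
}

# Usage: ./vpn-rules.sh eth0 80 1 [FORWARD|INPUT]
if [ $# -ge 3 ]; then
    apply_vpn_rules "$@"
fi
```

After applying, `iptables -t mangle -L INPUT -v -n` and `iptables -L FORWARD -v -n` should show the counters on the MARK and mark-match rules increasing while tunnelled traffic flows; if only the ESP counter moves, the mark is not reaching the decrypted packet.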

