iptables and VPN connections

lucifercipher · 03-31-2005, 06:25 AM

Hi,

Does someone have to set iptables to accept VPN connections or they are handled by kernel routing automatically?

Nathanael · 04-02-2005, 03:19 AM

vpn's are run over layer 3 - in that case they most likley will need to pass through iptables!
(that's what i think!)

fr_laz · 04-05-2005, 09:43 AM

Hi,

yes you definitely have to.

There's a trick since when you, as an exemple, tunnel port http 80, your Linux box will first see an ESP packet ; then your vpn software will decrypt traffic, and the Linux box will see an incomming http packet. Best way to see what's happening is to play a bit with ethereal.

Thus, so as to allow http incomming through vpn, you need both

Code:

iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -dport 80 -j ACCEPT

But the second line is quite uncool !! So here's the trick :

Code:

iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -t mangle -I INPUT -p esp -j MARK --set-mark 1
iptables -I FORWARD -m mark --mark 1 -j ACCEPT