LinuxQuestions.org


rustyscott 01-09-2009 04:07 PM

Problem with iptables and policy based IPSec tunnel.
 
I have connected a home office network to an office network using IPSec in tunnel mode with policy based routing using setkey. Office network is firewalled/gatewayed through a NetScreen 5gt and home network is through a Linux router using ipsec-tools. Office network is 192.168.1.0/24 and Home network is 10.0.0.0/24. The IPSec tunnel establishes both phase1 AND phase2 and with iptables disabled on the Linux box at the Home network everything works as expected:
1) From 192.168.1.60(office) I can ping 10.0.0.2(home)
2) From 192.168.1.60(office) I can ssh to 10.0.0.2(home)
3) From 10.0.0.2(home) I can ping 192.168.1.60(office)
4) From 10.0.0.2(home) I can ssh to 192.168.1.60(office)
Both 10.0.0.2 and 192.168.1.60 are machines inside the home and office networks. They are not the gateway machines.

The problem comes when iptables is activated on the linux gateway. With the firewall on I get the following behavior:
1) From 192.168.1.60(office) I can ping 10.0.0.2(home)
2) From 192.168.1.60(office) I can ssh to 10.0.0.2(home)
3) From 10.0.0.2(home) ping fails with "Destination Host Unreachable"
4) From 10.0.0.2(home) ssh fails with "No route to host"

Here is my /etc/sysconfig/iptables after running service iptables save:
# Generated by iptables-save v1.4.1.1 on Thu Jan 8 13:33:47 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [420453:322899972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A INPUT -j LOG --log-prefix REJECTEDINPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -j LOG --log-prefix REJECTEDFORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p udp --sport 500 -j ACCEPT
-A OUTPUT -p udp --sport 4500 -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
COMMIT
# Completed on Thu Jan 8 13:33:47 2009
# Generated by iptables-save v1.4.1.1 on Thu Jan 8 13:33:47 2009
*nat
:PREROUTING ACCEPT [180037:54564759]
:POSTROUTING ACCEPT [149:12428]
:OUTPUT ACCEPT [12263:921919]
-I POSTROUTING 1 -p 50 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Jan 8 13:33:47 2009

There are some lines in there that are probably not necessary but I was trying various suggestions from other web sources. The log lines on the FORWARD and INPUT chains show no rejected packets on the FORWARD chain and only rejected connection attempts from unrelated external IP addresses on the INPUT chain.

Any ideas or suggestions for debugging what is happening to my packets with iptables turned on?

Thanks,

Rusty

rustyscott 01-13-2009 11:13 PM

Well, since no one else responded to my question, and I discovered the problem I was having, I will answer my question here for the benefit of anyone else looking to solve a similar problem.

The problem I was having was caused by the last line in the nat table:

-A POSTROUTING -o eth1 -j MASQUERADE

This line masquerades ALL packets going out interface eth1. With the IPSec tunnel established, I do not want packets destined for my tunnel to be NAT'ed. So I needed to change the last line to read:

-A POSTROUTING -o eth1 -d ! 192.168.1.0/24 -j MASQUERADE

This tells iptables to masquerade everything going out eth1 that doesn't have a destination matching the tunneled network.
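
As an added illustration (not from the thread), a small Python model of why the original MASQUERADE rule broke the tunnel: nat POSTROUTING sees the still-unencrypted packet before the kernel's IPsec policy lookup, so rewriting its source to the gateway's public address means it no longer matches the SPD selector 10.0.0.0/24 -> 192.168.1.0/24, and the `-p 50` ACCEPT rule never fires because that packet is not yet ESP. It models the original rule, the `! -d` fix from the post, and the equivalent `-m policy --dir out --pol ipsec -j ACCEPT` exclusion placed ahead of MASQUERADE; the gateway's public address and the non-tunnel destination are constructed placeholders.

```python
import ipaddress

# Constructed model of the poster's setup: home LAN 10.0.0.0/24 behind eth0,
# eth1 is the Internet side, tunnel-mode SPD selector home LAN -> office LAN.
HOME_LAN = ipaddress.ip_network("10.0.0.0/24")
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_PUBLIC = "203.0.113.5"  # placeholder (TEST-NET-3), not the poster's address


def rule(target, out_if=None, proto=None, not_dst=None, ipsec_out=False):
    """One nat POSTROUTING rule: -o, -p, '! -d', or '-m policy --dir out --pol ipsec'."""
    return {"target": target, "out_if": out_if, "proto": proto,
            "not_dst": ipaddress.ip_network(not_dst) if not_dst else None,
            "ipsec_out": ipsec_out}


def spd_matches(src, dst):
    """The tunnel-mode SPD selector from the post: traffic between the two LANs."""
    return (ipaddress.ip_address(src) in HOME_LAN
            and ipaddress.ip_address(dst) in OFFICE_LAN)


def postrouting(rules, pkt):
    """Walk nat POSTROUTING top to bottom on the plaintext packet, which is the
    state the kernel evaluates it in before IPsec encapsulation. Returns the
    packet as it reaches the IPsec policy lookup."""
    pkt = dict(pkt)
    for r in rules:
        if r["out_if"] and r["out_if"] != pkt["out_if"]:
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue  # '-p esp' cannot match: the inner packet is ICMP/TCP here
        if r["not_dst"] and ipaddress.ip_address(pkt["dst"]) in r["not_dst"]:
            continue  # '! -d 192.168.1.0/24' excludes tunnel destinations
        if r["ipsec_out"] and not spd_matches(pkt["src"], pkt["dst"]):
            continue  # '-m policy --dir out --pol ipsec' only matches SPD traffic
        if r["target"] == "MASQUERADE":
            pkt["src"] = GATEWAY_PUBLIC  # source rewritten to the public address
        return pkt  # ACCEPT and MASQUERADE both terminate the chain
    return pkt


def goes_through_tunnel(rules, pkt):
    """True if the packet still matches the SPD selector after NAT ran."""
    out = postrouting(rules, pkt)
    return spd_matches(out["src"], out["dst"])


PKT = {"src": "10.0.0.2", "dst": "192.168.1.60", "proto": "icmp", "out_if": "eth1"}
ORIGINAL = [rule("ACCEPT", proto="esp"), rule("MASQUERADE", out_if="eth1")]
FIXED = [rule("ACCEPT", proto="esp"),
         rule("MASQUERADE", out_if="eth1", not_dst="192.168.1.0/24")]
POLICY_FIX = [rule("ACCEPT", ipsec_out=True), rule("MASQUERADE", out_if="eth1")]
```

Under ORIGINAL the ping from 10.0.0.2 leaves POSTROUTING with the gateway's source address and no longer matches the SPD; under either fix it keeps its LAN source, while traffic to any other Internet destination is still masqueraded.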
