
[Users] (Expired?) SA

From: <dlambeth(at)starmountain.com>
Date: Wed Feb 25 2004 - 08:17:24 EST


Hello,

    When I used Linux SuSE 8.0 with Freeswan 1.95 I had no problems with establishing and maintaining a tunnel. Now that I have moved to Gentoo, it seems I can establish a connection initially, but then it will drop off for no reason that I can find. I am guessing it has something to do with (Expired?) SA, but I'm not sure. I have attached my IPSEC Barf output file and after that my firewall script rules. Any help would be greatly appreciated.

PS I am using Freeswan 1.99 on Gentoo Kernel 2.4.20-xfs-sources

IPSEC BARF OUTPUT

drwxr-xr-x 4 root root 416 Jan 30 09:23 2.4.22_pre2-gss
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c0223dac netif_rx_R764a9fac
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx + set +x
2.4.22_pre2-gss: U netif_rx_R764a9fac
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '11455,$p' /var/log/syslog.0

+ egrep -i 'ipsec|klips|pluto'
+ cat
Feb 24 15:49:49 ids ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Feb 24 15:49:50 ids ipsec_setup: Using /lib/modules/2.4.22_pre2-gss/kernel/net/ipsec/ipsec.o
Feb 24 15:49:50 ids kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: super-freeswan-1.99.7.3
Feb 24 15:49:50 ids kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=15)
Feb 24 15:49:50 ids kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
Feb 24 15:49:50 ids ipsec_setup: KLIPS debug `none'
Feb 24 15:49:51 ids ipsec_setup: KLIPS ipsec0 on eth0 208.11.155.199/255.255.255.0 broadcast 208.11.155.255
Feb 24 15:49:51 ids ipsec_setup: ...FreeS/WAN IPsec started
Feb 24 15:50:00 ids kernel: ipsec0: no IPv6 routers present
Feb 24 15:51:04 ids ipsec__plutorun: 104 "darwins" #1: STATE_MAIN_I1: initiate
Feb 24 15:51:04 ids ipsec__plutorun: 003 "darwins" #1: ignoring Vendor ID payload
Feb 24 15:51:04 ids ipsec__plutorun: 106 "darwins" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 24 15:51:04 ids ipsec__plutorun: 108 "darwins" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 24 15:51:04 ids ipsec__plutorun: 010 "darwins" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
Feb 24 15:51:04 ids ipsec__plutorun: 010 "darwins" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
Feb 24 15:51:04 ids ipsec__plutorun: 031 "darwins" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:51:05 ids ipsec__plutorun: 000 "darwins" #1: starting keying attempt 2 of at most 8, but releasing whack
Feb 24 15:51:05 ids ipsec__plutorun: ...could not start conn "darwins"
+ _________________________ plog
+ sed -n '186,$p' /var/log/auth.log.0

+ egrep -i pluto
+ cat
Feb 24 15:49:51 ids ipsec__plutorun: Starting Pluto subsystem...
Feb 24 15:49:51 ids pluto[2128]: Starting Pluto (FreeS/WAN Version 1.99)
Feb 24 15:49:51 ids pluto[2128]:   including X.509 patch with traffic selectors (Version 0.9.34)
Feb 24 15:49:51 ids pluto[2128]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Feb 24 15:49:51 ids pluto[2128]: Warning: empty directory
Feb 24 15:49:51 ids pluto[2128]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Feb 24 15:49:51 ids pluto[2128]: Warning: empty directory
Feb 24 15:49:51 ids pluto[2128]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Feb 24 15:49:52 ids pluto[2128]: added connection description "darwins"
Feb 24 15:49:52 ids pluto[2128]: listening for IKE messages
Feb 24 15:49:52 ids pluto[2128]: adding interface ipsec0/eth0 208.11.155.199
Feb 24 15:49:52 ids pluto[2128]: loading secrets from "/etc/ipsec/ipsec.secrets"
Feb 24 15:49:53 ids pluto[2128]: "darwins" #1: initiating Main Mode
Feb 24 15:49:53 ids pluto[2128]: "darwins" #1: ignoring Vendor ID payload
Feb 24 15:51:04 ids pluto[2128]: "darwins" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:51:04 ids pluto[2128]: "darwins" #1: starting keying attempt 2 of at most 8, but releasing whack
Feb 24 15:51:04 ids pluto[2128]: "darwins" #2: initiating Main Mode to replace #1
Feb 24 15:51:05 ids pluto[2128]: "darwins" #2: ignoring Vendor ID payload
Feb 24 15:51:55 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:52:15 ids pluto[2128]: "darwins" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:52:15 ids pluto[2128]: "darwins" #2: starting keying attempt 3 of at most 8
Feb 24 15:52:15 ids pluto[2128]: "darwins" #3: initiating Main Mode to replace #2
Feb 24 15:52:15 ids pluto[2128]: "darwins" #3: ignoring Vendor ID payload
Feb 24 15:52:40 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:52:59 ids pluto[2128]: ERROR: pfkey write() of SADB_X_DELFLOW message 7 for flow %hold failed. Errno 22: Invalid argument
Feb 24 15:52:59 ids pluto[2128]: | 02 0f 00 0b 0f 00 00 00 07 00 00 00 50 08 00 00
Feb 24 15:52:59 ids pluto[2128]: | 03 00 15 00 00 00 00 00 02 00 04 0e 0a 0a 0f 02
Feb 24 15:52:59 ids pluto[2128]: | 00 00 00 00 00 00 00 00 03 00 16 00 00 00 00 00
Feb 24 15:52:59 ids pluto[2128]: | 02 00 00 35 c0 a8 01 02 00 00 00 00 00 00 00 00
Feb 24 15:52:59 ids pluto[2128]: | 03 00 17 00 00 00 00 00 02 00 ff ff ff ff ff ff
Feb 24 15:52:59 ids pluto[2128]: | fd f1 04 08 b4 e0 ff bf 03 00 18 00 00 00 00 00
Feb 24 15:52:59 ids pluto[2128]: | 02 00 ff ff ff ff ff ff a0 df ff bf 00 df ff bf
Feb 24 15:52:59 ids pluto[2128]: | 01 00 1a 00 11 20 00 00
Feb 24 15:53:26 ids pluto[2128]: "darwins" #3: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:53:26 ids pluto[2128]: "darwins" #3: starting keying attempt 4 of at most 8
Feb 24 15:53:26 ids pluto[2128]: "darwins" #4: initiating Main Mode to replace #3
Feb 24 15:53:27 ids pluto[2128]: "darwins" #4: ignoring Vendor ID payload
Feb 24 15:54:10 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:54:37 ids pluto[2128]: "darwins" #4: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:54:37 ids pluto[2128]: "darwins" #4: starting keying attempt 5 of at most 8
Feb 24 15:54:37 ids pluto[2128]: "darwins" #5: initiating Main Mode to replace #4
Feb 24 15:54:37 ids pluto[2128]: "darwins" #5: ignoring Vendor ID payload
Feb 24 15:55:40 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:55:47 ids pluto[2128]: "darwins" #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:55:47 ids pluto[2128]: "darwins" #5: starting keying attempt 6 of at most 8
Feb 24 15:55:47 ids pluto[2128]: "darwins" #6: initiating Main Mode to replace #5
Feb 24 15:55:47 ids pluto[2128]: "darwins" #6: ignoring Vendor ID payload
Feb 24 15:56:25 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:56:57 ids pluto[2128]: "darwins" #6: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:56:57 ids pluto[2128]: "darwins" #6: starting keying attempt 7 of at most 8
Feb 24 15:56:57 ids pluto[2128]: "darwins" #7: initiating Main Mode to replace #6
Feb 24 15:56:57 ids pluto[2128]: "darwins" #7: ignoring Vendor ID payload
Feb 24 15:57:55 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:58:07 ids pluto[2128]: "darwins" #7: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:58:07 ids pluto[2128]: "darwins" #7: starting keying attempt 8 of at most 8
Feb 24 15:58:07 ids pluto[2128]: "darwins" #8: initiating Main Mode to replace #7
Feb 24 15:58:07 ids pluto[2128]: "darwins" #8: ignoring Vendor ID payload
Feb 24 15:58:40 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:59:17 ids pluto[2128]: "darwins" #8: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 16:00:10 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA

IPTABLES Firewall SCRIPT

# Specify the External Interfaces
EXT_IFACE="eth0"

# Specify the internal Interfaces
INT_IFACE="eth1"

# Specify the External IP Address
EXT_IP="208.11.155.199"

# Specify the internal IP Address
INT_IP="10.10.15.1"

# Specify Internal Servers for NAT

SERVER0="10.10.15.1"
SERVER1="10.10.15.2"
SERVER2="10.10.15.3"

# Local Trusted Networks
LOCALNET="10.10.15.0/24"
LOCALNET1="192.168.1.0/24"

# Loopback Interface
LO_IFACE="lo"

# Flush Any Existing Rules or Chains

        echo "Flushing Tables ..."

        # Reset Default Policies
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -t nat -P PREROUTING ACCEPT
        iptables -t nat -P POSTROUTING ACCEPT
        iptables -t nat -P OUTPUT ACCEPT
        iptables -t mangle -P PREROUTING ACCEPT
        iptables -t mangle -P OUTPUT ACCEPT

        # Flush all rules
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F 

        # Erase all non-default chains
        iptables -X
        iptables -t nat -X
        iptables -t mangle -X

# Specify the Naughty Ports like NetBios
NBIOS="113:139"
DDE="445"

# Specification of the high unprivileged IP ports
UNPRIVPORTS="1024:65535"

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses


#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time

# Get rid of IP spoofing
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# Enable Port Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Create logging chains-----#
iptables -A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "fp=OUTPUT:85 a=DROP "
iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix "INPUT_DROP??: "
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP!!: "

#----Create special User-Chains-----#

        # Iptables allows creation of customized chains. The -l (log) flag no longer
        # exists. This is a custom chain which allows logging of DROPped packets.
        #

        iptables -N LnD                 # Define custom chain

        iptables -A LnD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP drop] " --log-level=info
        iptables -A LnD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP drop] " --log-level=info
        iptables -A LnD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP drop] " --log-level=info
        iptables -A LnD -p esp -m limit --limit 1/s -j LOG --log-prefix "[ESP drop] " --log-level=info
        iptables -A LnD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG drop] " --log-level=info
        iptables -A LnD -j DROP

        #
        # This custom chain logs, then REJECTs packets.
        #

        iptables -N LnR                 # Define custom chain

        iptables -A LnR -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP reject] " --log-level=info
        iptables -A LnR -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP reject] " --log-level=info
        iptables -A LnR -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP reject] " --log-level=info
        iptables -A LnR -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG reject] " --log-level=info
        iptables -A LnR -j REJECT

        #
        # This chain logs, then DROPs "Xmas" and Null packets which might indicate a port-scan attempt
        #

        iptables -N ScanD               # Define custom chain

        iptables -A ScanD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Scan?] "
        iptables -A ScanD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Scan?] "
        iptables -A ScanD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Scan?] "
        iptables -A ScanD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Scan?] "
        iptables -A ScanD -j DROP

        #
        # Disallow packets frequently used by port-scanners
        #

        # All of the bits are cleared
        iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD
        # SYN and FIN are both set
        iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD
        # SYN and RST are both set
        iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD
        # FIN and RST are both set
        iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD
        # FIN is the only bit set, without the expected accompanying ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD
        # PSH is the only bit set, without the expected accompanying ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD
        # URG is the only bit set, without the expected accompanying ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD

###################### This Forwards LAN Packets for Lan to Lan #########
# Forward LAN Packets
iptables -A FORWARD -s $LOCALNET -j ACCEPT
iptables -A FORWARD -d $LOCALNET -j ACCEPT
iptables -A FORWARD -s $LOCALNET1 -j ACCEPT
iptables -A FORWARD -d $LOCALNET1 -j ACCEPT

####################### INPUT Chain ####################################
# Filtering on the firewall itself (Be very restrictive on what your
# sources are)

# Drop

iptables -A INPUT -s ! $LOCALNET -p icmp -j DROP
iptables -A INPUT -s ! $LOCALNET -p tcp --destination-port $NBIOS -j DROP
iptables -A INPUT -s ! $LOCALNET -p tcp --destination-port $DDE -j DROP
iptables -A INPUT -s ! $LOCALNET -p tcp --destination-port 6000 -j DROP
iptables -A INPUT -s ! $LOCALNET -p tcp --destination-port 111 -j DROP

# Accept

iptables -A INPUT -s $LOCALNET1 -p icmp -j ACCEPT
iptables -A INPUT -s $LOCALNET1 -p tcp --destination-port $DDE -j ACCEPT
iptables -A INPUT -s $LOCALNET1 -p tcp --destination-port $NBIOS -j ACCEPT
iptables -A INPUT -s $LOCALNET1 -p tcp --destination-port 6000 -j ACCEPT
iptables -A INPUT -s $LOCALNET1 -p tcp --destination-port 111 -j ACCEPT

# SSH
iptables -A INPUT -s 24.174.128.80 -i $EXT_IFACE -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 208.34.95.0/24 -i $EXT_IFACE -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 208.11.155.0/24 -i $EXT_IFACE -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 0/0 -i $EXT_IFACE -p tcp --dport 22 -j DROP

# Webmin
iptables -A INPUT -s 24.174.128.80 -i $EXT_IFACE -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 208.34.95.0/24 -i $EXT_IFACE -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 208.11.155.0/24 -i $EXT_IFACE -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 0/0 -i $EXT_IFACE -p tcp --dport 10000 -j DROP

######################## END of INPUT CHAIN ###############################

######################## Special CHAINS ###################################
# IPSEC Connections
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
######################## End of Special Chains ###########################

######################## Prerouting CHAINS ###############################
# Prerouting for NAT (Port Forwarding Coming in)
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --destination-port 25 -i $EXT_IFACE -j DNAT --to $SERVER1
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --destination-port 80 -i $EXT_IFACE -j DNAT --to $SERVER1

# Prerouting for PPTP nat to internal server
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to $SERVER1
iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to $SERVER1
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to $SERVER1
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to $SERVER1

######################## End of Prerouting CHAINS #######################

#######################  Postrouting CHAINS #############################
# Postrouting for NAT (Allow Internal Network Full Access to all Protocols going out)
iptables -A POSTROUTING -t nat -j MASQUERADE -o $EXT_IFACE

# Postrouting for NAT (Control what internal sources have access going out)
# Use these rules if you want to restrict protocols from internal users to external interface.


#iptables -A POSTROUTING -t nat -p tcp --dport 3389 -j MASQUERADE -o $EXT_IFACE
#iptables -A POSTROUTING -t nat -p icmp -j MASQUERADE -o $EXT_IFACE
#iptables -A POSTROUTING -t nat -s $LOCALNET -p tcp --dport 22 -j MASQUERADE -o #$EXT_IFACE
#iptables -A POSTROUTING -t nat -s $SERVER1 -p tcp --dport 25 -j MASQUERADE -o #$EXT_IFACE
#iptables -A POSTROUTING -t nat -s $SERVER1 -p udp --dport 53 -j MASQUERADE -o #$EXT_IFACE
#iptables -A POSTROUTING -t nat -s $LOCALNET -p tcp --dport 80 -j MASQUERADE -o #$EXT_IFACE
#iptables -A POSTROUTING -t nat -s $LOCALNET -p tcp --dport 10000 -j MASQUERADE -o #$EXT_IFACE

# Postrouting for NAT (PPTP Outgoing calls)
#iptables -A POSTROUTING -t nat -s $LOCALNET -p tcp --dport 1723 -j MASQUERADE
#iptables -A POSTROUTING -t nat -s $LOCALNET -p 47 -j MASQUERADE
#iptables -A POSTROUTING -t nat -s $LOCALNET -p udp --dport 500 -j MASQUERADE
#iptables -A POSTROUTING -t nat -s $LOCALNET -p udp --dport 4500 -j MASQUERADE

######################### End of Postrouting CHAINS #######################

######################### Forward CHAINS ##################################
#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
iptables -A FORWARD -m state --state INVALID -j DROP

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s $LOCALNET -p tcp --sport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s $LOCALNET -p udp --sport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s $LOCALNET -p icmp -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s $LOCALNET1 -p tcp --sport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s $LOCALNET1 -p udp --sport $UNPRIVPORTS -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s $LOCALNET1 -p icmp -j ACCEPT

##Filtering FROM EXTERNAL NET

##Allow replies coming in
iptables -A FORWARD -i $EXT_IFACE -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $EXT_IFACE -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IFACE -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IFACE -p icmp -m state --state RELATED -j ACCEPT

########################## End of Forward CHAINS ############################
___________________________________________________________________________________________________________________


Darwin L. Lambeth
Network Administrator
FPMI/Star Mountain
dlambeth@starmountain.com
210-822-0770 EXT 246
FAX: 210-822-0785

Received on Wed Feb 25 08:25:14 2004
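Added example, not part of the original post: a small Python analyser that does by script what a reader does by hand on the pluto lines above. It groups the auth.log messages by connection and IKE state number, counts the Main Mode attempts that hit the retransmission limit and the state they died in, and tallies the "Informational Exchange is for an unknown (expired?) SA" packets per peer. The embedded log excerpt is taken from the post with wrapped records re-joined; the regexes assume the FreeS/WAN 1.99 pluto message formats seen there.

```python
import re
from collections import defaultdict

# Excerpt of the pluto lines from the post above, with wrapped records re-joined.
SAMPLE_LOG = """\
Feb 24 15:49:53 ids pluto[2128]: "darwins" #1: initiating Main Mode
Feb 24 15:51:04 ids pluto[2128]: "darwins" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:51:04 ids pluto[2128]: "darwins" #1: starting keying attempt 2 of at most 8, but releasing whack
Feb 24 15:51:04 ids pluto[2128]: "darwins" #2: initiating Main Mode to replace #1
Feb 24 15:51:55 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:52:15 ids pluto[2128]: "darwins" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Feb 24 15:52:15 ids pluto[2128]: "darwins" #3: initiating Main Mode to replace #2
Feb 24 15:52:40 ids pluto[2128]: packet from 24.174.128.80:500: Informational Exchange is for an unknown (expired?) SA
Feb 24 15:53:26 ids pluto[2128]: "darwins" #3: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Message formats as emitted by FreeS/WAN 1.99 pluto in the post (assumed stable here).
PLUTO_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$")
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<text>.*)$')
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)")
UNKNOWN_SA_RE = re.compile(r"^packet from (?P<peer>[\d.]+):\d+: "
                           r"Informational Exchange is for an unknown \(expired\?\) SA")


def summarise_pluto_log(text):
    """Per connection: state numbers seen, Main Mode attempts started and states that
    died at the retransmission limit; plus, per peer, Informational Exchanges that
    named an SA this pluto does not hold (the "unknown (expired?) SA" lines)."""
    conns = defaultdict(lambda: {"states": set(), "attempts": 0, "failed": []})
    unknown_sa = defaultdict(int)
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # not a pluto line (ipsec_setup, kernel, plutorun ...)
        msg = m.group("msg")
        u = UNKNOWN_SA_RE.match(msg)
        if u:
            unknown_sa[u.group("peer")] += 1
            continue
        s = STATE_RE.match(msg)
        if not s:
            continue  # daemon-level message, not tied to a state object
        c = conns[s.group("conn")]
        num, what = int(s.group("num")), s.group("text")
        c["states"].add(num)
        if what.startswith("initiating Main Mode"):
            c["attempts"] += 1
        r = RETRANS_RE.search(what)
        if r:
            c["failed"].append((num, r.group("state")))
    return {"connections": dict(conns), "unknown_sa_from": dict(unknown_sa)}


def diagnose(summary):
    """Plain-language findings; STATE_MAIN_I3 means MI3 was sent and no acceptable MR3 came back."""
    findings = []
    for name, c in sorted(summary["connections"].items()):
        if c["failed"]:
            states = ", ".join(sorted({st for _, st in c["failed"]}))
            findings.append(f"{name}: {len(c['failed'])} of {c['attempts']} Main Mode "
                            f"attempts hit the retransmission limit in {states}")
    for peer, n in sorted(summary["unknown_sa_from"].items()):
        findings.append(f"{peer}: {n} Informational Exchange(s) referencing an ISAKMP SA "
                        "this side no longer holds (or never completed)")
    return findings
```

Run `diagnose(summarise_pluto_log(open("/var/log/auth.log").read()))` against a full log to get the same two-line picture the excerpt gives: every attempt dying in STATE_MAIN_I3 while the peer keeps sending Informational Exchanges for SAs this end has already discarded.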

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:05 EDT

