RE: [suse-security] IPTables and GRE Packets
Hi,
From: Drew J. Como [mailto:dcomo@bascom.com]
All,
I am having a problem that I hope someone could shed some light on. I have a machine running 3COM VPN software behind a SuSE 7.3 system running the 2.4.20 kernel.
I am having a problem writing the appropriate rules that will allow this machine to talk to a VPN server that is sitting on the outside world.
I know I have to write a protocol 47 rule, but am not sure the exact syntax.
I tried the following:
iptables -A FORWARD -i eth0 -o eth1 -p 47 -j ACCEPT
Shouldn't that read
iptables -A INPUT -i eth0 -p 47 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p 47 -j ACCEPT
iptables -A OUTPUT -o eth1 -p 47 -j ACCEPT
And what about replies?
I would not use -i for such a rule, I'd rather use --source and --destination.
Could you give some more details about your rules? Maybe the connection gets denied by another rule.
However, running a tcpdump while trying the connection shows:
172.16.0.1 > 172.16.0.16: icmp: x.x.x.x protocol 47 port 34827 unreachable
(x.x.x.x = outside address)
Do I need to add additional support rules, or is my syntax just incorrect?
Any assistance that can be offered is greatly appreciated.
Drew
cheers, Stefan
On Mon, Dec 01, 2003 at 05:15:21PM +0100, Peer Stefan wrote:
Shouldn't that read
iptables -A INPUT -i eth0 -p 47 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p 47 -j ACCEPT
iptables -A OUTPUT -o eth1 -p 47 -j ACCEPT
No, just use the FORWARD chain. For ascii art fans: packet-filtering-HOWTO-6.html
And what about replies?
Good question.
--
Stefan Tichy
hi!
Stefan Andreas Tichy
On Mon, Dec 01, 2003 at 05:15:21PM +0100, Peer Stefan wrote:
Shouldn't that read
iptables -A INPUT -i eth0 -p 47 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p 47 -j ACCEPT
iptables -A OUTPUT -o eth1 -p 47 -j ACCEPT
No, just use the FORWARD chain. For ascii art fans: packet-filtering-HOWTO-6.html
And what about replies?
Good question.
I'd suggest using -m state --state ESTABLISHED,RELATED ... wouldn't that work?
-- Stefan Tichy
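The "what about replies?" question and the ESTABLISHED,RELATED suggestion above, worked through as an added example that is not part of this thread: GRE (IP protocol 47) carries no port numbers, so the return path is just GRE in the other direction, and it must be allowed either through connection tracking or with an explicit mirrored FORWARD rule. The script prints the rules by default and only applies them with --apply as root; interface names follow the thread (eth0 toward the LAN, eth1 toward the Internet), the client address is the one from the tcpdump output, and the VPN server address is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): GRE (IP protocol 47) forwarding rules for a
# Linux router with a VPN client on the LAN and the VPN server on the Internet.
# GRE has no ports, so "replies" are just GRE packets in the other direction:
# allow them either with an explicit reverse rule or via connection tracking.
LAN_IF="${LAN_IF:-eth0}"                  # interface facing the VPN client
WAN_IF="${WAN_IF:-eth1}"                  # interface facing the Internet
CLIENT="${CLIENT:-172.16.0.16}"           # LAN host running the VPN client (from the thread)
VPN_SERVER="${VPN_SERVER:-198.51.100.7}"  # constructed placeholder for the outside server

# Emit the FORWARD-chain rules as text, one command per line.
# $1 = "stateful" uses conntrack for the return path; "stateless" adds an
# explicit reverse rule (for a router without connection tracking loaded).
gre_rules() {
    mode="${1:-stateful}"
    # Client -> server: forwarded LAN to WAN, pinned to the two known endpoints.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p 47 -s $CLIENT -d $VPN_SERVER -j ACCEPT"
    case "$mode" in
        stateful)
            # Server -> client: the tracked reverse flow of the rule above.
            echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p 47 -m state --state ESTABLISHED,RELATED -j ACCEPT"
            ;;
        stateless)
            # Server -> client: mirror of the outbound rule with endpoints swapped.
            echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p 47 -s $VPN_SERVER -d $CLIENT -j ACCEPT"
            ;;
        *)
            echo "gre_rules: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
}

# Count the emitted rules that would match GRE in a given direction, so both
# paths can be confirmed as covered before anything touches the live ruleset.
rules_covering() {   # $1 = mode, $2 = in-interface, $3 = out-interface
    gre_rules "$1" | grep -c -- "-i $2 -o $3 -p 47"
}

# Apply only when explicitly requested and running as root; otherwise print.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    gre_rules "${2:-stateful}" | sh -e
else
    gre_rules "${2:-stateful}"
fi
```

Run it without arguments to review the generated rules; the stateless variant is the one to use when the ICMP unreachable seen in tcpdump points at a missing return-path rule on a router that is not tracking connections.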
--
Check the headers for your unsubscription address.
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here.
participants (3)
- BLeonhardt@analytek.de
- Peer Stefan
- Stefan Andreas Tichy