I am trying to get a working version of an ipsec tunnel between two
Dachstein CD 1.0.2 Gateways (Test1 and Test2) and their subnets. I have
created a test system as suggested in the FreeSWAN documentation (see
diagram below). A Security Association appears to be established between
Test1 and Test2, however, no data will pass through the tunnel (i.e. the
Windows browser cannot connect to the BOA httpd).
Included below are the contents of "/etc/ipsec.conf" (Test1 and Test2 are
identical except for the values of eth0 and eth1). I have also included
the outputs of "ipsec look", "ipsec auto --status", "netstat -nr",
"ifconfig", and "ipchains -L -n" for each system after the SA was established.
Can anyone help me find my problem?
Thanks in advance,
Phil Faris
--------------------- DATA ----------------------------
-------------------------
| Windows PC w/ Browser |   192.168.1.0/24 subnet
| 192.168.1.230         |
-------------------------
            |
-------------------------
| eth1 -->192.168.1.250 |
| Dachstein CD 1.0.2    |   (Test1)
| eth0--->10.0.1.1      |
-------------------------
            |
-------------------------
| eth0--->10.0.1.254    |
| Dachstein CD 1.0.2    |   (Router)
| eth1--->10.0.2.254    |
-------------------------
            |
-------------------------
| eth0--->10.0.2.1      |
| Dachstein CD 1.0.2    |   (Test2)
| eth1--->192.168.2.250 |
-------------------------
            |
-------------------------
| eth1--->192.168.2.10  |
| Eigerstein w/BOA      |   192.168.2.0/24 subnet
-------------------------
(working BOA httpd)
***************
/etc/ipsec.conf (identical for Test1 and Test2)
***************
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        #uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        #authby=rsasig
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
        #left=%defaultroute
        #right=%opportunistic
        # uncomment to enable incoming; change to auto=route for outgoing
        #auto=add

# sample VPN connection
conn vpntest
        type=tunnel
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.1.1
        leftsubnet=192.168.1.0/24
        leftnexthop=10.0.1.254
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.0.2.1
        rightsubnet=192.168.2.0/24
        rightnexthop=10.0.2.254
        rightfirewall=yes
        # To authorize this connection, but not actually start it, at startup,
        auto=start
        authby=secret
******************
ipsec look (Test1)
******************
Test1 Mon Jan 28 12:00:05 UTC 2002
192.168.1.0/24 -> 192.168.2.0/24 => [EMAIL PROTECTED]
[EMAIL PROTECTED] (0)
ipsec0->eth0 mtu=16260(1500)->1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=10.0.2.1
iv_bits=64bits iv=0x8e28acf0eb8ca96c ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=10.0.2.1
iv_bits=64bits iv=0xfaed8c6c0453e7db ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1964,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.1.1
iv_bits=64bits iv=0x18fe4c10d44f02c9 ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.1.1
iv_bits=64bits iv=0x6bbfd723ad45c6b9 ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1964,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=10.0.2.1 life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.1.1 life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=10.0.2.1 life(c,s,h)=add(1964,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.1.1 life(c,s,h)=add(1964,0,0)
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.1.254 0.0.0.0 UG 0 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.2.0 10.0.1.254 255.255.255.0 UG 0 0 0 ipsec0
******************
ipsec look (Test2)
******************
Test2 Mon Jan 28 11:43:57 UTC 2002
192.168.2.0/24 -> 192.168.1.0/24 => [EMAIL PROTECTED]
[EMAIL PROTECTED] (0)
ipsec0->eth0 mtu=16260(1500)->1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.2.1
iv_bits=64bits iv=0x4204f73025065792 ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.2.1
iv_bits=64bits iv=0x0e8c02f2a43ad0f7 ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1004,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=10.0.1.1
iv_bits=64bits iv=0x8c7c041f0837e6ba ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=10.0.1.1
iv_bits=64bits iv=0xb45b371314481270 ooowin=64 alen=128 aklen=128 eklen=192
life(c,s,h)=add(1004,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=10.0.1.1 life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.2.1 life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=10.0.1.1 life(c,s,h)=add(1004,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.2.1 life(c,s,h)=add(1004,0,0)
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.2.254 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.1.0 10.0.2.254 255.255.255.0 UG 0 0 0 ipsec0
***************************
ipsec auto --status (Test1)
***************************
000 interface ipsec0/eth0 10.0.1.1
000
000 "vpntest": 192.168.1.0/24===10.0.1.1---10.0.1.254...
000 "vpntest": ...10.0.2.254---10.0.2.1===192.168.2.0/24
000 "vpntest": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "vpntest": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "vpntest": newest ISAKMP SA: #3; newest IPsec SA: #4; eroute owner: #4
000
000 #2: "vpntest" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 26089s
000 #2: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "vpntest" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
in 647s
000 #4: "vpntest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE
in 26584s; newest IPSEC; eroute owner
000 #4: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
000 #3: "vpntest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 1384s; newest ISAKMP
***************************
ipsec auto --status (Test2)
***************************
000 interface ipsec0/eth0 10.0.2.1
000
000 "vpntest": 192.168.2.0/24===10.0.2.1---10.0.2.254...
000 "vpntest": ...10.0.1.254---10.0.1.1===192.168.1.0/24
000 "vpntest": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "vpntest": policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "vpntest": newest ISAKMP SA: #1; newest IPsec SA: #4; eroute owner: #4
000
000 #3: "vpntest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE
in 27540s
000 #3: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
000 #2: "vpntest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 2340s
000 #4: "vpntest" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27072s; newest IPSEC; eroute owner
000 #4: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "vpntest" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
in 1630s; newest ISAKMP
*******************
netstat -nr (Test1)
*******************
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.2.0 10.0.1.254 255.255.255.0 UG 0 0 0 ipsec0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 10.0.1.254 0.0.0.0 UG 0 0 0 eth0
*******************
netstat -nr (Test2)
*******************
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 10.0.2.254 255.255.255.0 UG 0 0 0 ipsec0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
0.0.0.0 10.0.2.254 0.0.0.0 UG 0 0 0 eth0
****************
ifconfig (Test1)
****************
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec0 Link encap:Ethernet HWaddr 00:04:76:CD:01:E0
inet addr:10.0.1.1 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
eth0 Link encap:Ethernet HWaddr 00:04:76:CD:01:E0
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:10 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 00:04:76:73:2A:98
inet addr:192.168.1.250 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:11 Base address:0xb800
****************
ifconfig (Test2)
****************
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:21 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
ipsec0 Link encap:Ethernet HWaddr 00:60:08:04:66:E4
inet addr:10.0.2.1 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
eth0 Link encap:Ethernet HWaddr 00:60:08:04:66:E4
inet addr:10.0.2.1 Bcast:10.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:559 errors:0 dropped:0 overruns:0 frame:0
TX packets:586 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:10 Base address:0xfe80
eth1 Link encap:Ethernet HWaddr 00:60:08:53:8B:F9
inet addr:192.168.2.250 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
Collisions:0
Interrupt:11 Base address:0xfd80
**********************
ipchains -L -n (Test1)
**********************
Chain input (policy DENY):
target prot opt source destination ports
ACCEPT 51 ------ 10.0.2.1 10.0.1.1 n/a
ACCEPT 50 ------ 10.0.2.1 10.0.1.1 n/a
ACCEPT 51 ------ 10.0.2.1 10.0.1.1 n/a
ACCEPT 50 ------ 10.0.2.1 10.0.1.1 n/a
ACCEPT 51 ------ 0.0.0.0/0 10.0.1.1 n/a
ACCEPT 50 ------ 0.0.0.0/0 10.0.1.1 n/a
ACCEPT udp ------ 0.0.0.0/0 10.0.1.1 500 -> 500
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5 -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 13 -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 14 -> *
DENY all ----l- 0.0.0.0 0.0.0.0/0 n/a
DENY all ----l- 255.255.255.255 0.0.0.0/0 n/a
DENY all ----l- 127.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 224.0.0.0/4 0.0.0.0/0 n/a
DENY all ----l- 172.16.0.0/12 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 128.0.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 191.255.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 192.0.0.0/24 0.0.0.0/0 n/a
DENY all ----l- 223.255.255.0/24 0.0.0.0/0 n/a
DENY all ----l- 240.0.0.0/4 0.0.0.0/0 n/a
DENY all ----l- 192.168.1.0/24 0.0.0.0/0 n/a
DENY all ----l- 10.0.1.1 0.0.0.0/0 n/a
REJECT all ----l- 0.0.0.0/0 127.0.0.0/8 n/a
REJECT all ----l- 0.0.0.0/0 192.168.1.0/24 n/a
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 138:139
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 138
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 137:138
-> *
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 137:139
-> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 113
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 1024:65535
REJECT udp ----l- 0.0.0.0/0 0.0.0.0/0 *
-> 161:162
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 53
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 68
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 67
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 1024:65535
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
ACCEPT ospf ------ 0.0.0.0/0 0.0.0.0/0 n/a
ACCEPT 50 ------ 0.0.0.0/0 10.0.1.1 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
REJECT udp ----l- 0.0.0.0/0 0.0.0.0/0 *
-> 161:162
REJECT udp ----l- 0.0.0.0/0 0.0.0.0/0 161:162
-> *
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
MASQ 51 ------ 0.0.0.0/0 0.0.0.0/0 n/a
MASQ 50 ------ 0.0.0.0/0 0.0.0.0/0 n/a
MASQ udp ------ 0.0.0.0/0 0.0.0.0/0 500 -> 500
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5 -> *
MASQ all ------ 192.168.1.0/24 0.0.0.0/0 n/a
DENY all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY):
target prot opt source destination ports
ACCEPT 51 ------ 10.0.1.1 0.0.0.0/0 n/a
ACCEPT 50 ------ 10.0.1.1 0.0.0.0/0 n/a
ACCEPT udp ------ 10.0.1.1 0.0.0.0/0 500 -> 500
fairq all ------ 0.0.0.0/0 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0 0.0.0.0/0 n/a
DENY all ----l- 255.255.255.255 0.0.0.0/0 n/a
DENY all ----l- 127.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 224.0.0.0/4 0.0.0.0/0 n/a
DENY all ----l- 172.16.0.0/12 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 128.0.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 191.255.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 192.0.0.0/24 0.0.0.0/0 n/a
DENY all ----l- 223.255.255.0/24 0.0.0.0/0 n/a
DENY all ----l- 240.0.0.0/4 0.0.0.0/0 n/a
DENY all ------ 192.168.1.0/24 0.0.0.0/0 n/a
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 138:139
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 138
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 137:138
-> *
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 137:139
-> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain fairq (1 references):
target prot opt source destination ports
RETURN ospf ------ 0.0.0.0/0 0.0.0.0/0 n/a
RETURN ospf ------ 0.0.0.0/0 0.0.0.0/0 n/a
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 520
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 520 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 179
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 179 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 53
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 53 -> *
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 53
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 53 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 23
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 23 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 22
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 22 -> *
**********************
ipchains -L -n (Test2)
**********************
Chain input (policy DENY):
target prot opt source destination ports
ACCEPT 51 ------ 10.0.1.1 10.0.2.1 n/a
ACCEPT 50 ------ 10.0.1.1 10.0.2.1 n/a
ACCEPT 51 ------ 10.0.1.1 10.0.2.1 n/a
ACCEPT 50 ------ 10.0.1.1 10.0.2.1 n/a
ACCEPT 51 ------ 0.0.0.0/0 10.0.2.1 n/a
ACCEPT 50 ------ 0.0.0.0/0 10.0.2.1 n/a
ACCEPT udp ------ 0.0.0.0/0 10.0.2.1 500 -> 500
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5 -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 13 -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 14 -> *
DENY all ----l- 0.0.0.0 0.0.0.0/0 n/a
DENY all ----l- 255.255.255.255 0.0.0.0/0 n/a
DENY all ----l- 127.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 224.0.0.0/4 0.0.0.0/0 n/a
DENY all ----l- 172.16.0.0/12 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 128.0.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 191.255.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 192.0.0.0/24 0.0.0.0/0 n/a
DENY all ----l- 223.255.255.0/24 0.0.0.0/0 n/a
DENY all ----l- 240.0.0.0/4 0.0.0.0/0 n/a
DENY all ----l- 192.168.2.0/24 0.0.0.0/0 n/a
DENY all ----l- 10.0.2.1 0.0.0.0/0 n/a
REJECT all ----l- 0.0.0.0/0 127.0.0.0/8 n/a
REJECT all ----l- 0.0.0.0/0 192.168.2.0/24 n/a
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 138:139
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 138
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 137:138
-> *
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 137:139
-> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 113
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 1024:65535
REJECT udp ----l- 0.0.0.0/0 0.0.0.0/0 *
-> 161:162
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 53
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 68
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 500
DENY udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 67
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 1024:65535
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
ACCEPT ospf ------ 0.0.0.0/0 0.0.0.0/0 n/a
ACCEPT 50 ------ 0.0.0.0/0 10.0.2.1 n/a
DENY all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
REJECT udp ----l- 0.0.0.0/0 0.0.0.0/0 *
-> 161:162
REJECT udp ----l- 0.0.0.0/0 0.0.0.0/0 161:162
-> *
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
MASQ 51 ------ 0.0.0.0/0 0.0.0.0/0 n/a
MASQ 50 ------ 0.0.0.0/0 0.0.0.0/0 n/a
MASQ udp ------ 0.0.0.0/0 0.0.0.0/0 500 -> 500
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5 -> *
MASQ all ------ 192.168.2.0/24 0.0.0.0/0 n/a
DENY all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY):
target prot opt source destination ports
ACCEPT 51 ------ 10.0.2.1 0.0.0.0/0 n/a
ACCEPT 50 ------ 10.0.2.1 0.0.0.0/0 n/a
ACCEPT udp ------ 10.0.2.1 0.0.0.0/0 500 -> 500
fairq all ------ 0.0.0.0/0 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0 0.0.0.0/0 n/a
DENY all ----l- 255.255.255.255 0.0.0.0/0 n/a
DENY all ----l- 127.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 224.0.0.0/4 0.0.0.0/0 n/a
DENY all ----l- 172.16.0.0/12 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0/8 0.0.0.0/0 n/a
DENY all ----l- 128.0.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 191.255.0.0/16 0.0.0.0/0 n/a
DENY all ----l- 192.0.0.0/24 0.0.0.0/0 n/a
DENY all ----l- 223.255.255.0/24 0.0.0.0/0 n/a
DENY all ----l- 240.0.0.0/4 0.0.0.0/0 n/a
DENY all ------ 192.168.2.0/24 0.0.0.0/0 n/a
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 137
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 135
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 *
-> 138:139
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 138
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 137:138
-> *
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 137:139
-> *
REJECT tcp ------ 0.0.0.0/0 0.0.0.0/0 135 -> *
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain fairq (1 references):
target prot opt source destination ports
RETURN ospf ------ 0.0.0.0/0 0.0.0.0/0 n/a
RETURN ospf ------ 0.0.0.0/0 0.0.0.0/0 n/a
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 520
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 520 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 179
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 179 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 53
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 53 -> *
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 53
RETURN udp ------ 0.0.0.0/0 0.0.0.0/0 53 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 23
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 23 -> *
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 22
RETURN tcp ------ 0.0.0.0/0 0.0.0.0/0 22 -> *
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
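The figures in the post (SA established, but ipsec0 and eth1 counters on Test1 still at zero) can be checked mechanically. The script below is an added example, not part of the original post or of the Dachstein/FreeS/WAN distribution: it parses netstat -nr, ifconfig and ipchains -L -n text and runs the usual "SA up, no data" checks; the function names are assumptions and the sample data is the Test1 output from the post, abridged to the relevant lines.

```python
# Added example: checks on a FreeS/WAN (KLIPS) site-to-site gateway whose SA is up
# but which passes no traffic.  Sample data is abridged from the Test1 figures.
import re

def parse_routes(text):
    """netstat -nr text -> list of (destination, gateway, genmask, iface)."""
    rows = [ln.split() for ln in text.splitlines()]
    return [(f[0], f[1], f[2], f[7]) for f in rows if len(f) == 8 and f[0][0].isdigit()]

def parse_ifconfig(text):
    """ifconfig text -> {iface: (rx_packets, tx_packets)}."""
    stats, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"(\S+)\s+Link encap", line)
        pk = re.search(r"(RX|TX) packets:(\d+)", line)
        if head:
            cur = stats.setdefault(head.group(1), [0, 0])
        elif pk and cur is not None:
            cur[pk.group(1) == "TX"] = int(pk.group(2))  # index 0 = RX, 1 = TX
    return {k: tuple(v) for k, v in stats.items()}

def forward_accepts(text, src, dst):
    """True if the ipchains 'forward' chain holds an ACCEPT rule for src -> dst."""
    in_fwd = False
    for f in (ln.split() for ln in text.splitlines()):
        if f[:1] == ["Chain"]:
            in_fwd = f[1] == "forward"
        elif in_fwd and f[:1] + f[3:5] == ["ACCEPT", src, dst]:
            return True
    return False

def tunnel_checks(routes, ifstats, chains, lan_if, local_subnet, remote_subnet):
    """Named checks on the LAN-to-LAN path through ipsec0; True means it passed."""
    remote_net = remote_subnet.split("/")[0]
    return {  # KLIPS only encrypts what the routing table steers into ipsec0
        "remote_subnet_routed_via_ipsec0":
            any(d == remote_net and i == "ipsec0" for d, _, _, i in routes),
        # RX 0 on the LAN side means the client's packets never reached the gateway
        "lan_interface_received_packets": ifstats.get(lan_if, (0, 0))[0] > 0,
        # TX 0 on ipsec0 means nothing was handed to the tunnel for encapsulation
        "ipsec0_transmitted_packets": ifstats.get("ipsec0", (0, 0))[1] > 0,
        "forward_local_to_remote": forward_accepts(chains, local_subnet, remote_subnet),
        "forward_remote_to_local": forward_accepts(chains, remote_subnet, local_subnet),
    }

TEST1_ROUTES = """\
192.168.2.0 10.0.1.254 255.255.255.0 UG 0 0 0 ipsec0
0.0.0.0 10.0.1.254 0.0.0.0 UG 0 0 0 eth0
"""
TEST1_IFCONFIG = """\
ipsec0 Link encap:Ethernet HWaddr 00:04:76:CD:01:E0
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
eth1 Link encap:Ethernet HWaddr 00:04:76:73:2A:98
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""
TEST1_CHAINS = """\
Chain forward (policy DENY):
target prot opt source destination ports
ACCEPT all ------ 192.168.2.0/24 192.168.1.0/24 n/a
ACCEPT all ------ 192.168.1.0/24 192.168.2.0/24 n/a
"""

def check_test1():
    return tunnel_checks(parse_routes(TEST1_ROUTES), parse_ifconfig(TEST1_IFCONFIG),
                         TEST1_CHAINS, "eth1", "192.168.1.0/24", "192.168.2.0/24")
```

On the Test1 figures the route and forward-chain checks pass while both counter checks fail, which narrows the search to the hop between the client and the gateway's LAN interface rather than to the SA itself.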