I am trying to get a working version of an IPsec tunnel between two Dachstein CD 1.0.2 gateways (Test1 and Test2) and their subnets. I have created a test system as suggested in the FreeS/WAN documentation (see diagram below). A Security Association appears to be established between Test1 and Test2; however, no data will pass through the tunnel (i.e. the Windows browser cannot connect to the BOA httpd).
Included below are the contents of "/etc/ipsec.conf" (Test1 and Test2 are identical except for the values of eth0 and eth1). I have also included the outputs of "ipsec look", "ipsec auto --status", "netstat -nr", "ifconfig", and "ipchains -L -n" for each system after the SA was established. Can anyone help me find my problem?

Thanks in advance,
Phil Faris

--------------------- DATA ----------------------------

        -------------------------
        | Windows PC w/ Browser |     192.168.1.0/24 subnet
        |     192.168.1.230     |
        |                       |
        -------------------------
                   |
         |____________________|
                   |
        -------------------------
        | eth1 -->192.168.1.250 |
        |   Dachstein CD 1.0.2  |
        |        (Test1)        |
        | eth0--->10.0.1.1      |
        -------------------------
                   |
                   |
        -------------------------
        | eth0--->10.0.1.254    |
        |   Dachstein CD 1.0.2  |
        |        (Router)       |
        | eth1--->10.0.2.254    |
        -------------------------
                   |
                   |
        -------------------------
        | eth0--->10.0.2.1      |
        |   Dachstein CD 1.0.2  |
        |        (Test2)        |
        | eth1--->192.168.2.250 |
        -------------------------
         |____________________ |
                   |
        -------------------------
        | eth1--->192.168.2.10  |
        |   Eigerstein w/BOA    |     192.168.2.0/24 subnet
        -------------------------
           (working BOA httpd)

*************** /etc/ipsec.conf (identical for Test1 and Test2) ***************

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        #uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        #authby=rsasig
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
#conn me-to-anyone
        #left=%defaultroute
        #right=%opportunistic
        # uncomment to enable incoming; change to auto=route for outgoing
        #auto=add

# sample VPN connection
conn vpntest
        type=tunnel
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.1.1
        leftsubnet=192.168.1.0/24
        leftnexthop=10.0.1.254
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.0.2.1
        rightsubnet=192.168.2.0/24
        rightnexthop=10.0.2.254
        rightfirewall=yes
        # To authorize this connection, but not actually start it, at startup,
        auto=start
        authby=secret

****************** ipsec look (Test1) ******************

Test1 Mon Jan 28 12:00:05 UTC 2002
192.168.1.0/24 -> 192.168.2.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] (0)
ipsec0->eth0 mtu=16260(1500)->1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in  src=10.0.2.1 iv_bits=64bits iv=0x8e28acf0eb8ca96c ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in  src=10.0.2.1 iv_bits=64bits iv=0xfaed8c6c0453e7db ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1964,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.1.1 iv_bits=64bits iv=0x18fe4c10d44f02c9 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.1.1 iv_bits=64bits iv=0x6bbfd723ad45c6b9 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1964,0,0)
[EMAIL PROTECTED] IPIP: dir=in  src=10.0.2.1 life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.1.1 life(c,s,h)=add(1977,0,0)
[EMAIL PROTECTED] IPIP: dir=in  src=10.0.2.1 life(c,s,h)=add(1964,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.1.1 life(c,s,h)=add(1964,0,0)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.1.254      0.0.0.0         UG        0 0          0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.2.0     10.0.1.254      255.255.255.0   UG        0 0          0 ipsec0

****************** ipsec look (Test2) ******************

Test2 Mon Jan 28 11:43:57 UTC 2002
192.168.2.0/24 -> 192.168.1.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] (0)
ipsec0->eth0 mtu=16260(1500)->1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.2.1 iv_bits=64bits iv=0x4204f73025065792 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=10.0.2.1 iv_bits=64bits iv=0x0e8c02f2a43ad0f7 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1004,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in  src=10.0.1.1 iv_bits=64bits iv=0x8c7c041f0837e6ba ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in  src=10.0.1.1 iv_bits=64bits iv=0xb45b371314481270 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(1004,0,0)
[EMAIL PROTECTED] IPIP: dir=in  src=10.0.1.1 life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.2.1 life(c,s,h)=add(1018,0,0)
[EMAIL PROTECTED] IPIP: dir=in  src=10.0.1.1 life(c,s,h)=add(1004,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=10.0.2.1 life(c,s,h)=add(1004,0,0)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.254      0.0.0.0         UG        0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.1.0     10.0.2.254      255.255.255.0   UG        0 0          0 ipsec0

*************************** ipsec auto --status (Test1) ***************************

000 interface ipsec0/eth0 10.0.1.1
000
000 "vpntest": 192.168.1.0/24===10.0.1.1---10.0.1.254...
000 "vpntest": ...10.0.2.254---10.0.2.1===192.168.2.0/24
000 "vpntest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpntest":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "vpntest":   newest ISAKMP SA: #3; newest IPsec SA: #4; eroute owner: #4
000
000 #2: "vpntest" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26089s
000 #2: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "vpntest" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 647s
000 #4: "vpntest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 26584s; newest IPSEC; eroute owner
000 #4: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #3: "vpntest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1384s; newest ISAKMP

*************************** ipsec auto --status (Test2) ***************************

000 interface ipsec0/eth0 10.0.2.1
000
000 "vpntest": 192.168.2.0/24===10.0.2.1---10.0.2.254...
000 "vpntest": ...10.0.1.254---10.0.1.1===192.168.1.0/24
000 "vpntest":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpntest":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "vpntest":   newest ISAKMP SA: #1; newest IPsec SA: #4; eroute owner: #4
000
000 #3: "vpntest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27540s
000 #3: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #2: "vpntest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2340s
000 #4: "vpntest" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27072s; newest IPSEC; eroute owner
000 #4: "vpntest" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "vpntest" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1630s; newest ISAKMP

******************* netstat -nr (Test1) *******************

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.2.0     10.0.1.254      255.255.255.0   UG        0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         10.0.1.254      0.0.0.0         UG        0 0          0 eth0

******************* netstat -nr (Test2) *******************

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     10.0.2.254      255.255.255.0   UG        0 0          0 ipsec0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
0.0.0.0         10.0.2.254      0.0.0.0         UG        0 0          0 eth0

**************** ifconfig (Test1) ****************

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec0    Link encap:Ethernet  HWaddr 00:04:76:CD:01:E0
          inet addr:10.0.1.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:04:76:CD:01:E0
          inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:10 Base address:0xd000

eth1      Link encap:Ethernet  HWaddr 00:04:76:73:2A:98
          inet addr:192.168.1.250  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:11 Base address:0xb800

**************** ifconfig (Test2) ****************

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec0    Link encap:Ethernet  HWaddr 00:60:08:04:66:E4
          inet addr:10.0.2.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:60:08:04:66:E4
          inet addr:10.0.2.1  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:559 errors:0 dropped:0 overruns:0 frame:0
          TX packets:586 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:10 Base address:0xfe80

eth1      Link encap:Ethernet  HWaddr 00:60:08:53:8B:F9
          inet addr:192.168.2.250  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:11 Base address:0xfd80

********************** ipchains -L -n (Test1) **********************

Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     51   ------  10.0.2.1              10.0.1.1              n/a
ACCEPT     50   ------  10.0.2.1              10.0.1.1              n/a
ACCEPT     51   ------  10.0.2.1              10.0.1.1              n/a
ACCEPT     50   ------  10.0.2.1              10.0.1.1              n/a
ACCEPT     51   ------  0.0.0.0/0             10.0.1.1              n/a
ACCEPT     50   ------  0.0.0.0/0             10.0.1.1              n/a
ACCEPT     udp  ------  0.0.0.0/0             10.0.1.1              500 ->   500
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             5 ->   *
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             13 ->   *
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             14 ->   *
DENY       all  ----l-  0.0.0.0               0.0.0.0/0             n/a
DENY       all  ----l-  255.255.255.255       0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8           0.0.0.0/0             n/a
DENY       all  ----l-  224.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ----l-  172.16.0.0/12         0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/8             0.0.0.0/0             n/a
DENY       all  ----l-  128.0.0.0/16          0.0.0.0/0             n/a
DENY       all  ----l-  191.255.0.0/16        0.0.0.0/0             n/a
DENY       all  ----l-  192.0.0.0/24          0.0.0.0/0             n/a
DENY       all  ----l-  223.255.255.0/24      0.0.0.0/0             n/a
DENY       all  ----l-  240.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ----l-  192.168.1.0/24        0.0.0.0/0             n/a
DENY       all  ----l-  10.0.1.1              0.0.0.0/0             n/a
REJECT     all  ----l-  0.0.0.0/0             127.0.0.0/8           n/a
REJECT     all  ----l-  0.0.0.0/0             192.168.1.0/24        n/a
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138:139
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             137:138 ->   *
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             137:139 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   113
ACCEPT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   1024:65535
REJECT     udp  ----l-  0.0.0.0/0             0.0.0.0/0             * ->   161:162
ACCEPT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   53
ACCEPT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   68
DENY       udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   67
ACCEPT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   1024:65535
ACCEPT     icmp ------  0.0.0.0/0             0.0.0.0/0             * ->   *
ACCEPT     ospf ------  0.0.0.0/0             0.0.0.0/0             n/a
ACCEPT     50   ------  0.0.0.0/0             10.0.1.1              n/a
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a
REJECT     udp  ----l-  0.0.0.0/0             0.0.0.0/0             * ->   161:162
REJECT     udp  ----l-  0.0.0.0/0             0.0.0.0/0             161:162 ->   *
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a

Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.2.0/24        192.168.1.0/24        n/a
ACCEPT     all  ------  192.168.1.0/24        192.168.2.0/24        n/a
ACCEPT     all  ------  192.168.2.0/24        192.168.1.0/24        n/a
ACCEPT     all  ------  192.168.1.0/24        192.168.2.0/24        n/a
MASQ       51   ------  0.0.0.0/0             0.0.0.0/0             n/a
MASQ       50   ------  0.0.0.0/0             0.0.0.0/0             n/a
MASQ       udp  ------  0.0.0.0/0             0.0.0.0/0             500 ->   500
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             5 ->   *
MASQ       all  ------  192.168.1.0/24        0.0.0.0/0             n/a
DENY       all  ------  0.0.0.0/0             0.0.0.0/0             n/a

Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     51   ------  10.0.1.1              0.0.0.0/0             n/a
ACCEPT     50   ------  10.0.1.1              0.0.0.0/0             n/a
ACCEPT     udp  ------  10.0.1.1              0.0.0.0/0             500 ->   500
fairq      all  ------  0.0.0.0/0             0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0               0.0.0.0/0             n/a
DENY       all  ----l-  255.255.255.255       0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8           0.0.0.0/0             n/a
DENY       all  ----l-  224.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ----l-  172.16.0.0/12         0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/8             0.0.0.0/0             n/a
DENY       all  ----l-  128.0.0.0/16          0.0.0.0/0             n/a
DENY       all  ----l-  191.255.0.0/16        0.0.0.0/0             n/a
DENY       all  ----l-  192.0.0.0/24          0.0.0.0/0             n/a
DENY       all  ----l-  223.255.255.0/24      0.0.0.0/0             n/a
DENY       all  ----l-  240.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ------  192.168.1.0/24        0.0.0.0/0             n/a
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138:139
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             137:138 ->   *
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             137:139 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a

Chain fairq (1 references):
target     prot opt     source                destination           ports
RETURN     ospf ------  0.0.0.0/0             0.0.0.0/0             n/a
RETURN     ospf ------  0.0.0.0/0             0.0.0.0/0             n/a
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   520
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             520 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   179
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             179 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   53
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             53 ->   *
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   53
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             53 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   23
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             23 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   22
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             22 ->   *

********************** ipchains -L -n (Test2) **********************

Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     51   ------  10.0.1.1              10.0.2.1              n/a
ACCEPT     50   ------  10.0.1.1              10.0.2.1              n/a
ACCEPT     51   ------  10.0.1.1              10.0.2.1              n/a
ACCEPT     50   ------  10.0.1.1              10.0.2.1              n/a
ACCEPT     51   ------  0.0.0.0/0             10.0.2.1              n/a
ACCEPT     50   ------  0.0.0.0/0             10.0.2.1              n/a
ACCEPT     udp  ------  0.0.0.0/0             10.0.2.1              500 ->   500
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             5 ->   *
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             13 ->   *
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             14 ->   *
DENY       all  ----l-  0.0.0.0               0.0.0.0/0             n/a
DENY       all  ----l-  255.255.255.255       0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8           0.0.0.0/0             n/a
DENY       all  ----l-  224.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ----l-  172.16.0.0/12         0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/8             0.0.0.0/0             n/a
DENY       all  ----l-  128.0.0.0/16          0.0.0.0/0             n/a
DENY       all  ----l-  191.255.0.0/16        0.0.0.0/0             n/a
DENY       all  ----l-  192.0.0.0/24          0.0.0.0/0             n/a
DENY       all  ----l-  223.255.255.0/24      0.0.0.0/0             n/a
DENY       all  ----l-  240.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ----l-  192.168.2.0/24        0.0.0.0/0             n/a
DENY       all  ----l-  10.0.2.1              0.0.0.0/0             n/a
REJECT     all  ----l-  0.0.0.0/0             127.0.0.0/8           n/a
REJECT     all  ----l-  0.0.0.0/0             192.168.2.0/24        n/a
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138:139
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             137:138 ->   *
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             137:139 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   113
ACCEPT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   1024:65535
REJECT     udp  ----l-  0.0.0.0/0             0.0.0.0/0             * ->   161:162
ACCEPT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   53
ACCEPT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   68
ACCEPT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   500
DENY       udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   67
ACCEPT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   1024:65535
ACCEPT     icmp ------  0.0.0.0/0             0.0.0.0/0             * ->   *
ACCEPT     ospf ------  0.0.0.0/0             0.0.0.0/0             n/a
ACCEPT     50   ------  0.0.0.0/0             10.0.2.1              n/a
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a
REJECT     udp  ----l-  0.0.0.0/0             0.0.0.0/0             * ->   161:162
REJECT     udp  ----l-  0.0.0.0/0             0.0.0.0/0             161:162 ->   *
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a

Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.1.0/24        192.168.2.0/24        n/a
ACCEPT     all  ------  192.168.2.0/24        192.168.1.0/24        n/a
ACCEPT     all  ------  192.168.1.0/24        192.168.2.0/24        n/a
ACCEPT     all  ------  192.168.2.0/24        192.168.1.0/24        n/a
MASQ       51   ------  0.0.0.0/0             0.0.0.0/0             n/a
MASQ       50   ------  0.0.0.0/0             0.0.0.0/0             n/a
MASQ       udp  ------  0.0.0.0/0             0.0.0.0/0             500 ->   500
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             5 ->   *
MASQ       all  ------  192.168.2.0/24        0.0.0.0/0             n/a
DENY       all  ------  0.0.0.0/0             0.0.0.0/0             n/a

Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     51   ------  10.0.2.1              0.0.0.0/0             n/a
ACCEPT     50   ------  10.0.2.1              0.0.0.0/0             n/a
ACCEPT     udp  ------  10.0.2.1              0.0.0.0/0             500 ->   500
fairq      all  ------  0.0.0.0/0             0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0               0.0.0.0/0             n/a
DENY       all  ----l-  255.255.255.255       0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8           0.0.0.0/0             n/a
DENY       all  ----l-  224.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ----l-  172.16.0.0/12         0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/8             0.0.0.0/0             n/a
DENY       all  ----l-  128.0.0.0/16          0.0.0.0/0             n/a
DENY       all  ----l-  191.255.0.0/16        0.0.0.0/0             n/a
DENY       all  ----l-  192.0.0.0/24          0.0.0.0/0             n/a
DENY       all  ----l-  223.255.255.0/24      0.0.0.0/0             n/a
DENY       all  ----l-  240.0.0.0/4           0.0.0.0/0             n/a
DENY       all  ------  192.168.2.0/24        0.0.0.0/0             n/a
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   137
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   135
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138:139
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   138
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             137:138 ->   *
REJECT     udp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             137:139 ->   *
REJECT     tcp  ------  0.0.0.0/0             0.0.0.0/0             135 ->   *
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a

Chain fairq (1 references):
target     prot opt     source                destination           ports
RETURN     ospf ------  0.0.0.0/0             0.0.0.0/0             n/a
RETURN     ospf ------  0.0.0.0/0             0.0.0.0/0             n/a
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   520
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             520 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   179
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             179 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   53
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             53 ->   *
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             * ->   53
RETURN     udp  ------  0.0.0.0/0             0.0.0.0/0             53 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   23
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             23 ->   *
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * ->   22
RETURN     tcp  ------  0.0.0.0/0             0.0.0.0/0             22 ->   *

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
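The dumps in the post above are exactly the inputs a gateway-side packet-path check needs: a KLIPS tunnel only carries traffic if the conn's subnets, the eroute, the kernel route into ipsec0, the ipchains forward chain and the interface counters all line up. The script below walks those hops in order and reports the first one that fails. It is an added example, not code from the post, LEAF or FreeS/WAN; the sample dumps are constructed from the Test1 values quoted above (the SPI field of the eroute line is a placeholder because the post's copy is redacted), and the check names and messages are this example's own.

```python
"""Packet-path consistency check for a FreeS/WAN (KLIPS) gateway.
Added example, not from the original post or from LEAF/FreeS/WAN. The sample
dumps are constructed from the post's Test1 values; the eroute SPI field is a
placeholder because the post's copy is redacted. Check names are this example's."""
import re
from ipaddress import ip_network

IPSEC_CONF = """\
conn vpntest
    left=10.0.1.1
    leftsubnet=192.168.1.0/24
    right=10.0.2.1
    rightsubnet=192.168.2.0/24
"""
IPSEC_LOOK = """\
192.168.1.0/24 -> 192.168.2.0/24 => <SPI-placeholder> (0)
ipsec0->eth0 mtu=16260(1500)->1500
"""
NETSTAT = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.1.0        0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.2.0     10.0.1.254      255.255.255.0   UG        0 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""
IPCHAINS_FORWARD = """\
Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.2.0/24        192.168.1.0/24        n/a
ACCEPT     all  ------  192.168.1.0/24        192.168.2.0/24        n/a
DENY       all  ------  0.0.0.0/0             0.0.0.0/0             n/a
"""
IFCONFIG = """\
ipsec0    Link encap:Ethernet  HWaddr 00:04:76:CD:01:E0
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
eth1      Link encap:Ethernet  HWaddr 00:04:76:73:2A:98
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""

def parse_conn(conf, name):
    """Key=value settings of the indented lines under 'conn <name>'."""
    block = re.search(r"^conn %s\n((?:[ \t]+.*\n)+)" % re.escape(name), conf, re.M)
    return dict(l.strip().split("=", 1) for l in block.group(1).splitlines()
                if "=" in l and not l.lstrip().startswith("#"))

def parse_eroutes(look):
    """(src_subnet, dst_subnet) pairs from the eroute lines of 'ipsec look'."""
    return re.findall(r"(\S+)\s+->\s+(\S+)\s+=>", look)

def parse_routes(netstat):
    """(destination, gateway, genmask, iface) rows of 'netstat -nr'."""
    rows = [l.split() for l in netstat.splitlines()]
    return [(f[0], f[1], f[2], f[7]) for f in rows if len(f) == 8 and f[0][0].isdigit()]

def parse_chain(listing):
    """(target, proto, source, destination) rows of 'ipchains -L -n'."""
    rows = [l.split() for l in listing.splitlines()]
    return [(f[0], f[1], f[3], f[4]) for f in rows
            if len(f) >= 5 and f[0] in ("ACCEPT", "DENY", "REJECT", "MASQ")]

def parse_counters(ifconfig):
    """interface -> {'rx': packets, 'tx': packets} from ifconfig output."""
    counters, cur = {}, None
    for line in ifconfig.splitlines():
        if line and not line[0].isspace():
            cur = counters.setdefault(line.split()[0], {})
        for direction, n in re.findall(r"(RX|TX) packets:(\d+)", line):
            cur[direction.lower()] = int(n)
    return counters

def diagnose(conf, conn, look, netstat, forward, ifconfig, lan_if):
    """Check each hop of the path LAN -> forward chain -> route -> eroute -> ipsec0."""
    c = parse_conn(conf, conn)
    local, remote = ip_network(c["leftsubnet"]), ip_network(c["rightsubnet"])
    counters = parse_counters(ifconfig)
    # The first forward rule matching local -> remote decides; no match means policy DENY.
    verdicts = [t for t, _p, s, d in parse_chain(forward)
                if local.subnet_of(ip_network(s)) and remote.subnet_of(ip_network(d))]
    return {
        # LAN-side RX shows whether client packets reached the gateway at all.
        "lan_rx": counters.get(lan_if, {}).get("rx", 0) > 0,
        "forward_accept": bool(verdicts) and verdicts[0] == "ACCEPT",
        # The kernel route for the remote subnet must point into ipsec0.
        "route_via_ipsec0": any(ip_network(f"{d}/{m}", strict=False) == remote and i == "ipsec0"
                                for d, _g, m, i in parse_routes(netstat)),
        # An established SA is not enough: KLIPS needs an eroute for this subnet pair.
        "eroute": any(ip_network(s) == local and ip_network(d) == remote
                      for s, d in parse_eroutes(look)),
        # ipsec0 TX shows whether anything was actually handed to the tunnel.
        "tunnel_tx": counters.get("ipsec0", {}).get("tx", 0) > 0,
    }

def failures(checks):
    """Explain every failed check, in path order."""
    text = {"lan_rx": "LAN interface received 0 packets: client traffic never reached the gateway",
            "forward_accept": "forward chain does not ACCEPT local -> remote",
            "route_via_ipsec0": "remote subnet is not routed into ipsec0",
            "eroute": "no KLIPS eroute for local -> remote: packets would not be encapsulated",
            "tunnel_tx": "ipsec0 sent 0 packets: nothing was routed into the tunnel"}
    return [text[n] for n, ok in checks.items() if not ok]

if __name__ == "__main__":
    print(failures(diagnose(IPSEC_CONF, "vpntest", IPSEC_LOOK, NETSTAT, IPCHAINS_FORWARD, IFCONFIG, "eth1")))
```

Run against the Test1 sample, the forward rule, the route into ipsec0 and the eroute all pass, and the only failed checks are the two counters: eth1 has received nothing and ipsec0 has sent nothing. Reading the hops in this order keeps the IPsec layer from being blamed for packets that never arrived at the gateway, which is why the counters are checked before the SA state. On a live gateway the same functions can be fed the real outputs of `ipsec look`, `netstat -nr`, `ipchains -L -n` and `ifconfig` instead of the constructed strings.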