The command iptables -p 50 -j ACCEPT will not let the traffic from the ipsec server behind the firewall pass, nor any traffic related to port 50 (tcp).

I suggest specifically issuing the following rules:

    iptables -t nat -A PREROUTING -s ipsec_client -p tcp --dport fw_nat_conn_port -j DNAT --to ipsec_server
    iptables -t nat -A POSTROUTING -s ipsec_server -d ipsec_client -j SNAT --to fw_ip
    iptables -A INPUT ! -s ipsec_client -p tcp --dport fw_nat_conn_port -j DROP
    iptables -A FORWARD -s ipsec_server ! -d ipsec_client -j DROP

The traffic should occur on the ipsec0 or ipsecN interfaces, respectively.

Martin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Stack
Sent: 25 February 2002 22:23
To: Nate Eldredge
Cc: [EMAIL PROTECTED]
Subject: RE: ipsec and iptables

No. Not yet. We're running iptables 1.2.2. Will this command work with that version of iptables? I've been hedging about upgrading, as this particular server is also providing gateway services for two networks (in-house and the one at an ancillary location via private line).

Thanks,
Charles

-----Original Message-----
From: Nate Eldredge [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 25, 2002 4:13 PM
To: Charles Stack
Cc: [EMAIL PROTECTED]
Subject: Re: ipsec and iptables

Charles Stack writes:

> We're trying to connect an ipsec client to an ipsec server through an
> iptables-based firewall.
> It seems that the firewall is blocking protocol 50 traffic.
>
> Is it possible to get this traffic to pass through cleanly?
> If so, how?

Haven't tested this, but did you try

    iptables -p 50 -j ACCEPT

?

--
Nate Eldredge
[EMAIL PROTECTED]
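None of the messages above shows a complete rule set that passes IPsec through a forwarding firewall, so here is an added example; it is not code from Martin, Charles or Nate. It assumes hypothetical values (client 203.0.113.10, inside server 192.168.1.20, firewall public address 198.51.100.1, outside interface eth0, inside interface eth1) and a kernel whose connection tracking treats ESP as a generic IP protocol. The points it illustrates: ESP is IP protocol 50, which iptables matches with -p esp (or -p 50) and which has no TCP/UDP ports, so no --dport can select it; a rule needs a chain (-A FORWARD) to go anywhere; IKE on UDP 500 must pass too or no ESP is ever sent; and when the inside server has a private address, the whole protocol, not a port, is DNATed to it, which works for ESP but not for AH (protocol 51), whose integrity check covers the outer IP header.

```shell
#!/bin/sh
# Added example, not code from the thread: let an IPsec client outside an
# iptables firewall reach an IPsec server on the inside network.
# Hypothetical values: client 203.0.113.10, server 192.168.1.20,
# firewall public address 198.51.100.1, outside eth0, inside eth1.
# Set DRY_RUN=1 to print the rules instead of applying them (applying needs root).

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Print or execute one iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Plain forwarding: the server is routable from the client; the firewall
# only has to stop dropping the two protocols IPsec actually uses.
ipsec_forward() {
    client=$1 server=$2 ext_if=$3 int_if=$4
    # IKE negotiates the security associations over UDP 500.
    run -A FORWARD -i "$ext_if" -o "$int_if" -s "$client" -d "$server" -p udp --dport 500 -j ACCEPT
    run -A FORWARD -i "$int_if" -o "$ext_if" -s "$server" -d "$client" -p udp --sport 500 -j ACCEPT
    # ESP is IP protocol 50 (-p esp is the same as -p 50). It carries no
    # TCP/UDP ports, so "--dport 50" can never match it; a chain is mandatory.
    run -A FORWARD -i "$ext_if" -o "$int_if" -s "$client" -d "$server" -p esp -j ACCEPT
    run -A FORWARD -i "$int_if" -o "$ext_if" -s "$server" -d "$client" -p esp -j ACCEPT
}

# NAT variant: the server has a private address and the client addresses the
# firewall's public IP. A whole protocol is mapped, not a port, so only one
# inside host can receive ESP this way. ESP survives the rewrite because it
# does not protect the outer IP header; AH (protocol 51) does, and so breaks
# across any NAT. The FORWARD rules from ipsec_forward are still needed,
# since FORWARD sees the already-translated destination (the server).
ipsec_dnat() {
    client=$1 server=$2 fw_ip=$3 ext_if=$4
    run -t nat -A PREROUTING -i "$ext_if" -s "$client" -d "$fw_ip" -p udp --dport 500 -j DNAT --to-destination "$server"
    run -t nat -A PREROUTING -i "$ext_if" -s "$client" -d "$fw_ip" -p esp -j DNAT --to-destination "$server"
    run -t nat -A POSTROUTING -o "$ext_if" -s "$server" -d "$client" -j SNAT --to-source "$fw_ip"
}

# When run as a script with four arguments, install the forwarding rules:
#   DRY_RUN=1 sh ipsec-fw.sh 203.0.113.10 192.168.1.20 eth0 eth1
if [ $# -eq 4 ]; then
    ipsec_forward "$@"
fi
```

Run it with DRY_RUN=1 first and compare the printed rules against the existing chains; with a default DROP policy on FORWARD these four ACCEPT rules are the minimum, and the nat-table rules from ipsec_dnat are added only when the server is not directly routable from the client.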
