[TriLUG] Iptables script...
Michael Thompson
thompson at easternrad.com
Wed Jan 8 16:33:11 EST 2003
Thanks! That will probably help with my freeswan troubleshooting!
BTW: I am using RH 8.0 and doing service iptables save so the rules are
active at boot, the script is just for changing rules (to answer a
previous message :))
I have actually opened a port udp 500 (plus allowing protocols 50,51)
for freeswan, but one of the machines I want to connect from is on a Cox
High Speed internet account. It appears that ports <8000 are blocked by
the ISP. (BTW: I love my Time Warner cable at home) Is there a way to
configure ipsec to listen on a different port? I figure I could
re-compile from source but the guys on the freeswan irc have informed me
that it is a pain to compile on newer RH kernels. I've tried some
redirection using iptables but I think changing the packets at the
firewall breaks the rsa authentication.
TIA!
--mike
>
> - You're correct that REJECT is not a valid policy. You can get the effect,
> though, by just putting "-j REJECT" as the last rule in your chain.
> Actually, to do a REJECT right, create a chain that does:
>
> iptables -N dropandlog
> iptables -A dropandlog -m limit -j LOG --log-prefix "Dropped a packet: "
> iptables -A dropandlog -p tcp -j REJECT --reject-with tcp-reset
> iptables -A dropandlog -p udp -j REJECT
> iptables -A dropandlog -j DROP   # this one covers ICMP etc.
>
> Then when you drop packets, just do a "-j dropandlog" then this will all get
> invoked.
>
> - I recommend starting out by logging any packets that you drop, so that you
> can figure out what's breaking what :-) There will be some, though,
> that you'll get so many of that you'll want to drop without logging
> (identd requests from other systems, DHCP replies to others, etc.) To
> do this, you will want to add explicit "-j dropandlog" to the end of
> each of the three chains.
>
> - The OUTPUT rules for connection-state tracking are probably not necessary,
> assuming you want to allow this machine to connect to anywhere.
>
> - If you want to allow machines on the internal network to freely connect
> to services (other than ssh) on this box, then move the "allow all
> from internal net" rule above the connection-state-tracking rules.
>
> Corey
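For anyone following along, here is a complete script in the shape Corey's reply describes (the dropandlog chain, noisy traffic dropped silently ahead of it, the "allow internal net" rule placed above the connection-state rules, and "-j dropandlog" closing each chain). It is an added example, not code from the post or from Corey or Mike; the outside-facing assumptions (internal net 192.168.1.0/24, ssh as the only public TCP service, udp/500 plus protocols 50/51 for FreeS/WAN) are made up for the illustration. IPT defaults to "echo iptables", so the script prints the rules it would load; run it as root with IPT=iptables to apply them for real.

```shell
#!/bin/sh
# Added example of the firewall layout from Corey's reply.
# Assumptions (not from the post): the internal net is 192.168.1.0/24,
# ssh is the only TCP service open to the world, and FreeS/WAN needs
# udp/500 (IKE) plus IP protocols 50 (ESP) and 51 (AH).
# IPT defaults to a dry run that prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"

build_rules() {
    # Clean slate. Default policy is DROP; the "reject" behaviour comes
    # from the dropandlog chain, since REJECT is not a valid policy.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # dropandlog: rate-limited log, then a polite reject per protocol.
    $IPT -N dropandlog
    $IPT -A dropandlog -m limit --limit 3/minute -j LOG --log-prefix "Dropped a packet: "
    $IPT -A dropandlog -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A dropandlog -p udp -j REJECT
    $IPT -A dropandlog -j DROP   # everything else (ICMP etc.)

    # Traffic too noisy to log: handle it before anything reaches dropandlog.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset   # identd probes
    $IPT -A INPUT -p udp --sport 67 --dport 68 -j DROP                   # DHCP replies to others

    # Loopback, then the internal net. The internal-net rule sits ABOVE the
    # state rules so inside hosts can reach any service on this box.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -s "$INTERNAL_NET" -j ACCEPT

    # Connection-state tracking for replies to connections this box opened.
    # OUTPUT has no state rules because its policy is ACCEPT.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j dropandlog

    # Services exposed to the outside.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p udp --dport 500 -j ACCEPT   # IKE
    $IPT -A INPUT -p 50 -j ACCEPT                # ESP
    $IPT -A INPUT -p 51 -j ACCEPT                # AH

    # Last rule in each chain: log and reject whatever is left.
    $IPT -A INPUT -j dropandlog
    $IPT -A FORWARD -j dropandlog
}

build_rules
```

Review the dry-run output first (it is ordinary text you can diff against the previous version), then load it with IPT=iptables and "service iptables save" to keep it across reboots as Mike does.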