From: Matthew Schumacher <matt.s@aptalaska.net>
To: Robert Borger <bborger@navcorp.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: SegFault on flush + IPSec and Nat on 2.6.10 fails
Date: Thu, 03 Mar 2005 08:26:01 -0900 [thread overview]
Message-ID: <422748A9.50105@aptalaska.net> (raw)
In-Reply-To: <DB15CAD558452949A35006D66C5C5A99010F7C@nav-post.navcorp.com>
Robert Borger wrote:
> Hi,
> I have two, likely related, problems using iptables.
>
> 1) I sometimes get a segmentation fault from iptables -F.
> For example:
>
> ~/bin # iptables -A INPUT -s 192.168.3.2/32 -j ACCEPT
> ~/bin # iptables -A INPUT -s 192.168.3.3/32 -j ACCEPT
> ~/bin # iptables -A INPUT -s 192.168.3.4/32 -j ACCEPT
> ~/bin # iptables -A INPUT -s 192.168.3.5/32 -j ACCEPT
> ~/bin # iptables -F OUTPUT
> ~/bin # iptables -F FORWARD
> ~/bin # iptables -F INPUT
> Segmentation fault
> ~/bin #
>
> If I leave out any one of the INPUT rules, there is no error.
> I saw the same thing with OUTPUT rules, but I think that it
> only required 3 OUTPUT rule statements to segmentation fault.
I don't know how much I can help, but I'll try:
I may be misunderstanding what your doing but I don't see anywhere where
you are omitting the esp packets from nat. So you need to do this with
the public ip addresses of your tunnel gateways, one in each direction:
iptables -t nat -A POSTROUTING -p ESP -s <srcip> -d <destip> -j ACCEPT
iptables -t nat -A POSTROUTING -p ESP -s <srcip> -d <destip> -j ACCEPT
If you haven't already, allow ipsec packets for phase 1 isakmp and esp
packets. If you don't you may only be able to build a tunnel in one
direction.
iptables -A INPUT -s <srcip> -p ESP -j ACCEPT
iptables -A INPUT -s <srcip> -p UDP --dport 500 -j ACCEPT
After these rules are in place, your tunnel should come up and
everything though the tunnel matches the rules in the FORWARD table. So
I use conntrack to control everything that goes though the tunnel. A
rule like this would give the appearance of NAT because new sessions
from one side are rejected, while new sessions from the other are
allowed. In this example, port 80 is allowed in one direction,
everything else is dropped:
iptables -A FORWARD -p tcp -s 0/0 -d <remotenet> --dport 80 -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0/0 -d <localnet> -p all -m state --state
ESTABLISHED,RELATED -j ACCEPT
Also, make sure you upgrade to kernel 2.6.11, 2.6.10 has a nasty
ip_conntrack issue that will cause problems with your tables getting
full and your machine dropping packets.
Hope that helps,
schu
next prev parent reply other threads:[~2005-03-03 17:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-02 23:21 SegFault on flush + IPSec and Nat on 2.6.10 fails Robert Borger
2005-03-03 17:26 ` Matthew Schumacher [this message]
2005-07-15 18:36 ` Trevor Cordes
-- strict thread matches above, loose matches on Subject: below --
2005-03-03 21:15 Robert Borger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=422748A9.50105@aptalaska.net \
--to=matt.s@aptalaska.net \
--cc=bborger@navcorp.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.