* RE: Argh! I'm kicking myself
2003-12-19 20:42 Argh! I'm kicking myself Ian Hunter
@ 2003-12-19 20:59 ` Aldo S. Lagana
2003-12-19 21:33 ` pheusion
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Aldo S. Lagana @ 2003-12-19 20:59 UTC
To: 'Ian Hunter', netfilter
I KNOW you could always have used the PROTOCOL numbers, but the names may have
been recently implemented... as far as where it is documented - in the
FreeS/WAN docs - it talks about the types of rules which you will need in
iptables.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ian Hunter
Sent: Friday, December 19, 2003 3:42 PM
To: netfilter@lists.netfilter.org
Subject: Argh! I'm kicking myself
For days now I've been trying to figure out how to recompile my Redhat
2.4.20-24.9 kernel to allow masquerading IPSec ESP traffic. I ran the
much-vaunted "grep -i masq /proc/ksyms" and to my chagrin got nothing back,
but on a lark decided I'd try "iptables -A FORWARD -t nat -i ppp0 -p esp -j
ACCEPT" just to see if it would fly and it did. Of course. And now you're
all laughing at me.
Where is this documented, that gre, esp, ah, and the like are acceptable
protocols? The docs mention icmp, tcp, and udp only.
Is there such a document, or have I discovered a particular cover of the
netfilter doc-hole?
Ian
* Re: Argh! I'm kicking myself
From: pheusion @ 2003-12-19 21:33 UTC
To: Ian Hunter; +Cc: netfilter
Not sure I follow...
AH (51) and ESP (50) are IPsec traffic; as long as you have that module you
should be all set (FreeS/WAN).
On Fri, 2003-12-19 at 15:42, Ian Hunter wrote:
> For days now I've been trying to figure out how to recompile my Redhat
> 2.4.20-24.9 kernel to allow masquerading IPSec ESP traffic. I ran the
> much-vaunted "grep -i masq /proc/ksyms" and to my chagrin got nothing back,
> but on a lark decided I'd try "iptables -A FORWARD -t nat -i ppp0 -p esp -j
> ACCEPT" just to see if it would fly and it did. Of course. And now you're
> all laughing at me.
>
> Where is this documented, that gre, esp, ah, and the like are acceptable
> protocols? The docs mention icmp, tcp, and udp only.
>
> Is there such a document, or have I discovered a particular cover of the
> netfilter doc-hole?
>
> Ian
>
>
* Re: Argh! I'm kicking myself
From: pheusion @ 2003-12-19 21:39 UTC
To: Ian Hunter; +Cc: netfilter
Wait, I think I understand the question now.
(Correct me if I am wrong.)
If you have the match modules enabled, then that would be what
allows you to include AH/ESP match support;
there was a patch for this, but it might be included with distros.
On Fri, 2003-12-19 at 15:42, Ian Hunter wrote:
> For days now I've been trying to figure out how to recompile my Redhat
> 2.4.20-24.9 kernel to allow masquerading IPSec ESP traffic. I ran the
> much-vaunted "grep -i masq /proc/ksyms" and to my chagrin got nothing back,
> but on a lark decided I'd try "iptables -A FORWARD -t nat -i ppp0 -p esp -j
> ACCEPT" just to see if it would fly and it did. Of course. And now you're
> all laughing at me.
>
> Where is this documented, that gre, esp, ah, and the like are acceptable
> protocols? The docs mention icmp, tcp, and udp only.
>
> Is there such a document, or have I discovered a particular cover of the
> netfilter doc-hole?
>
> Ian
>
>
* Re: Argh! I'm kicking myself
From: Ramin Dousti @ 2003-12-19 22:06 UTC
To: Ian Hunter; +Cc: netfilter
On Fri, Dec 19, 2003 at 03:42:21PM -0500, Ian Hunter wrote:
> For days now I've been trying to figure out how to recompile my Redhat
> 2.4.20-24.9 kernel to allow masquerading IPSec ESP traffic. I ran the
"allow masquerading IPSec ESP traffic" ?? Or just allow forwarding the
IPsec traffic?
> much-vaunted "grep -i masq /proc/ksyms" and to my chagrin got nothing back,
> but on a lark decided I'd try "iptables -A FORWARD -t nat -i ppp0 -p esp -j
> ACCEPT" just to see if it would fly and it did. Of course. And now you're
> all laughing at me.
>
> Where is this documented, that gre, esp, ah, and the like are acceptable
> protocols? The docs mention icmp, tcp, and udp only.
Which doc?
>
> Is there such a document, or have I discovered a particular cover of the
> netfilter doc-hole?
man iptables:
...
-p, --protocol [!] protocol
    The protocol of the rule or of the packet to check. The specified
    protocol can be one of tcp, udp, icmp, or all, or it can be a
    numeric value, representing one of these protocols or a different
    one. A protocol name from /etc/protocols is also allowed. A "!"
    argument before the protocol inverts the test. The number zero is
    equivalent to all. Protocol all will match with all protocols and
    is taken as default when this option is omitted.
...
Ramin
> Ian
>
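As an added example (not from the thread, and not iptables' own code), here is a small Python model of the -p lookup that Ramin's man page excerpt describes: a parser for the /etc/protocols file format plus the all/0/numeric/"!" rules, so you can check what a rule like "-p esp" or "-p ! tcp" actually matches. The /etc/protocols excerpt is constructed here (the numbers are the real IANA ones), and case-insensitive name matching is this example's assumption.

```python
# Added example (not from the thread): models how an iptables -p argument is
# resolved, following the man page text quoted above.  The /etc/protocols
# excerpt is constructed here, using the real IANA numbers for these names.
PROTOCOLS_FILE = """\
# Internet (IP) protocols:  name  number  aliases  # comment
ip      0       IP           # internet protocol, pseudo protocol number
icmp    1       ICMP         # internet control message protocol
tcp     6       TCP          # transmission control protocol
udp     17      UDP          # user datagram protocol
gre     47      GRE          # General Routing Encapsulation
esp     50      IPSEC-ESP    # Encap Security Payload
ah      51      IPSEC-AH     # Authentication Header
"""

def parse_protocols(text):
    """Map every name and alias in /etc/protocols-format text to its number."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()         # strip comments
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue                                 # blank or malformed line
        for name in [fields[0]] + fields[2:]:        # canonical name + aliases
            table[name.lower()] = int(fields[1])
    return table

def resolve_protocol(spec, table):
    """Return (invert, number) for a -p value; number None means 'all'.
    tcp/udp/icmp/all, a number, or an /etc/protocols name; '!' inverts;
    0 is equivalent to all (lowercasing is this example's assumption)."""
    spec = spec.strip()
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:].strip()                      # accept "! tcp" or "!tcp"
    spec = spec.lower()
    if spec == "all":
        return invert, None
    if spec.isdigit():
        number = int(spec)
    elif spec in table:
        number = table[spec]
    else:
        raise ValueError("unknown protocol %r" % spec)
    return invert, (None if number == 0 else number)

def rule_matches(spec, packet_proto, table):
    """Would a rule written with '-p spec' match a packet of packet_proto?"""
    invert, number = resolve_protocol(spec, table)
    hit = number is None or number == packet_proto
    return hit != invert                             # '!' flips the result
```

On a real system you would feed parse_protocols() the contents of /etc/protocols, which is exactly where iptables gets names like gre, esp and ah from.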