How can I check whether packets are being marked as per my tcrules file?

4    0.0.0.0/0    202.37.230.93    udp    500
4    fw           0.0.0.0/0        udp    500

Also, can someone confirm what ports are needed to be opened for ipsec?
1701, 1723, 47, 500 ???

P.
On Tue, 2004-12-14 at 13:06 +1300, Paul wrote:
> how can I check whether packets are being marked as per my tcrules file?
> 4    0.0.0.0/0    202.37.230.93    udp    500
> 4    fw           0.0.0.0/0        udp    500

"shorewall show mangle" and look at the packet counts. You are only
counting ISAKMP packets which aren't sent very often...

> also can someone confirm what ports are needed to be opened for ipsec?
> 1701,1723,47,500 ???

You are mixing ports and protocols and ipsec and pptp -- see
http://shorewall.net/ports.htm as a starter...

My list is:

PROTOCOL  PORT
UDP       500  (ISAKMP)
UDP       4500 (NAT TRAVERSAL)
50             (ESP)
51             (AH)
          1701 (L2TP)

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Tue, 2004-12-14 at 13:06 +1300, Paul wrote:
>
>> how can I check whether packets are being marked as per my tcrules file?
>> 4    0.0.0.0/0    202.37.230.93    udp    500
>> 4    fw           0.0.0.0/0        udp    500
>
> "shorewall show mangle" and look at the packet counts. You are only
> counting ISAKMP packets which aren't sent very often...
>
>> also can someone confirm what ports are needed to be opened for ipsec?
>> 1701,1723,47,500 ???
>
> You are mixing ports and protocols and ipsec and pptp -- see
> http://shorewall.net/ports.htm as a starter...
>
> My list is:
>
> PROTOCOL  PORT
> UDP       500  (ISAKMP)
> UDP       4500 (NAT TRAVERSAL)
> 50             (ESP)
> 51             (AH)
>           1701 (L2TP)
>
> -Tom

http://shorewall.net/ports.htm#id2437753
suggests I need proto 50, 51, and udp 500.

I have udp 500 open but nothing else .. is that where the magic tunnels
file steps in?

P.S. And yes, I've been playing with pptp as well ;) but all closed now.

P.
On Tue, 2004-12-14 at 13:50 +1300, Paul wrote:
>
> > You are mixing ports and protocols and ipsec and pptp -- see
> > http://shorewall.net/ports.htm as a starter...
> >
> > My list is:
> >
> > PROTOCOL  PORT
> > UDP       500  (ISAKMP)
> > UDP       4500 (NAT TRAVERSAL)
> > 50             (ESP)
> > 51             (AH)
> >           1701 (L2TP)
> >
> > -Tom
>
> http://shorewall.net/ports.htm#id2437753
> suggests I need proto 50, 51, and udp 500.
>
> I have udp 500 open but nothing else .. is that where the magic tunnels
> file steps in?

Yes.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> "shorewall show mangle" and look at the packet counts. You are only
> counting ISAKMP packets which aren't sent very often...

Does "shorewall show mangle" show prerouting "marks"?

BTW: I'm a little out of my league so I'm kinda guessing.

tcrules:

4    0.0.0.0/0        202.37.230.93    udp    500
4    202.37.230.93    0.0.0.0/0        udp    500

routing:

/sbin/ip rule add prio 223 fwmark 4 table 223
/sbin/ip route add default via 202.37.230.65 dev eth2 \
    src 202.37.230.93 proto static table 223

routing rules:

rama-kandra root # ip rule show
0:      from all lookup local
50:     from all lookup main
201:    from 202.37.230.64/26 lookup 201
202:    from 203.96.212.0/23 lookup 202
222:    from all lookup 222
223:    from all fwmark 0x4 lookup 223
32766:  from all lookup main
32767:  from all lookup default
rama-kandra root #

P.
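Two checks that follow from this exchange, as an added example that is not code from the thread or from Shorewall: Tom's advice to read the packet counts from "shorewall show mangle", and the question of whether the fwmark rule Paul added at priority 223 is ever reached given the rules listed ahead of it. The mangle sample below is constructed in the `iptables -t mangle -L -v -n` layout (assumed here to be what "shorewall show mangle" prints); the chain names PREROUTING/OUTPUT and the counter values are assumptions, since the chains Shorewall actually uses for tcrules entries depend on its version. The `ip rule show` sample reproduces the output posted above; mark 4 and the 202.37.230.93 address come from the thread.

```python
"""Added example (not from the thread): verify that a tcrules mark is being
applied, and list which routing tables are consulted before the fwmark rule.
All sample outputs are constructed; nothing here talks to a live system."""
import re

# Constructed sample of `iptables -t mangle -L -v -n` output (assumed layout
# of "shorewall show mangle"). Chain names are an assumption.
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT 48213 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1768 MARK       udp  --  *      *       0.0.0.0/0            202.37.230.93        udp dpt:500 MARK set 0x4

Chain OUTPUT (policy ACCEPT 9021 packets, 2104K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 MARK set 0x4
"""

# Constructed sample reproducing the `ip rule show` output posted in the thread.
SAMPLE_IP_RULES = """\
0:      from all lookup local
50:     from all lookup main
201:    from 202.37.230.64/26 lookup 201
202:    from 203.96.212.0/23 lookup 202
222:    from all lookup 222
223:    from all fwmark 0x4 lookup 223
32766:  from all lookup main
32767:  from all lookup default
"""

# One counter line of a MARK rule: pkts, bytes, target, prot, opt, in, out,
# source, destination, then the match/target details ("... MARK set 0x4").
MARK_RULE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\S+)\s+MARK\s+(?P<prot>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<extra>.*MARK set (?P<mark>0x[0-9a-fA-F]+).*)$"
)

# One `ip rule show` line: "<prio>: <selector> lookup <table>".
RULE_LINE = re.compile(r"^(?P<prio>\d+):\s+(?P<body>.*?)\s+lookup\s+(?P<table>\S+)\s*$")


def mark_counters(mangle_output, mark):
    """Return {chain: packets} for every MARK rule that sets `mark`.
    A chain with a zero count has the rule but has never matched a packet,
    which is what one expects for ISAKMP until a tunnel is negotiated."""
    counts = {}
    chain = None
    for line in mangle_output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = MARK_RULE.match(line)
        if m and int(m.group("mark"), 16) == mark:
            counts[chain] = counts.get(chain, 0) + int(m.group("pkts"))
    return counts


def rules_before_fwmark(ip_rule_output, mark):
    """Parse `ip rule show` and return (fwmark_rule, rules_with_lower_prio).
    The kernel walks rules in priority order and stops at the first one whose
    table holds a route for the packet, so every rule ahead of the fwmark rule
    gets a chance to route the marked packet first."""
    rules = []
    for line in ip_rule_output.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue
        body = m.group("body")
        fm = re.search(r"fwmark (0x[0-9a-fA-F]+)", body)
        rules.append({"prio": int(m.group("prio")), "selector": body,
                      "table": m.group("table"),
                      "fwmark": int(fm.group(1), 16) if fm else None})
    rules.sort(key=lambda r: r["prio"])
    for i, r in enumerate(rules):
        if r["fwmark"] == mark:
            return r, rules[:i]
    return None, rules


def unconditional_tables_before(ip_rule_output, mark):
    """Tables consulted for *every* packet before the fwmark rule is reached.
    If one of them (here: local, main, 222) holds a route for the destination,
    the mark never influences routing, whatever the mangle counters show;
    `ip route show table <name>` on the firewall tells you what each holds."""
    rule, preceding = rules_before_fwmark(ip_rule_output, mark)
    if rule is None:
        return []
    return [r["table"] for r in preceding if r["selector"] == "from all"]


if __name__ == "__main__":
    for chain, pkts in mark_counters(SAMPLE_MANGLE, 4).items():
        print(f"mark 0x4 in {chain}: {pkts} packets")
    rule, _ = rules_before_fwmark(SAMPLE_IP_RULES, 4)
    print("fwmark rule:", rule)
    print("tables tried for all packets first:",
          unconditional_tables_before(SAMPLE_IP_RULES, 4))
```

On a real firewall you would feed the live output in place of the two samples (`shorewall show mangle` for the first function, `ip rule show` for the other two). A non-zero count from `mark_counters` answers Paul's first question; `unconditional_tables_before` answers the second one, since a `from all lookup main` rule at priority 50 means table 223 is only consulted for packets that main (and 222) cannot route.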