[Swan] Basic firewall rules for traffic through tunnel

Nick Howitt nick at howitts.co.uk
Mon Apr 2 08:06:29 UTC 2018


Hi Paul,

ClearOS comes with the following automatic rules to allow traffic to 
pass through the tunnel using packet marking:

    iptables -I PREROUTING -t mangle -p esp -j MARK --set-mark 0x64
    iptables -I INPUT -m mark --mark 0x64 -d my_wan_IP -j ACCEPT    # necessary for incoming traffic
    iptables -I INPUT -m mark --mark 0x64 -d my_LAN_IP -j ACCEPT    # not too sure why needed
    iptables -I FORWARD -m mark --mark 0x64 -j ACCEPT


It also has the following relevant rules:

    iptables -I POSTROUTING -t nat -m policy --dir out --pol ipsec -j ACCEPT
    iptables -I FORWARD -i my_LAN_interface -j ACCEPT    # general allow all traffic from LAN out
    iptables -I INPUT -i my_LAN_interface -j ACCEPT    # general allow all traffic from LAN into server    # not sure if relevant
    iptables -I OUTPUT -o my_WAN_interface -j ACCEPT    # general allow all traffic from WAN out
    iptables -I OUTPUT -o my_LAN_interface -j ACCEPT    # general allow all traffic from LAN i/f out
    iptables -I INPUT -i my_WAN_interface -m state --state NEW,RELATED,ESTABLISHED -p tcp -m multiport --dports 1024:65535 -j ACCEPT    # not sure if relevant to tunnel
    iptables -I INPUT -i my_WAN_interface -m state --state NEW,RELATED,ESTABLISHED -p udp -m multiport --dports 1024:65535 -j ACCEPT    # not sure if relevant to tunnel


I am looking to replace the packet-marked rules with generic policy-based 
rules which don't need to know anything about the remote end, such 
as subnets, so using:

    iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
    iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT


Am I going down the right lines, or have I missed something? I have 
someone testing it out a bit, and he is reporting random timeouts connecting 
to his mail server and "Random timeouts connecting to websites (DNS 
Resolution errors)".

Have I missed anything? Do I also need policy rules for outbound 
traffic, so:

    iptables -I INPUT -m policy --dir out --pol ipsec -j ACCEPT    # Also would allow low ports
    iptables -I FORWARD -m policy --dir out --pol ipsec -j ACCEPT    # covered by the generic FORWARD rule?
    iptables -I OUTPUT -m policy --dir out --pol ipsec -j ACCEPT    # covered by the generic OUTPUT rule?

or are they irrelevant? Would they even work, because I don't know where 
in the processing the packets get policy-marked?

Regards,

Nick
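The policy-match rule set discussed above as a script, added here as an example; it is not code from the original post, ClearOS or Libreswan, and the table and chain names are the standard iptables ones. It refuses the chain/direction pairs iptables does not accept, which is the check relevant to the outbound rules asked about: per iptables-extensions(8), `--dir in` matches packets that were decapsulated by IPsec and is valid only in PREROUTING, INPUT and FORWARD, while `--dir out` matches packets that will be encapsulated and is valid only in POSTROUTING, OUTPUT and FORWARD.

```shell
#!/bin/sh
# Added example, not code from the original post or from ClearOS/Libreswan.
# Emits the "generic" IPsec policy-match rules. Per iptables-extensions(8):
#   --dir in  : valid in PREROUTING, INPUT, FORWARD (decapsulated packets)
#   --dir out : valid in POSTROUTING, OUTPUT, FORWARD (to-be-encapsulated)
# Any other pair is refused here instead of failing when the rule is loaded.

# policy_rule TABLE CHAIN DIR : print one rule, return 1 for an invalid pair
policy_rule() {
    table=$1; chain=$2; dir=$3
    case "$dir:$chain" in
        in:PREROUTING|in:INPUT|in:FORWARD) ;;
        out:POSTROUTING|out:OUTPUT|out:FORWARD) ;;
        *) echo "policy_rule: --dir $dir is not valid in $chain" >&2; return 1 ;;
    esac
    printf 'iptables -t %s -I %s -m policy --dir %s --pol ipsec -j ACCEPT\n' \
        "$table" "$chain" "$dir"
}

# The full set: accept decrypted traffic to the gateway and through it,
# accept traffic that is about to be encrypted, and exempt that traffic
# from NAT (ACCEPT in nat/POSTROUTING, inserted at the top with -I, keeps a
# later MASQUERADE rule from rewriting the source before ESP encapsulation).
ipsec_ruleset() {
    policy_rule filter INPUT       in  &&
    policy_rule filter FORWARD     in  &&
    policy_rule filter FORWARD     out &&
    policy_rule filter OUTPUT      out &&
    policy_rule nat    POSTROUTING out
}

# "apply" executes the rules (needs root and iptables); anything else only
# prints them so they can be reviewed first.
if [ "${1:-print}" = apply ]; then
    ipsec_ruleset | sh -e
else
    ipsec_ruleset
fi
```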

