Stateful Firewall and Protocol 47

dtw · 2016-01-31 10:53:45

I'm trying to connect to my work VPN. I have configured the Stateful Firewall (long ago) and it's blocking (as I'd expect) the VPN traffic. The VPN connects fine with iptables stopped so I know it's not a config issue.

In the log I can see a lot of lines ending with:

PROTO=47

So, I've figure I need to allow those packets but something as simple as:

-A INPUT -p 47 -j ACCEPT

Isn't working - any ideas?

aiBo · 2016-01-31 11:37:35

Please post your entire iptables ruleset using iptables-save. Also the openvpn-config, the complete error message from the log and the output of "ip a" when all is working (VPN up).

Last edited by aiBo (2016-01-31 11:45:13)

brebs · 2016-01-31 12:39:48

For GRE firewalling, there are *2* interfaces involved:

1. The GRE (virtual) interface
2. The interface that carries the GRE packets.

There are also some GRE-related kernel modules:

ip_gre
nf_conntrack_proto_gre
nf_nat_proto_gre

branch · 2016-01-31 16:31:45

According to the wiki you linked, the last rule in the INPUT chain is

INPUT -j REJECT --reject-with icmp-proto-unreachable

Any rule added after this is unreachable.

The wiki you linked indicates such a new rule should go in in the TCP or UDP chain depending on protocol, which should be specified in the rule.

R00KIE · 2016-01-31 21:41:44

You'll need to provide your full list of firewall rules and any module options you may be passing to nf_conntrack or any other modules related to network filtering/tracking.

Arch Linux

#1 2016-01-31 10:53:45

Stateful Firewall and Protocol 47

#2 2016-01-31 11:37:35

Re: Stateful Firewall and Protocol 47

#3 2016-01-31 12:39:48

Re: Stateful Firewall and Protocol 47

#4 2016-01-31 16:31:45

Re: Stateful Firewall and Protocol 47

#5 2016-01-31 21:41:44

Re: Stateful Firewall and Protocol 47

Board footer