packet counters not incremented
Marko Asplund
aspa@kronodoc.fi
Thu, 17 Jan 2002 21:58:33 +0200 (EET)
On Thu, 17 Jan 2002, Joe Patterson wrote:
> First question, are you doing connection tracking?
>
> If you have a set of rules like:
>
> $IPT -A FORWARD -i $INT_IF -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -p udp --dport 500 --sport 500 -j ACCEPT
> $IPT -A FORWARD -p 50 -j ACCEPT
I am doing connection tracking, but the rules differ a bit from the ones
above. The main difference is that I only allow all TCP traffic from the
inside to the external network. My IPsec rules look something like this:
$IPT -A FORWARD -i $IF_FW_INT -p tcp -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -d $IP_EXT_VPN_HOST -m multiport --port 500,10000 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -s $IP_EXT_VPN_HOST -m multiport --port 500,10000 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p 50 -s $IP_INT_VPN_HOST -d $IP_EXT_VPN_HOST -j ACCEPT
$IPT -A FORWARD -p 50 -s $IP_EXT_VPN_HOST -d $IP_INT_VPN_HOST -j ACCEPT
This is a somewhat simplified view; actually I have different chains,
like internal-external and external-internal, which contain the above rules.
> ...
> I don't know if this is your case, but it might be. If you want to do
> accounting on ipsec, make sure you do it before you do stateful inspection.
In my case stateful inspection should only affect ISAKMP accounting; the
stateful inspection rules shouldn't match IPsec ESP packets. I'm getting
all zeros in the ESP rule counters, while initiated ISAKMP connections show
up correctly in the ISAKMP rule counters.
best regards,
--
aspa
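As an added illustration of the ordering point raised in the quoted reply (do the accounting before the stateful rules), and not code from this thread or from either poster: a small Python checker that reads `iptables-save -c` output, finds stateless accounting rules that sit behind an `ESTABLISHED,RELATED` catch-all in the same chain, and emits a counting-only copy of each (an iptables rule with no `-j` target just increments its counters and falls through) ahead of that catch-all. The sample ruleset, addresses and interface name below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in `iptables-save -c` format (counters are [pkts:bytes]);
# the addresses, interface and numbers are made up for this example.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
[1532:201400] -A FORWARD -i eth1 -p tcp -m state --state NEW -j ACCEPT
[98211:71002311] -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[14:1540] -A FORWARD -p udp -d 192.0.2.10 -m multiport --ports 500,10000 -m state --state NEW -j ACCEPT
[12:1320] -A FORWARD -p udp -s 192.0.2.10 -m multiport --ports 500,10000 -m state --state NEW -j ACCEPT
[0:0] -A FORWARD -p 50 -s 10.0.0.5 -d 192.0.2.10 -j ACCEPT
[0:0] -A FORWARD -p 50 -s 192.0.2.10 -d 10.0.0.5 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*)$')


@dataclass
class Rule:
    chain: str
    pkts: int
    nbytes: int
    spec: str  # everything after "-A CHAIN "


def parse_rules(save_text):
    """Parse the counted rule lines of `iptables-save -c` output."""
    rules = []
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m.group(3), int(m.group(1)), int(m.group(2)), m.group(4)))
    return rules


def is_state_catchall(rule):
    """A state rule that accepts ESTABLISHED traffic with no proto/addr/iface restriction."""
    opts = rule.spec.split()
    return ('--state' in opts and 'ESTABLISHED' in rule.spec
            and not any(o in opts for o in ('-p', '-s', '-d', '-i', '-o')))


def is_stateless(rule):
    return '--state' not in rule.spec.split()


def shadowed_accounting_rules(save_text):
    """Stateless rules placed after a catch-all in their chain: they only ever see
    the first packet of a tracked flow, because the catch-all accepts the rest."""
    shadowed, chains_with_catchall = [], set()
    for r in parse_rules(save_text):
        if r.chain in chains_with_catchall and is_stateless(r):
            shadowed.append(r)
        elif is_state_catchall(r):
            chains_with_catchall.add(r.chain)
    return shadowed


def strip_target(spec):
    """Drop '-j TARGET ...' so the copy only counts and falls through."""
    return re.sub(r'\s-j\s+\S+.*$', '', spec)


def with_accounting_first(save_text):
    """Return the ruleset with a counting-only copy of each shadowed rule
    inserted just before the first catch-all of its chain."""
    pending = {}
    for r in shadowed_accounting_rules(save_text):
        pending.setdefault(r.chain, []).append(r)
    out = []
    for line in save_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            r = Rule(m.group(3), int(m.group(1)), int(m.group(2)), m.group(4))
            if is_state_catchall(r):
                for s in pending.pop(r.chain, []):
                    out.append('[0:0] -A %s %s' % (r.chain, strip_target(s.spec)))
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for r in shadowed_accounting_rules(SAMPLE):
        print('shadowed: -A %s %s' % (r.chain, r.spec))
    print(with_accounting_first(SAMPLE))
```

Feed the emitted text to `iptables-restore -c` (or just add the two counting rules with `iptables -I FORWARD 2 ...`) and the ESP counters then reflect every packet of the flow rather than only those the catch-all did not already accept.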