[Shorewall-users] special l2tp tunnel rules

Tom Eastep teastep at shorewall.net
Thu Dec 18 07:54:37 PST 2003

On Wednesday 17 December 2003 09:12 pm, drwho wrote:
> As discussed on
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
>  To allow for l2tp / freeswan / and the MS Vpn client it is necessary
> to setup l2tp and it is preferred to run it on an internal interface.
>  I have done this in start and stop files of shorewall but i was
> not sure if maybe this could be accomplished better elsewhere
> (tunnels,other?)
> qt /sbin/iptables -t nat --append PREROUTING -i ipsec0 -p udp --sport 1701 --dport 1701 -j DNAT --to-destination

In /etc/shorewall/rules:

DNAT	<ipsec0's zone>	loc:	udp	1701	1701

No point in putting your rule in /etc/shorewall/stopped unless you are also 
configuring masquerading/SNAT in that file as well.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
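As an added example (not code from the thread or from Shorewall itself), a small Python helper that reads a /etc/shorewall/rules DNAT line in the column order Tom uses (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT) and emits the nat PREROUTING command it corresponds to, refusing a DEST column that carries no address after the zone. The zone-to-interface map and the 10.0.0.2 target are constructed here, since the post leaves the address after `loc:` out.

```python
# Constructed zone -> interface map; the post only says "<ipsec0's zone>".
ZONE_IFACES = {"vpn": "ipsec0", "loc": "eth1"}


def parse_rule(line):
    """Parse one /etc/shorewall/rules line into its columns.

    Columns (whitespace separated): ACTION SOURCE DEST PROTO DPORT [SPORT].
    Comments and blank lines return None.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    cols = line.split()
    if len(cols) < 5:
        raise ValueError("rule needs at least ACTION SOURCE DEST PROTO DPORT: %r" % line)
    action, src, dst, proto, dport = cols[:5]
    sport = cols[5] if len(cols) > 5 else "-"  # "-" means any source port
    return {"action": action, "source": src, "dest": dst,
            "proto": proto, "dport": dport, "sport": sport}


def split_zone(spec):
    """'loc:10.0.0.2' -> ('loc', '10.0.0.2'); 'loc' or 'loc:' -> ('loc', '')."""
    zone, _, addr = spec.partition(":")
    return zone, addr


def dnat_to_iptables(rule):
    """Return the nat PREROUTING half of a Shorewall DNAT rule as an iptables command."""
    if rule["action"] != "DNAT":
        raise ValueError("only DNAT rules are handled")
    src_zone, _ = split_zone(rule["source"])
    _, dst_addr = split_zone(rule["dest"])
    if not dst_addr:
        # "loc:" alone gives DNAT nothing to rewrite the destination to.
        raise ValueError("DNAT DEST must carry an address after the zone, e.g. loc:10.0.0.2")
    cmd = ["iptables", "-t", "nat", "-A", "PREROUTING",
           "-i", ZONE_IFACES[src_zone], "-p", rule["proto"]]
    if rule["sport"] != "-":
        cmd += ["--sport", rule["sport"]]
    cmd += ["--dport", rule["dport"], "-j", "DNAT", "--to-destination", dst_addr]
    return " ".join(cmd)


def translate(line):
    """Convenience wrapper: rules line in, iptables command (or None for comments) out."""
    rule = parse_rule(line)
    return None if rule is None else dnat_to_iptables(rule)
```

Only the NAT rule is shown; Shorewall's DNAT action also adds the matching filter ACCEPT, which this helper does not emit.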
