Las reglas de iptables necesarias para que el gateway se comporte como debe son las siguientes:
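#!/bin/bash
#
# iptables rules for the IPsec/NAT gateway.
#
# Layout: configuration variables, reset, default policies, INPUT rules,
# OUTPUT rules, NAT.  Calls iptables directly, so it must run as root.
#
# -u turns an unset variable into a hard error instead of an empty
# expansion (an empty expansion silently turns "-i ${X} --dport" into
# "-i --dport", so the rule fails or matches the wrong thing); -e stops at
# the first failing iptables call.  Note the consequence: once the DROP
# policy below has been set, a failing rule leaves the host with that
# policy and only the rules added so far -- check the error and rerun.
set -eu
##
# Configuration
#
IPTABLES="/sbin/iptables"
#
# interfaces
#
INTERFACE_LO="lo"
INTERFACE_LAN="eth0"
INTERFACE_INTERNET="eth1"
INTERFACE_IPSEC="ipsec0"
#
# network
#
IP_LOCALHOST="127.0.0.1"
IP_LAN="192.168.1.254"
BCAST_LAN="192.168.1.255"
IP_INET="193.146.99.5"
IP_LAN_CLIENT_IPSEC="192.168.1.4"
IP_INET_CLIENT_IPSEC="212.22.69.45"
#
# ports -- space-separated lists; the for-loops below rely on word splitting
#
OPEN_TCP_PORTS="22"
OPEN_UDP_PORTS="500"
# ICMP types accepted from the internet interface.
# NOTE(review): type 5 (redirect) accepted from an untrusted interface lets
# the far side alter this host's routing decisions; confirm it is needed.
OPEN_ICMP_PORTS="0 3 5 8 11"
#
# IP NAT -- source address for SNATed traffic (same value as IP_INET)
#
IP_NAT="193.146.99.5"
##
# Reset iptables
#
# Policies go back to ACCEPT before flushing so the flush itself cannot
# lock us out.  The nat table is flushed as well as filter: the SNAT rule
# at the bottom lives in nat, and flushing only filter would append a
# duplicate SNAT rule every time this script is run.  Flush (-F) before
# deleting user chains (-X), since a chain still holding rules cannot be
# deleted.
"${IPTABLES}" -P INPUT ACCEPT
"${IPTABLES}" -P OUTPUT ACCEPT
"${IPTABLES}" -P FORWARD ACCEPT
for table in filter nat; do
  "${IPTABLES}" -t "${table}" -F
  "${IPTABLES}" -t "${table}" -X
done
##
# Policy
#
# Everything addressed to the gateway itself is dropped unless a rule below
# accepts it.  FORWARD stays ACCEPT: the gateway routes freely between LAN,
# internet and IPsec interfaces; only locally delivered traffic is filtered.
"${IPTABLES}" -P INPUT DROP
"${IPTABLES}" -P OUTPUT ACCEPT
"${IPTABLES}" -P FORWARD ACCEPT
##
# INPUT Chain
#
#
# open tcp ports (on the internet interface)
#
for port in ${OPEN_TCP_PORTS}; do
  "${IPTABLES}" -A INPUT -p tcp -i "${INTERFACE_INTERNET}" --dport "${port}" -j ACCEPT
done
#
# open udp ports (500 is IKE, for the IPsec peer)
#
for port in ${OPEN_UDP_PORTS}; do
  "${IPTABLES}" -A INPUT -p udp -i "${INTERFACE_INTERNET}" --dport "${port}" -j ACCEPT
done
#
# open icmp types
#
for icmp_type in ${OPEN_ICMP_PORTS}; do
  "${IPTABLES}" -A INPUT -p icmp -i "${INTERFACE_INTERNET}" --icmp-type "${icmp_type}" -j ACCEPT
done
# NOTE(review): only IKE (udp/500) is accepted on the internet interface;
# there is no explicit rule for ESP (IP protocol 50).  Confirm the IPsec
# stack in use does not need one here.
#
# general input rules
#
"${IPTABLES}" -A INPUT -p all -i "${INTERFACE_LO}" -d "${IP_LOCALHOST}" -j ACCEPT
# NOTE(review): this rule is not bound to an interface, so a packet addressed
# to the LAN address is accepted whichever interface it arrives on
# (presumably so traffic decrypted onto ${INTERFACE_IPSEC} gets through).
# An anti-spoofing rule for ${INTERFACE_INTERNET}, or rp_filter, should
# cover the internet side -- verify one is in place.
"${IPTABLES}" -A INPUT -p all -d "${IP_LAN}" -j ACCEPT
"${IPTABLES}" -A INPUT -p all -i "${INTERFACE_LAN}" -d "${BCAST_LAN}" -j ACCEPT
"${IPTABLES}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##
# OUTPUT Chain
#
# The two DROP rules must precede the blanket ACCEPT for ${IP_LAN}: iptables
# stops at the first matching rule, so placed after the ACCEPT they would
# never be reached.  They keep the IPsec client's traffic inside the tunnel:
# nothing but the client may leave via ${INTERFACE_IPSEC}, and the client
# must not be reached in the clear via ${INTERFACE_INTERNET}.
# Negation uses the "! -d" form; "-d !" is the deprecated placement.
"${IPTABLES}" -A OUTPUT -p all -s "${IP_LAN}" -o "${INTERFACE_IPSEC}" \
  ! -d "${IP_LAN_CLIENT_IPSEC}" -j DROP
"${IPTABLES}" -A OUTPUT -p all -s "${IP_LAN}" -o "${INTERFACE_INTERNET}" \
  -d "${IP_LAN_CLIENT_IPSEC}" -j DROP
"${IPTABLES}" -A OUTPUT -p all -s "${IP_LOCALHOST}" -j ACCEPT
"${IPTABLES}" -A OUTPUT -p all -s "${IP_LAN}" -j ACCEPT
##
# NAT
#
# Source-NAT everything leaving via the internet interface, except traffic
# for the IPsec client, which keeps its LAN address inside the tunnel.
"${IPTABLES}" -t nat -A POSTROUTING -o "${INTERFACE_INTERNET}" \
  ! -d "${IP_LAN_CLIENT_IPSEC}" -j SNAT --to-source "${IP_NAT}"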