@bigntallmike
Created January 6, 2021 17:57
iptables ipsec router basics
-t filter -A INPUT -i lo -j ACCEPT
-t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-t filter -A INPUT -p esp -j ACCEPT
-t filter -A INPUT -p udp --dport 500 -j ACCEPT
-t filter -A INPUT -p udp --dport 4500 -j ACCEPT
-t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# any other globally available services
-t filter -N INPUT-LAN
-t filter -A INPUT -i $INTIF -j INPUT-LAN
-t filter -A INPUT-LAN -p udp --dport bootps -j ACCEPT
-t filter -A INPUT-LAN -p udp --dport ntp -j ACCEPT
-t filter -A INPUT-LAN -j LOG --log-prefix "LAN-Reject:"
-t filter -A INPUT-LAN -j REJECT --reject-with admin-prohib
-t filter -A INPUT -j LOG --log-prefix "IN-Reject:"
-t filter -A INPUT -j REJECT --reject-with admin-prohib
-t mangle -A PREROUTING -i $INTIF -j MARK --set-mark 1
-t mangle -A PREROUTING -i $EXTIF -p esp -j MARK --set-mark 2
-t nat -N POST-InToOut
-t nat -A POSTROUTING -m mark --mark 1 -j POST-InToOut
-t nat -A POST-InToOut -d $REMOTESUBNET -j RETURN
-t nat -A POST-InToOut -j SNAT --to-source $EXTIP
-t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-t filter -N Outbound
-t filter -A FORWARD -m mark --mark 1 -s $INTSUBNET -j Outbound # / ACCEPT depending on paranoia
-t filter -A Outbound -p tcp -m multiport --dports $KNOWNSERVICES -j ACCEPT
# or, less paranoid: -t filter -A Outbound -j ACCEPT
-t filter -N FORWARD-IPSec
-t filter -A FORWARD -m policy --dir in --pol ipsec --proto esp -j FORWARD-IPSec
-t filter -A FORWARD-IPSec -s $REMOTESUBNET -j ACCEPT
-t filter -A FORWARD -j LOG --log-prefix "Fwd-Reject:"
-t filter -A FORWARD -j REJECT --reject-with admin-prohib
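The lines above are iptables argument lists with unset shell variables, so they cannot be loaded as they stand. The script below is an added example, not part of the gist: it fills in placeholder values for $INTIF, $EXTIF, $EXTIP, $INTSUBNET, $REMOTESUBNET and $KNOWNSERVICES (constructed, RFC 5737/1918 addresses; edit for your site), strips comments, and converts the `-t TABLE -A/-N ...` lines into iptables-restore format so the whole ruleset can be checked with `iptables-restore --test` and applied atomically instead of rule by rule. The "/" alternatives in the gist must be resolved to one rule per line before feeding it in. Built-in chains are emitted with policy ACCEPT because the gist ends INPUT and FORWARD with explicit LOG + REJECT rules rather than a policy.

```shell
#!/bin/sh
# Added example (not the gist author's code): convert the gist's rule lines
# into iptables-restore format. Placeholder values below are assumptions.
INTIF=eth1                      # LAN-facing interface
EXTIF=eth0                      # Internet-facing interface
EXTIP=203.0.113.10              # public address used for SNAT
INTSUBNET=192.168.10.0/24       # local LAN behind the router
REMOTESUBNET=192.168.20.0/24    # LAN behind the IPsec peer (not NATed)
KNOWNSERVICES=22,53,80,443      # outbound TCP ports allowed from the LAN

# Read "-t TABLE -A CHAIN ..." / "-t TABLE -N CHAIN" lines on stdin, write an
# iptables-restore file on stdout. Exits 1 (printing nothing) on a malformed line,
# so a typo cannot produce a half-applied ruleset.
to_restore() {
    awk -v intif="$INTIF" -v extif="$EXTIF" -v extip="$EXTIP" \
        -v intsubnet="$INTSUBNET" -v remotesubnet="$REMOTESUBNET" \
        -v knownservices="$KNOWNSERVICES" '
    function expand(s) {
        # substitute only the known variables; nothing in the file is eval-ed
        gsub(/\$INTIF/, intif, s);       gsub(/\$EXTIF/, extif, s)
        gsub(/\$EXTIP/, extip, s);       gsub(/\$INTSUBNET/, intsubnet, s)
        gsub(/\$REMOTESUBNET/, remotesubnet, s)
        gsub(/\$KNOWNSERVICES/, knownservices, s)
        return s
    }
    {
        sub(/[[:space:]]*#.*$/, "")                 # drop trailing comments
        if ($0 ~ /^[[:space:]]*$/) next             # skip blank lines
        if ($1 != "-t") { print "bad line: " $0 > "/dev/stderr"; bad = 1; next }
        table = $2
        if (!(table in seen)) { order[++ntables] = table; seen[table] = 1 }
        if ($3 == "-N") {                           # user chain -> ":NAME - [0:0]"
            chains[table] = chains[table] ":" $4 " - [0:0]\n"; next
        }
        rest = ""
        for (i = 3; i <= NF; i++) rest = rest (i > 3 ? " " : "") $i
        rules[table] = rules[table] expand(rest) "\n"
    }
    END {
        if (bad) exit 1
        for (t = 1; t <= ntables; t++) {
            table = order[t]
            printf "*%s\n", table
            # built-in chains with ACCEPT policy; the gist relies on terminal REJECT rules
            if (table == "filter")
                printf ":INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"
            else if (table == "nat")
                printf ":PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n"
            else if (table == "mangle")
                printf ":PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n"
            printf "%s%sCOMMIT\n", chains[table], rules[table]
        }
    }'
}

# Constructed sample: a subset of the gist, one rule per line (single quotes keep
# the $VARS literal so to_restore does the substitution).
SAMPLE_RULES='-t filter -A INPUT -i lo -j ACCEPT
-t filter -A INPUT -p esp -j ACCEPT
-t filter -N INPUT-LAN
-t filter -A INPUT -i $INTIF -j INPUT-LAN
-t filter -A INPUT-LAN -j LOG --log-prefix "LAN-Reject:"
-t filter -A INPUT-LAN -j REJECT --reject-with admin-prohib
-t mangle -A PREROUTING -i $INTIF -j MARK --set-mark 1
-t nat -N POST-InToOut
-t nat -A POSTROUTING -m mark --mark 1 -j POST-InToOut
-t nat -A POST-InToOut -d $REMOTESUBNET -j RETURN
-t nat -A POST-InToOut -j SNAT --to-source $EXTIP
-t filter -N Outbound
-t filter -A FORWARD -m mark --mark 1 -s $INTSUBNET -j Outbound
-t filter -A Outbound -p tcp -m multiport --dports $KNOWNSERVICES -j ACCEPT
-t filter -A FORWARD -m policy --dir in --pol ipsec --proto esp -s $REMOTESUBNET -j ACCEPT'

# Produce the restore file for the sample ruleset.
demo() {
    printf '%s\n' "$SAMPLE_RULES" | to_restore
}
```

Typical use on the router: `demo > /etc/iptables/rules.v4 && iptables-restore --test /etc/iptables/rules.v4` to parse and validate without touching the live tables, then `iptables-restore /etc/iptables/rules.v4` to apply everything in one transaction. Because the RETURN for $REMOTESUBNET is emitted before the SNAT in POST-InToOut, traffic bound for the IPsec peer's LAN keeps its original source address, which is what the gist's ordering intends.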