Issue #3032

Connected to VPN, but no traffic

Added by Aiden A over 1 year ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.5.1
Resolution:
No feedback

Description

Hello.

I'm able to connect to my VPN but am not able to connect to the internet.

# ipsec.conf - strongSwan IPsec configuration file

config setup
    cachecrls=yes
    uniqueids=no

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.1/24
    rightdns=1.1.1.1,9.9.9.9,192.168.1.1
    auto=add
    forceencaps=yes

include /var/lib/strongswan/ipsec.conf.inc

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc

192.168.1.10 %any : PSK "xxxxxxxxxx"

User1 : XAUTH "xxxxxxxxxx"

#!/bin/sh

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
## Flush the nat and mangle tables as well; otherwise re-running this script
## appends a second copy of the MASQUERADE and TCPMSS rules below.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -Z

## To prevent us from being locked out of the SSH session,
## we'll accept connections that are already established.
## We'll also open port 22 (or whichever port you've configured) for future SSH connections to the server.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

## We'll also need to accept connections on the local loopback interface:
iptables -A INPUT -i lo -j ACCEPT

## Then we'll tell iptables to accept IKE (UDP 500) and NAT-T (UDP 4500):
iptables -A INPUT -p udp --dport  500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

## Next, we'll tell iptables to forward the clients' traffic. After decryption the
## kernel still knows that a packet arrived through an ESP policy, which is what
## the policy match tests (--proto esp is an option of the policy match, not the
## packet protocol), so only traffic that came in through the tunnel, or will
## leave through it, is forwarded:
iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.0.0.0/24 -j ACCEPT

## Our VPN server will act as a gateway between the VPN clients and the internet.
## Since the VPN server will only have a single public IP address,
## we will need to configure masquerading to allow the server to request data from the internet on behalf of the clients;
## this will allow traffic to flow from the VPN clients to the internet, and vice-versa.
## Traffic from the pool that leaves through an IPsec policy (for example between two
## clients) goes back into the tunnel and must keep its source address, so it is
## exempted from masquerading first:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

## To prevent IP packet fragmentation on some clients, we'll tell iptables to clamp the
## TCP MSS of connections coming out of the tunnel, so that the encapsulated packets
## stay below the path MTU. This prevents issues with some VPN clients.
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.0.0.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

## For better security, we'll drop everything else that does not match the rules we've configured:
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

History

#1 Updated by Tobias Brunner over 1 year ago

  • Description updated (diff)
  • Status changed from New to Feedback

First, don't configure rightsubnet if you configure rightsourceip. Second, debug the traffic flow (check traffic counters on SAs and firewall rules, capture traffic etc.) to see where it might get stuck. Also see HelpRequests.
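
The first point, written out as an added example (this is not the reporter's file and not strongSwan project code): a road-warrior conn that hands out virtual IPs should not also set rightsubnet. With rightsourceip the address assigned to a client becomes that client's remote traffic selector by itself, which is what the log in comment #2 shows (TS 0.0.0.0/0 === 10.0.0.101/32), so rightsubnet is at best redundant. The pool 10.10.10.0/24 is an assumption chosen because that same log shows the gateway itself at 10.0.0.10, inside the 10.0.0.0/24 pool of the report; everything else is taken from the report.

```conf
# Before (from the report): rightsubnet and rightsourceip both set
#   rightsubnet=10.0.0.0/24
#   rightsourceip=10.0.0.1/24

# After: road-warrior conn with a virtual IP pool and no rightsubnet
conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    # clients send all traffic through the gateway
    leftsubnet=0.0.0.0/0
    # the updown script adds per-client FORWARD rules
    leftfirewall=yes
    right=%any
    # assumed pool, kept outside the gateway's own LAN;
    # each client's /32 from it is its remote traffic selector
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1,9.9.9.9
    forceencaps=yes
    auto=add
```

After reloading, `ipsec statusall` should list the child SA with the client's single virtual address on the right-hand side, exactly as in the log above; if it does, the tunnel side is fine and the place to look is forwarding and NAT.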

#2 Updated by Aiden A over 1 year ago

I tried running the following and this is what I get:


pi@raspberrypi:~ $ tail -f /var/log/auth.log
May 13 03:53:40 raspberrypi charon: 10[IKE] 208.54.37.231 is initiating a Main Mode IKE_SA
May 13 03:53:40 raspberrypi charon: 07[IKE] IKE_SA ios1 established between 10.0.0.10[10.0.0.10]...208.54.37.231[0.0.0.0]
May 13 03:53:41 raspberrypi charon: 09[IKE] CHILD_SA ios{1} established with SPIs cdcbe627_i 09ea835d_o and TS 0.0.0.0/0 === 10.0.0.101/32


#3 Updated by Tobias Brunner over 1 year ago

I tried running the following and this is what I get:

What are you trying to say? Did you read ForwardingAndSplitTunneling?

#4 Updated by Tobias Brunner 12 months ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback

#5 Updated by Olaf Martens 4 months ago

I'm currently experiencing a similar problem, and by doing a good deal of testing I have noticed that the firewall rules installed by charon in the FORWARD table are actually reached (the packet counter is increasing), but they are never sent out (POSTROUTING in the nat table is never reached - a logging rule that is inserted at position 1 is never invoked).

I've also done some other testing by attempting to set entries in the routing table; unfortunately they don't seem to have any effect either, and mapping IPsec traffic to virtual network interfaces still beats me, so I haven't attempted that approach yet.

The point is, I'm working in a VM whose network traffic is routed through the Domain-0 on my computer (it acts as both a DNS server and an X terminal - the LAN is shunted in charon-nm so that local addresses can be reached) which in turn links to the gateway to my ISP's network. I can reach the Internet without any problems.
Now, what I'm attempting to do is set up my server as an IPsec gateway (any traffic is supposed to be routed via the server to the Internet, and any responses are supposed to be returned), however, once the tunnel is open I am able to reach the server, but nothing meant for the Internet is able to reach its destination.
A traceroute to an arbitrary address indicates that it is reaching the server, but anything beyond that is unsuccessful.
Upon closing the tunnel normal behavior is restored.

/etc/ipsec.conf on the server:

config setup
        strictcrlpolicy=no
        uniqueids=no

ca robidu.de
        cacert=cacert.der
        auto=add

ca rw-intermediate
        cacert=rw-intermediate-cert.der
        auto=add

ca intermediate
        cacert=intermediate-cert.der
        auto=add

conn %default
        fragmentation=yes
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3
        dpdaction=restart
        dpddelay=2m
        keyexchange=ikev2
        left=81.169.175.87
        leftcert=central-servercert.der
        leftid="*******" 
        leftsubnet=81.169.175.87
        reauth=no
        compress=yes
        auto=route

conn backup-server
        keyingtries=1
        right=85.214.197.171
        rightid="******" 
        rightsendcert=yes
        mobike=no
        type=transport

conn rw
        forceencaps=yes
        rightid="******" 
        leftauth=pubkey
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        rightauth=eap-radius
        right=%any
        rightsourceip=172.16.1.128-172.16.1.254
        rightfirewall=yes
        auto=add

The firewall and security features setup (IPv4 only) - irrelevant interfaces have been removed:

/sbin/tc qdisc del dev eth0 root > /dev/null 2>&1

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

# Set default chain policies to shield the machine before anything comes up
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP

/sbin/iptables -F
/sbin/iptables -t raw -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t raw -X
/sbin/iptables -Z

if [[ -e /opt/ipset/spamhaus.set ]] && [[ -s /opt/ipset/spamhaus.set ]] ; then
    /sbin/ipset -q restore -f /opt/ipset/spamhaus.set
else
    /sbin/ipset -q -exist create SPAMHAUS hash:net family inet timeout 0
fi
if [[ -e /opt/ipset/bogon.set ]] && [[ -s /opt/ipset/bogon.set ]] ; then
    /sbin/ipset -q restore -f /opt/ipset/bogon.set
else
    /sbin/ipset -q -exist create BOGON hash:net family inet timeout 0
fi
if [[ -e /opt/ipset/spiderkill.set ]] && [[ -s /opt/ipset/spiderkill.set ]] ; then
    /sbin/ipset -q restore -f /opt/ipset/spiderkill.set
else
    /sbin/ipset -q -exist create SPIDERKILL hash:net family inet timeout 1209600
fi
if [[ -e /opt/ipset/spamhaus6.set ]] && [[ -s /opt/ipset/spamhaus6.set ]] ; then
    /sbin/ipset -q restore -f /opt/ipset/spamhaus6.set
else
    /sbin/ipset -q -exist create SPAMHAUS6 hash:net family inet6 maxelem 655360 timeout 0
fi
if [[ -e /opt/ipset/bogon6.set ]] && [[ -s /opt/ipset/bogon6.set ]] ; then
    /sbin/ipset -q restore -f /opt/ipset/bogon6.set
else
    /sbin/ipset -q -exist create BOGON6 hash:net family inet6 maxelem 655360 timeout 0
fi
if [[ -e /opt/ipset/spiderkill6.set ]] && [[ -s /opt/ipset/spiderkill6.set ]] ; then
    /sbin/ipset -q restore -f /opt/ipset/spiderkill6.set
else
    /sbin/ipset -q -exist create SPIDERKILL6 hash:net family inet6 timeout 1209600
fi

# Generate additional packet chains
/sbin/iptables -N block_ext_in
/sbin/iptables -N block_ext_out
/sbin/iptables -N zone_ext_in
/sbin/iptables -N zone_ext_out
/sbin/iptables -N ICMP_ECHO
/sbin/iptables -N ICMP_ECHO_ABL
/sbin/iptables -N SSH
/sbin/iptables -N SSH_ABL
/sbin/iptables -N SSH_KNOCK
/sbin/iptables -N SMTP
/sbin/iptables -N SMTP_ABL
/sbin/iptables -N RSMTP
/sbin/iptables -N RSMTP_ABL
/sbin/iptables -N IMAP
/sbin/iptables -N IMAP_ABL
/sbin/iptables -N drop_icmp

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc

# Drop deprecated ICMP messages
/sbin/iptables -A drop_icmp -p icmp --icmp-type 4 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 6 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 15 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 16 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 17 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 18 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 30 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 31 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 32 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 33 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 34 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 35 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 36 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 37 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 38 -j DROP
/sbin/iptables -A drop_icmp -p icmp --icmp-type 39 -j DROP

# Protection against flood-pinging
/sbin/iptables -A ICMP_ECHO -m recent --name ICMP_ECHO_ABL --update --seconds 86400 -j DROP
/sbin/iptables -A ICMP_ECHO -m recent --name ICMP_ECHO --rcheck --seconds 60 --hitcount 60 -j ICMP_ECHO_ABL
/sbin/iptables -A ICMP_ECHO_ABL -m recent --name ICMP_ECHO_ABL --set -j LOG --log-level warning --log-prefix "ABL: +Ping: " 
/sbin/iptables -A ICMP_ECHO_ABL -j DROP
/sbin/iptables -A ICMP_ECHO -m recent --name ICMP_ECHO --rcheck --seconds 1 --hitcount 3 -j LOG --log-level warning --log-prefix "Ping-RATE: " 
/sbin/iptables -A ICMP_ECHO -m recent --name ICMP_ECHO --update --seconds 1 --hitcount 3 -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A ICMP_ECHO -m recent --name ICMP_ECHO_ABL --remove -j LOG --log-level warning --log-prefix "ABL: -Ping: " 
/sbin/iptables -A ICMP_ECHO -m recent --name ICMP_ECHO --set -j ACCEPT

# SSH protection
/sbin/iptables -A SSH -m recent --name SSH_ABL --update --seconds 7200 -j DROP
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 600 --hitcount 3 -j SSH_ABL
/sbin/iptables -A SSH_ABL -m recent --name SSH_ABL --set -j LOG --log-level warning --log-prefix "ABL: +SSH: " 
/sbin/iptables -A SSH_ABL -j DROP
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 10 -j LOG --log-level warning --log-prefix "SSH-RATE: " 
/sbin/iptables -A SSH -m recent --name SSH --update --seconds 10 -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A SSH -m recent --name SSH_ABL --remove -j LOG --log-level warning --log-prefix "ABL: -SSH: " 
/sbin/iptables -A SSH -m recent --name SSH --set -j ACCEPT

# SMTP protection
/sbin/iptables -A SMTP -m recent --name SMTP_ABL --update --seconds 1800 -j DROP
/sbin/iptables -A SMTP -m recent --name SMTP --rcheck --seconds 300 --hitcount 3 -j SMTP_ABL
/sbin/iptables -A SMTP_ABL -m recent --name SMTP_ABL --set -j LOG --log-level warning --log-prefix "ABL: +SMTP: " 
/sbin/iptables -A SMTP_ABL -j DROP
/sbin/iptables -A SMTP -m recent --name SMTP --rcheck --seconds 10 -j LOG --log-level warning --log-prefix "SMTP-RATE: " 
/sbin/iptables -A SMTP -m recent --name SMTP --update --seconds 10 -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A SMTP -m recent --name SMTP_ABL --remove -j LOG --log-level warning --log-prefix "ABL: -SMTP: " 
/sbin/iptables -A SMTP -m recent --name SMTP --set -j ACCEPT

# RSMTP protection
/sbin/iptables -A RSMTP -m recent --name RSMTP_ABL --update --seconds 3600 -j DROP
/sbin/iptables -A RSMTP -m recent --name RSMTP --rcheck --seconds 120 --hitcount 5 -j RSMTP_ABL
/sbin/iptables -A RSMTP_ABL -m recent --name RSMTP_ABL --set -j LOG --log-level warning --log-prefix "ABL: +RSMTP: " 
/sbin/iptables -A RSMTP_ABL -j DROP
/sbin/iptables -A RSMTP -m recent --name RSMTP --rcheck --seconds 10 -j LOG --log-level warning --log-prefix "RSMTP-RATE: " 
/sbin/iptables -A RSMTP -m recent --name RSMTP --update --seconds 10 -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A RSMTP -m recent --name RSMTP_ABL --remove -j LOG --log-level warning --log-prefix "ABL: -RSMTP: " 
/sbin/iptables -A RSMTP -m recent --name RSMTP --set -j ACCEPT

# IMAP protection
/sbin/iptables -A IMAP -m recent --name IMAP_ABL --update --seconds 1800 -j DROP
/sbin/iptables -A IMAP -m recent --name IMAP --rcheck --seconds 120 --hitcount 5 -j IMAP_ABL
/sbin/iptables -A IMAP_ABL -m recent --name IMAP_ABL --set -j LOG --log-level warning --log-prefix "ABL: +IMAP: " 
/sbin/iptables -A IMAP_ABL -j DROP
/sbin/iptables -A IMAP -m recent --name IMAP --rcheck --seconds 5 -j LOG --log-level warning --log-prefix "IMAP-RATE: " 
/sbin/iptables -A IMAP -m recent --name IMAP --update --seconds 5 -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A IMAP -m recent --name IMAP_ABL --remove -j LOG --log-level warning --log-prefix "ABL: -IMAP: " 
/sbin/iptables -A IMAP -m recent --name IMAP --set -j ACCEPT

# Initial blocks for the external zone
/sbin/iptables -A block_ext_in -m set --match-set BOGON src -j DROP
/sbin/iptables -A block_ext_in -m set --match-set SPAMHAUS src -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A block_ext_in -p tcp --dport 80 -m set --match-set SPIDERKILL src -j LOG --log-level warning --log-prefix "Rogue spider: " 
/sbin/iptables -A block_ext_in -p tcp --dport 80 -m set --match-set SPIDERKILL src -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A block_ext_in -p tcp --dport 443 -m set --match-set SPIDERKILL src -j LOG --log-level warning --log-prefix "Rogue spider: " 
/sbin/iptables -A block_ext_in -p tcp --dport 443 -m set --match-set SPIDERKILL src -j REJECT --reject-with icmp-admin-prohibited

/sbin/iptables -A block_ext_out -m set --match-set BOGON dst -j REJECT --reject-with icmp-net-unreachable
/sbin/iptables -A block_ext_out -m set --match-set SPAMHAUS dst -j REJECT --reject-with icmp-net-unreachable

# Rules for the external zone
/sbin/iptables -A zone_ext_in -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_KNOCK
/sbin/iptables -A zone_ext_in -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH
/sbin/iptables -A zone_ext_in -p tcp --dport 6667 -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A zone_ext_in -p tcp --dport 25 -m conntrack --ctstate NEW -j SMTP
/sbin/iptables -A zone_ext_in -p tcp --dport 587 -m conntrack --ctstate NEW -j RSMTP
/sbin/iptables -A zone_ext_in -p tcp --dport 993 -m conntrack --ctstate NEW -j IMAP
/sbin/iptables -A zone_ext_in -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A zone_ext_in -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A zone_ext_in -p tcp --dport 990 -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A zone_ext_in -p udp --sport 53 -m conntrack --ctdir REPLY -j ACCEPT
/sbin/iptables -A zone_ext_in -p udp --sport 123 -m conntrack --ctdir REPLY -j ACCEPT

# Basic rules for incoming packets
/sbin/iptables -t raw -A PREROUTING -i lo -j CT --notrack
/sbin/iptables -t raw -A PREROUTING -i eth0 -m set --match-set BOGON src -j CT --notrack
/sbin/iptables -t raw -A PREROUTING -i eth0 -m set --match-set SPAMHAUS src -j CT --notrack
/sbin/iptables -t raw -A OUTPUT -o eth0 -m set --match-set BOGON dst -j CT --notrack
/sbin/iptables -t raw -A OUTPUT -o eth0 -m set --match-set SPAMHAUS dst -j CT --notrack
/sbin/iptables -t raw -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
# MSS clamping for TCP SYNs to and from the road-warrior pool. The posted rules
# carried no TCPMSS option (iptables requires --set-mss or --clamp-mss-to-pmtu,
# and the second line was cut off at "TCPM"); --set-mss 1360 is assumed here to
# match the 1361:1536 range. --clamp-mss-to-pmtu is not used because the kernel
# refuses it in the PREROUTING hook.
/sbin/iptables -t mangle -A PREROUTING -p tcp -s 172.16.1.0/24 -m policy --pol ipsec --dir in -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
/sbin/iptables -t mangle -A POSTROUTING -p tcp -d 172.16.1.0/24 -m policy --pol ipsec --dir out -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
/sbin/iptables -t raw -A OUTPUT -o lo -j CT --notrack

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 81.169.175.87 -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.1.0/24 -m policy --pol ipsec --dir in -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m policy --pol none --dir in -j block_ext_in
/sbin/iptables -A INPUT -p icmp -j drop_icmp
/sbin/iptables -A INPUT -i eth0 -p udp --dport isakmp -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p esp -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctdir REPLY -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp -m conntrack --ctdir REPLY -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j ICMP_ECHO
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 3/4 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j zone_ext_in
/sbin/iptables -A INPUT -p icmp -j DROP
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited

# Basic rules for outgoing packets
/sbin/iptables -A OUTPUT -d 172.16.1.0/24 -m policy --pol ipsec --dir out -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 ! -p icmp -j block_ext_out
/sbin/iptables -A OUTPUT -o eth0 ! -p icmp -j block_vlan_out
/sbin/iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -m policy --pol none --dir out -j REJECT --reject-with icmp-net-unreachable
/sbin/iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -m policy --pol none --dir out -j REJECT --reject-with icmp-net-unreachable
/sbin/iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -m policy --pol none --dir out -j REJECT --reject-with icmp-net-unreachable
/sbin/iptables -A OUTPUT -o eth0 ! -p icmp -j zone_ext_out

# For now, block packet routing
/sbin/iptables -A FORWARD -p tcp -m conntrack --ctstate INVALID -j DROP
/sbin/iptables -A FORWARD -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -p udp --sport 53 -m conntrack --ctdir REPLY -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -p udp --sport 123 -m conntrack --ctdir REPLY -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -p icmp -m conntrack --ctdir REPLY -j ACCEPT
/sbin/iptables -A FORWARD -o eth0 -s 172.16.1.0/24 -m policy --pol ipsec --dir in -j ACCEPT
/sbin/iptables -A FORWARD -o eth0 -d 10.0.0.0/8 -m policy --pol none --dir out -j REJECT --reject-with icmp-net-unreachable
/sbin/iptables -A FORWARD -o eth0 -d 172.16.0.0/12 -m policy --pol none --dir out -j REJECT --reject-with icmp-net-unreachable
/sbin/iptables -A FORWARD -o eth0 -d 192.168.0.0/16 -m policy --pol none --dir out -j REJECT --reject-with icmp-net-unreachable
/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited

/sbin/iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -j SNAT --to-source 81.169.175.87 --persistent

/sbin/iptables -t mangle -A POSTROUTING -o eth0 -m length --length :128 -j CLASSIFY --set-class 1:1
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 53 -j CLASSIFY --set-class 1:1
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 53 -j CLASSIFY --set-class 1:1
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport 22 -m tos --tos Minimize-Delay -j CLASSIFY --set-class 1:2
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 111 -j CLASSIFY --set-class 1:3
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport 111 -j CLASSIFY --set-class 1:3
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 2049 -j CLASSIFY --set-class 1:3
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport 2049 -j CLASSIFY --set-class 1:3
/sbin/iptables -t mangle -A POSTROUTING -o eth0 -p esp -j CLASSIFY --set-class 1:4

/sbin/tc qdisc add dev eth0 root handle 1:0 htb default 16
/sbin/tc class add dev eth0 parent 1:0 classid 1:20 htb rate 102000kbit ceil 102000kbit
/sbin/tc class add dev eth0 parent 1:20 classid 1:1 htb rate 25kbit ceil 102000kbit prio 0 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:2 htb rate 25kbit ceil 102000kbit prio 1 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:3 htb rate 10200kbit ceil 102000kbit prio 2 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:4 htb rate 20400kbit ceil 102000kbit prio 3 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:16 htb rate 71350kbit ceil 102000kbit prio 4 quantum 3000
/sbin/tc qdisc add dev eth0 parent 1:4 hhf
/sbin/tc qdisc add dev eth0 parent 1:16 hhf

Right now I don't seem to see the forest for the trees. Any pointers on what could be going wrong here?
And to avoid the question: I have read the documentation on forwarding and split-tunneling and some others, but I have merely drawn blanks there.
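
The counter check that comment #1 asks for, done the way comment #5 did it by hand, as an added example that is not code from this issue or from the strongSwan project. It walks the path a client packet takes on a Linux IPsec gateway (decrypted in an xfrm state, accepted in FORWARD, source-translated in nat POSTROUTING, sent out the egress interface) and names the first stage whose counter stays at zero. The parsing functions read command output from stdin, so they also work on a saved snapshot; gather_live needs root plus ip and iptables. The interface name, the NAT target, the addresses and every counter in the sample snapshot are assumptions; the SPIs are borrowed from the log in comment #2.

```shell
#!/bin/sh
# Added example (not from the issue or the strongSwan project): locate the first
# stage at which a road-warrior client's packets disappear on a Linux IPsec
# gateway: decrypt (xfrm state) -> FORWARD accept -> nat POSTROUTING -> egress.
# Interface, NAT target and the sample counters below are assumptions.

EGRESS="eth0"            # assumed Internet-facing interface
NAT_TARGET="MASQUERADE"  # or SNAT, as in the setup in comment #5

# Sum the "(packets)" counter of every inbound ESP SA in `ip -s xfrm state`
# output, i.e. how many client packets the kernel actually decrypted.
# $1 is the gateway's own address; SAs whose dst is that address are inbound.
sa_packets_in() {
    awk -v me="$1" '
        /^src / { inbound = ($4 == me) }
        inbound && /^[ \t]*[0-9]+\(bytes\), [0-9]+\(packets\)/ {
            n = $2; sub(/\(packets\)/, "", n); total += n
        }
        END { print total + 0 }'
}

# Packet counter of the first rule in `iptables -vnL <chain> -x` output whose
# line contains $1 (e.g. "MASQUERADE", or "policy match dir in", which is how
# -m policy --pol ipsec --dir in is listed). Prints -1 if no rule matches.
# -x keeps the counters exact instead of abbreviating them as 12K.
rule_packets() {
    awk -v pat="$1" '
        NR > 2 && index($0, pat) { print $1; found = 1; exit }
        END { if (!found) print "-1" }'
}

# Name the first stage that saw no packets. Arguments: ip_forward value,
# decrypted packets, FORWARD-accept packets, NAT-rule packets.
diagnose() {
    if [ "$1" != 1 ]; then
        echo "ip_forward is off: the gateway will not route for clients"
    elif [ "$2" -le 0 ]; then
        echo "no inbound ESP packets decrypted: client traffic is not entering the tunnel (check the client's traffic selectors / split tunnelling)"
    elif [ "$3" -lt 0 ]; then
        echo "no FORWARD rule matches the policy: the policy-match ACCEPT rule is missing"
    elif [ "$3" -eq 0 ]; then
        echo "decrypted packets never reach the FORWARD ACCEPT rule: check rp_filter and earlier DROP/REJECT rules in FORWARD"
    elif [ "$4" -le 0 ]; then
        echo "FORWARD accepted packets but the nat POSTROUTING $NAT_TARGET rule was not hit: check 'ip route get <dst>' and the rule's -o $EGRESS"
    else
        echo "all stages see packets: capture replies on $EGRESS with tcpdump, then check the policy match dir out rules"
    fi
}

# Live run (root). $1 is the gateway's own address (the left= address).
gather_live() {
    fwd=$(sysctl -n net.ipv4.ip_forward)
    dec=$(ip -s xfrm state | sa_packets_in "$1")
    acc=$(iptables -vnL FORWARD -x | rule_packets "policy match dir in")
    nat=$(iptables -t nat -vnL POSTROUTING -x | rule_packets "$NAT_TARGET")
    diagnose "$fwd" "$dec" "$acc" "$nat"
}

# Constructed snapshot (not a real capture) reproducing comment #5's symptom:
# packets are decrypted and accepted in FORWARD, but the NAT rule never fires.
# Gateway 192.0.2.10, client 198.51.100.7 and pool 10.10.10.0/24 are made up.
SAMPLE_XFRM='src 198.51.100.7 dst 192.0.2.10
    proto esp spi 0xcdcbe627 reqid 1 mode tunnel
    lifetime config:
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      5208(bytes), 62(packets)
src 192.0.2.10 dst 198.51.100.7
    proto esp spi 0x09ea835d reqid 1 mode tunnel
    lifetime current:
      0(bytes), 0(packets)'
SAMPLE_FORWARD='Chain FORWARD (policy DROP 17 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      62       5208 ACCEPT     all  --  *      eth0    10.10.10.0/24        0.0.0.0/0            policy match dir in pol ipsec proto esp
       0          0 ACCEPT     all  --  eth0   *       0.0.0.0/0            10.10.10.0/24        policy match dir out pol ipsec proto esp'
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  *      eth0    10.10.10.0/24        0.0.0.0/0            policy match dir out pol ipsec
       0          0 MASQUERADE all  --  *      eth0    10.10.10.0/24        0.0.0.0/0'

# Run the verdict over the snapshot above (ip_forward assumed on).
diagnose_sample() {
    dec=$(printf '%s\n' "$SAMPLE_XFRM" | sa_packets_in 192.0.2.10)
    acc=$(printf '%s\n' "$SAMPLE_FORWARD" | rule_packets "policy match dir in")
    nat=$(printf '%s\n' "$SAMPLE_NAT" | rule_packets "$NAT_TARGET")
    diagnose 1 "$dec" "$acc" "$nat"
}

diagnose_sample
```

On a real gateway, source the file and call `gather_live <gateway-address>` as root; the stage it names is where to insert a LOG rule or start tcpdump. Reading counters before and after a single ping from the client, rather than once, avoids being misled by packets that were forwarded earlier.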
