iptables rule for L2TP over IPSec

iptables config

Normally, if you like to allow access for L2TP you need to open port 1701 UDP:

iptables -A INPUT -s 203.0.113.0/24 -p udp --dport 1701 -m state --state NEW -j ACCEPT

This way, all new UDP connections to port 1701 from the given IP address or network will be allowed. If you're running an L2TP/IPSec server, you probably want to limit L2TP to connections which were previously encrypted by IPSec, so that only authorized clients can reach the L2TP server. This can be achieved with the `policy` match module of iptables:

iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 1701 -j ACCEPT

With this rule, you allow incoming UDP packets on port 1701 only if they were previously handled by IPSec, i.e. they arrived inside an IPSec security association. Plaintext L2TP packets to port 1701 do not match this rule and fall through to whatever follows in the chain, so make sure the chain's default policy or a later rule drops them.
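As an added example (not from the original post), the policy-match rule in the context of the other INPUT rules an L2TP/IPSec server needs (IKE, NAT-T, ESP), with the ordering that lets unencrypted L2TP fall through to an explicit DROP. The interface name `eth0` and the `IPT=echo` dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

# Emit the INPUT rules for an L2TP/IPsec server on the given WAN interface.
# Order matters: the policy-matched ACCEPT for 1701/udp must come before
# the DROP, otherwise the DROP would also swallow the IPsec-protected L2TP.
l2tp_ipsec_rules() {
    wan="$1"
    # IKE (500/udp) carries the IPsec negotiation; NAT-T (4500/udp)
    # carries UDP-encapsulated ESP when a NAT sits between the peers.
    $IPT -A INPUT -i "$wan" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$wan" -p udp --dport 4500 -j ACCEPT
    # Raw ESP (IP protocol 50) when there is no NAT in the path.
    $IPT -A INPUT -i "$wan" -p esp -j ACCEPT
    # L2TP is accepted only if the packet was decapsulated from an IPsec SA.
    $IPT -A INPUT -i "$wan" -m policy --pol ipsec --dir in \
        -p udp --dport 1701 -j ACCEPT
    # Anything else reaching 1701/udp is plaintext L2TP: drop it explicitly
    # rather than relying on the chain's default policy.
    $IPT -A INPUT -i "$wan" -p udp --dport 1701 -j DROP
}

# Stand-alone usage: dry run against eth0.
IPT=echo l2tp_ipsec_rules eth0 >/dev/null 2>&1 || true
```

Check the live result with `iptables -L INPUT -v -n --line-numbers` and confirm the policy-matched rule has a lower line number than the DROP.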

Thank you Stefan for this question!

Cross reference

In this article I explained how to set up an L2TP/IPSec server.
