[Openswan Users] Tunnels come up, but not all traffic goesthrough
Michael Richardson
mcr at sandelman.ottawa.on.ca
Thu Jun 10 14:25:40 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
>>>>>>> "Matt" == Matt Harrell <matt at mattharrell.net> writes:
Matt> I should have mentioned that. I did change all references to
Matt> ipsec0 to eth1 (external NIC) in my iptables rules. Is that
Matt> all there is to it?
>> No. You have likely caused yourself a security hole.
>>
>> You can not firewall IPsec things with 2.6 kernels, without
>> patches.
Herbert> This is bullshit. You *can* firewall IPsec traffic just
Herbert> fine with 2.6. It is also unlikely to have caused security
Okay. I owed the poster a followup, so let me do it now.
Assume that I currently have a setup like:
Internet
|
.-------.
| eth1 |
| |
| eth0 |
'-------'
|
192.168.1.0/24
Assume two VPNs, one to network C: 192.168.2.0/24 and D:192.168.3.0/24
Now, assume that I have setup rules like:
# prevent bogons, since we turned off rp_filter
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -j DROP
# prevent impersonation on in-secure side
iptables -A INPUT -i eth1 -s 192.168.2.0/24 -d 0.0.0.0/0 -j DROP
iptables -A INPUT -i eth1 -s 192.168.3.0/24 -d 0.0.0.0/0 -j DROP
# permit LAN-C to connect to special server at 1.19:
iptables -A INPUT -i ipsec0 -s 192.168.2.0/24 -d 192.168.1.19/32 -j ACCEPT
iptables -A INPUT -i ipsec0 -s 192.168.3.0/24 -d 192.168.1.19/32 -j DROP
.... (appologies for syntax error)
Now, if one simply "change all references to ipsec0 to eth1", then one
has just permitted traffic from the outside to arrive on eth1, unencrypted.
I know of no way to do this on stock 2.6 without resort to patches
posted to netdev in the past two months, which I think are still being
improved.
- --
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQMiZkYqHRg3pndX9AQFShAQAtY/30ef6wtTl2KjOSfGq4GWK6yJoP+ld
7gwQRdiEhJaC/0ET5wS27mymDHl0RE6L/0Epdifd11D/RR1ac1idqB1hmTaVvWen
h2d9n9ZF8f0+fFRNUKepI0yit8e0AMG6pRouf9bQfY2eldyCnjYhNwvnJ6r5aA6F
U7KxQt7Vrig=
=oRGT
-----END PGP SIGNATURE-----
More information about the Users
mailing list