[Openswan Users] IPSec/Netkey interaction with IPTables/Netfilter

Paul TBBle Hampson Paul.Hampson at Pobox.com
Wed Aug 17 20:43:52 CEST 2005


On Tue, Aug 16, 2005 at 03:45:34PM +0100, Nigel Metheringham wrote:
> I would prefer to use netkey (kernel native ipsec) rather than klips if
> possible to keep the maintenance load down (having to generate kernel
> modules every time there is a kernel update could be problematic).
> However if anyone can make a good case for using klips over netkey I'd
> be interested in hearing the details.

> With netkey it appears pretty hard to work out how to handle firewalling
> on the ipsec gateway, and it seems rather poorly documented.  

An alternative is to use the system policy database to filter non-IPsec packets
you don't want...

This is the script I used to block anything from the wireless link
(10.20.30.0/24) except UDP 67 dhcpd3, UDP 500 (pluto) and local ICMP.  As
connections are established with ipsec, they are added to the SPD at a priority
somewhere below 50000 and so override the block.

This means that I only see packets in iptables if they've come from an IPSec
session, or were udp ports 67, 500 or local icmp traffic.  I still see the
packets twice, mind you, before and after ipsec. ^_^

# Inbound from the wireless subnet: allow DHCP, IKE and ICMP at priority 10000,
# block everything else at 50000 (lower number wins in the xfrm SPD)
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 67 dport 67 dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 500 dport 500 dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto icmp dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 dir in action block priority 50000

# Outbound to the wireless subnet: same exceptions, same catch-all block
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto udp sport 67 dport 67 dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto udp sport 500 dport 500 dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto icmp dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 dir out action block priority 50000

# Forwarded plaintext from the wireless subnet is blocked outright
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 dir fwd action block priority 50000

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson at Pobox.com

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

License: http://creativecommons.org/licenses/by/2.1/au/
-----------------------------------------------------------
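An added example, not part of the original post, which generalises the script above into a small POSIX shell generator: given the subnet and a list of allowed protocol/port exceptions it emits the same `ip xfrm policy add` lines (allow rules at priority 10000, catch-all blocks at 50000 for in, out and fwd), so the ruleset can be reviewed before it is piped to a root shell. The function names and the `proto[:sport:dport]` exception syntax are my own.

```shell
#!/bin/sh
# Generator for the netkey SPD filter above: allow rules at a low priority
# number (which wins in xfrm) and a catch-all block at 50000, which IPsec
# policies installed by pluto (below 50000) still override.
# Exception syntax (invented here): proto  or  proto:sport:dport, e.g. udp:500:500

ALLOW_PRIO=10000
BLOCK_PRIO=50000

# Print one 'ip xfrm policy add' line.
# $1 dir, $2 src, $3 dst, $4 selector (may be empty), $5 priority, $6 action (may be empty)
emit_policy() {
    printf 'ip xfrm policy add src %s dst %s%s dir %s%s priority %s\n' \
        "$2" "$3" "${4:+ $4}" "$1" "${6:+ action $6}" "$5"
}

# Turn an exception spec into an xfrm selector, e.g. udp:67:67 -> "proto udp sport 67 dport 67"
selector_for() {
    case $1 in
        *:*:*) set -- "${1%%:*}" "${1#*:}"; echo "proto $1 sport ${2%%:*} dport ${2#*:}" ;;
        *)     echo "proto $1" ;;
    esac
}

# gen_spd_rules <subnet> <exception>... : emit the full in/out/fwd ruleset
gen_spd_rules() {
    net=$1; shift
    for exc in "$@"; do
        sel=$(selector_for "$exc")
        emit_policy in  "$net" 0.0.0.0/0 "$sel" "$ALLOW_PRIO" ""
        emit_policy out 0.0.0.0/0 "$net" "$sel" "$ALLOW_PRIO" ""
    done
    # Catch-all blocks come last; the lower-numbered policies above win on a match.
    emit_policy in  "$net" 0.0.0.0/0 "" "$BLOCK_PRIO" block
    emit_policy out 0.0.0.0/0 "$net" "" "$BLOCK_PRIO" block
    emit_policy fwd "$net" 0.0.0.0/0 "" "$BLOCK_PRIO" block
}

# Review the output first; apply as root with:  gen_spd_rules ... | sh -e
gen_spd_rules 10.20.30.0/24 udp:67:67 udp:500:500 icmp
```

Run with the arguments shown and the output reproduces the nine commands from the post line for line.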

