[Openswan Users] IPSec/Netkey interaction with IPTables/Netfilter
Paul TBBle Hampson
Paul.Hampson at Pobox.com
Wed Aug 17 20:43:52 CEST 2005
On Tue, Aug 16, 2005 at 03:45:34PM +0100, Nigel Metheringham wrote:
> I would prefer to use netkey (kernel native ipsec) rather than klips if
> possible to keep the maintenance load down (having to generate kernel
> modules every time there is a kernel update could be problematic).
> However if anyone can make a good case for using klips over netkey I'd
> be interested in hearing the details.
> With netkey it appears pretty hard to work out how to handle firewalling
> on the ipsec gateway, and it seems rather poorly documented.
An alternative is to use the system policy database to filter non-IPsec packets
you don't want...
This is the script I used to block anything from the wireless link
(10.20.30.0/24) except UDP 67 dhcpd3, UDP 500 (pluto) and local ICMP. As
connections are established with ipsec, they are added to the SPD at a priority
somewhere below 50000 and so override the block.
This means that I only see packets in iptables if they've come from an IPSec
session, or were udp ports 67, 500 or local icmp traffic. I still see the
packets twice, mind you, before and after ipsec. ^_^
# Inbound from the wireless link: allow DHCP (UDP 67), IKE (pluto, UDP 500) and
# ICMP. A policy with no "action" allows; lower priority numbers are consulted first.
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 67 dport 67 dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto udp sport 500 dport 500 dir in priority 10000
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 proto icmp dir in priority 10000
# Catch-all block at 50000; the policies ipsec installs for established
# connections sit below this and so take precedence.
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 dir in action block priority 50000
# Outbound to the wireless link: same exceptions, same catch-all.
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto udp sport 67 dport 67 dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto udp sport 500 dport 500 dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 proto icmp dir out priority 10000
ip xfrm policy add src 0.0.0.0/0 dst 10.20.30.0/24 dir out action block priority 50000
# Nothing from the wireless link is forwarded unless an IPsec policy matched it.
ip xfrm policy add src 10.20.30.0/24 dst 0.0.0.0/0 dir fwd action block priority 50000
--
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson at Pobox.com
"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"
License: http://creativecommons.org/licenses/by/2.1/au/
-----------------------------------------------------------
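An added example, not the poster's script and not part of Openswan: a small POSIX shell script that generates the same kind of xfrm SPD rules for a configurable subnet, prints them for review, checks that every allow rule carries a lower (earlier) priority number than the catch-all block, and only applies them when asked. The function names, the NET/ALLOW_PRIO/BLOCK_PRIO variables and the dry-run convention are this example's own; the DHCP rule uses the standard client/server port pair 68/67 from RFC 2131 rather than the 67/67 selector in the post above, which is an assumption about the reader's DHCP setup.

```shell
#!/bin/sh
# Added example (not the original poster's script): generate xfrm SPD rules
# that block a link except for DHCP, IKE and ICMP, leaving IPsec-protected
# traffic (installed at priorities below the block) to override the block.
# NET, ALLOW_PRIO, BLOCK_PRIO and all function names are made up here.
# "ip xfrm policy add/show" are real iproute2 commands.

NET="${NET:-10.20.30.0/24}"   # link to fence off (subnet from the post)
ALLOW_PRIO=10000              # lower number = consulted first
BLOCK_PRIO=50000              # catch-all; IPsec policies must sit below this

# emit DIR SRC DST SELECTOR PRIORITY [ACTION]
# Prints one "ip xfrm policy add" command. No ACTION means the policy allows.
emit() {
    if [ -n "$6" ]; then act="action $6 "; else act=""; fi
    if [ -n "$4" ]; then sel="$4 "; else sel=""; fi
    printf 'ip xfrm policy add src %s dst %s %sdir %s %spriority %s\n' \
        "$2" "$3" "$sel" "$1" "$act" "$5"
}

# All policies for the given subnet, in the order they should be added.
xfrm_policy_lines() {
    net=$1
    # inbound from the link: DHCP client->server (68->67), IKE (500), ICMP,
    # then a catch-all block that only lower-priority IPsec policies beat
    emit in  "$net" 0.0.0.0/0 "proto udp sport 68 dport 67"   "$ALLOW_PRIO"
    emit in  "$net" 0.0.0.0/0 "proto udp sport 500 dport 500" "$ALLOW_PRIO"
    emit in  "$net" 0.0.0.0/0 "proto icmp"                    "$ALLOW_PRIO"
    emit in  "$net" 0.0.0.0/0 ""                              "$BLOCK_PRIO" block
    # outbound to the link: mirror image (DHCP server->client is 67->68)
    emit out 0.0.0.0/0 "$net" "proto udp sport 67 dport 68"   "$ALLOW_PRIO"
    emit out 0.0.0.0/0 "$net" "proto udp sport 500 dport 500" "$ALLOW_PRIO"
    emit out 0.0.0.0/0 "$net" "proto icmp"                    "$ALLOW_PRIO"
    emit out 0.0.0.0/0 "$net" ""                              "$BLOCK_PRIO" block
    # forwarding from the link is blocked outright, as in the post
    emit fwd "$net" 0.0.0.0/0 ""                              "$BLOCK_PRIO" block
}

# Number of policies that would be installed.
count_policies() {
    xfrm_policy_lines "$1" | wc -l | tr -d ' '
}

# Every allow rule must carry a numerically lower priority than the block
# rule; otherwise the block is matched first and the exceptions never apply.
# Returns 0 when the ordering is sound, 1 otherwise.
check_policy_order() {
    xfrm_policy_lines "$1" | while read -r line; do
        prio=${line##* }
        case $line in
            *"action block"*) [ "$prio" -eq "$BLOCK_PRIO" ] || return 1 ;;
            *)                [ "$prio" -lt "$BLOCK_PRIO" ] || return 1 ;;
        esac
    done
}

# Runs the generated commands. Needs root and an xfrm-capable kernel.
apply_policies() {
    xfrm_policy_lines "$1" | while read -r cmd; do $cmd || return 1; done
}

case ${1:-} in
    apply) check_policy_order "$NET" && apply_policies "$NET" ;;
    *)     xfrm_policy_lines "$NET" ;;   # dry run: print the commands only
esac
```

Run it with no arguments to review the commands; `apply` installs them. Afterwards `ip xfrm policy show` lists the installed policies, which is the place to confirm that the policies Openswan adds for an established connection carry a smaller priority number than the block rule. If NAT traversal is in use, UDP 4500 needs an allow rule of the same shape as the UDP 500 one.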