[Openswan Users]

Paul Wouters paul at xelerance.com
Fri Feb 3 20:56:25 CET 2006


On Fri, 3 Feb 2006, Andreas Stallmann wrote:

> Yes, I know, I could compile the ipsec-Module. But this is only a theoretical
> solution, 'cause it won't compile against any of the 2.6 kernels I have
> tested. Using a 2.4 kernel would be a measure of last reason, if everything
> else fails.
>
> So - any further ideas how I can solve my problem? Here's the question:
>
> How can I assure, that only traffic, which was at first authenticated via
> IPSEC, can use *specific* services in my local net?

You can use iptables -j MARK to mark all esp packets. These marks survive
decapsulation, so that you can have firewall rules blocking "all but marked
service X packets".

Paul
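Here is the marking scheme Paul describes, written out as an added example (it is not part of the list post and not Openswan's own code). It assumes a hypothetical gateway that forwards traffic into the LAN, an internal service at 192.168.1.10 on TCP port 22, and mark value 0x1; all three are placeholders and can be overridden through the environment. ESP arriving on the outside is marked in the mangle PREROUTING chain before decapsulation, and the FORWARD chain then admits only marked packets to that one service and drops everything else bound for it. The script prints the rules so they can be reviewed first; run it with `apply` to feed them to the shell.

```shell
#!/bin/sh
# Added example: restrict one internal service to traffic that arrived inside
# an IPsec tunnel, using the iptables MARK target and a mark match.
# Assumed values (placeholders, not from the original post):
SERVICE_IP="${SERVICE_IP:-192.168.1.10}"   # host offering the protected service
SERVICE_PORT="${SERVICE_PORT:-22}"         # TCP port of that service
IPSEC_MARK="${IPSEC_MARK:-0x1}"            # fwmark used to tag decapsulated traffic

# Print the iptables commands in the order they must be installed.
# Rule order matters: the ACCEPT for marked packets has to precede the DROP.
ipsec_mark_rules() {
    # 1. Mark every ESP packet (IP protocol 50) as it enters the box.
    #    The mark is carried on the skb through decapsulation, so the inner
    #    (cleartext) packet still carries it when it hits the filter table.
    echo "iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark $IPSEC_MARK"
    # 2. If NAT traversal is in use, ESP is encapsulated in UDP 4500; mark
    #    that too so NAT-T peers are treated the same way.
    echo "iptables -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark $IPSEC_MARK"
    # 3. Decapsulated packets carrying the mark may reach the service.
    echo "iptables -A FORWARD -m mark --mark $IPSEC_MARK -d $SERVICE_IP -p tcp --dport $SERVICE_PORT -j ACCEPT"
    # 4. Anything else aimed at the service, including cleartext packets from
    #    the LAN side, is dropped. Other services are unaffected by this rule.
    echo "iptables -A FORWARD -d $SERVICE_IP -p tcp --dport $SERVICE_PORT -j DROP"
}

# Number of rules produced; handy for a quick sanity check after editing.
ipsec_mark_rule_count() {
    ipsec_mark_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    ipsec_mark_rules | sh
else
    ipsec_mark_rules
fi
```

If the service runs on the gateway itself rather than behind it, the two filter rules go in INPUT instead of FORWARD. The rules above say nothing about letting the IPsec negotiation and ESP itself through (UDP 500/4500 and protocol 50 to the gateway); those need their own ACCEPT rules as before. Check the result with `iptables -t mangle -L PREROUTING -v` and `iptables -L FORWARD -v`: the packet counters on the MARK rule and on the marked ACCEPT rule should rise together when a tunnel peer uses the service, while the DROP counter should rise when an unauthenticated host tries it.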

