[Openswan Users] iptables and ipsec

Andreas Stallmann stallmann at dawin.de
Wed Feb 1 16:08:02 CET 2006


Hello all,

Alright. I patched, compiled and installed the kernel as well as 
iptables with the "recent" and "policy" patch as recommended. Now I'm 
looking for some detailed explanation of how to get the stuff working.

I'm trying to filter a packet based on the fact that the connection was 
authenticated by openswan/ipsec (with the firewall and the vpn-router 
gateway being one and the same machine). Michael already gave me the 
hint to do it the following way:

 > $IPTABLES -A FORWARD -m policy --dir in -i eth2 --pol ipsec \
 >     -m state --state NEW -j ACCEPT

I have to admit, I have my difficulties understanding this expression. 
:-( And the help available with "iptables -m policy -h" is not very 
intuitive.

Alright... I already allowed AH and ESP directed to the firewall's 
external interface. If I understand correctly, I now have to allow 
traffic that's coming from the firewall's - for the lack of a better 
word - VPN gateway to the internal net.

OK, let's do some naive painting. In the following picture, my packet 
"X" has passed the first ruleset on the INPUT chain, allowing it to pass 
through to the OPENSWAN-Software. It got authenticated by openswan and 
is now passed back to the iptables stack.

outside------->FORWARD--------->inside
        |                    |
      INPUT                OUTPUT
        |_____(OPENSWAN)_X___|

How would the firewall rule look that allows the packet to go right 
through to my internal net? Like Michael stated above? What I do not 
understand, Michael, is that your rule appends to the FORWARD 
chain, but isn't the packet coming from the inside of the firewall, 
because it has passed an internal process, and thus shouldn't it be on the 
OUTPUT chain? And is the packet somehow "marked" by openswan, so that 
iptables "knows" it passed through? How does this whole "match policy" 
stuff actually work, by the way?

*ARGH* Yes, I assume I have to read through all of Rusty Russell's HOWTOs 
again. But I still do think I won't find anything on "ipsec policy 
match" there.

Well, folks, I know I deserve a RTFM - but please let me know where I 
find the FM! Now it "pays back" that I haven't done IPsec on the 
command line for such a long time (I'm using fwbuilder, silly me!). :-(

Thanks in advance,

A.
-- 
dawin GmbH - Andreas Stallmann - Consultant
Belgische Allee 50 - 53842 Troisdorf
FON +49 (0)2241 / 39 71 98 - 0
FAX +49 (0)2241 / 39 71 98 - 9
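The following is an added example, not part of the original post and not Openswan project code. It shows a minimal ruleset for a combined firewall and IPsec gateway that uses the kernel-native 2.6 IPsec stack (NETKEY) together with the iptables "policy" match from the message above. With NETKEY there is no ipsec0 interface: the kernel decrypts an ESP packet that arrived on the external interface and re-injects the inner packet, which then traverses PREROUTING and FORWARD again on that same external interface. That is why the rule quoted above sits in FORWARD rather than OUTPUT. The policy match does not look for a mark; it asks the kernel whether the packet was actually decapsulated by an IPsec SA ("--dir in --pol ipsec") or will be encrypted by one ("--dir out --pol ipsec"), and "--pol none" lets you reject clear-text packets that merely claim to come from the remote LAN or would leave unencrypted while the tunnel is down. Interface names, subnets, the peer address and the $IPTABLES variable are assumptions for the example; the script defaults to printing the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan project):
# iptables rules for a combined firewall / IPsec gateway (NETKEY stack)
# using the "policy" match. All addresses and interface names are assumed.
#
# IPTABLES defaults to "echo iptables" so the script only prints what it
# would do; run with IPTABLES=iptables as root to apply the rules.
IPTABLES="${IPTABLES:-echo iptables}"

EXT_IF="eth0"            # assumed: interface facing the internet
INT_IF="eth1"            # assumed: interface facing our LAN
INT_NET="192.168.1.0/24" # assumed: our LAN (RFC 1918 placeholder)
REMOTE_NET="10.0.0.0/24" # assumed: LAN behind the peer gateway
PEER="203.0.113.5"       # assumed: peer gateway (documentation address)

# 1. INPUT: the IPsec control and data traffic must reach the gateway itself.
#    IKE is UDP/500 (UDP/4500 with NAT traversal); ESP is IP protocol 50,
#    AH is protocol 51. Restricting the source to the known peer limits
#    exposure of the IKE daemon.
input_rules() {
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$PEER" -p udp --dport 500  -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$PEER" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$PEER" -p esp -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -s "$PEER" -p ah  -j ACCEPT
}

# 2. FORWARD: the decrypted inner packet is re-injected on $EXT_IF and
#    traverses FORWARD. "-m policy --dir in --pol ipsec" matches only if the
#    kernel really decapsulated it via an IPsec SA; --tunnel-src pins it to
#    our peer's outer address. The mirror rule with --dir out matches LAN
#    traffic that the kernel *will* encrypt towards the peer.
forward_rules() {
    # decrypted traffic from the remote LAN into our LAN
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$REMOTE_NET" -d "$INT_NET" \
        -m policy --dir in --pol ipsec --mode tunnel --tunnel-src "$PEER" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # traffic from our LAN to the remote LAN that is going to be encrypted
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --mode tunnel --tunnel-dst "$PEER" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # clear-text packets claiming to come from the remote LAN are spoofed
    $IPTABLES -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" \
        -m policy --dir in --pol none -j DROP
    # never let LAN traffic for the remote LAN leave unencrypted (tunnel down)
    $IPTABLES -A FORWARD -o "$EXT_IF" -d "$REMOTE_NET" \
        -m policy --dir out --pol none -j DROP
}

# Emit (or apply) the whole ruleset; returns the rule lines on stdout.
all_rules() {
    input_rules
    forward_rules
}

all_rules
```

The two "--pol none" rules are the defensive half of the policy match: without them, a packet from the internet with a forged source in the remote LAN's range, or LAN traffic sent while the SA is missing, would be handled by whatever generic FORWARD rules follow. If the gateway runs the older KLIPS stack instead, the decrypted packets appear on the ipsec0 interface and the policy match is not needed for this purpose.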

