[Openswan Users] iptables and ipsec
Andreas Stallmann
stallmann at dawin.de
Wed Feb 1 16:08:02 CET 2006
Hello all,
All right. I patched, compiled and installed the kernel as well as
iptables with the "recent" and "policy" patch as recommended. Now I'm
looking for some detailed explanation on how to get the stuff working.
I'm trying to filter a packet based on the fact that the connection was
authenticated by openswan/ipsec (with the firewall and the vpn-router
gateway being one and the same machine). Michael already gave me the
hint to do it the following way:
> $IPTABLES -A FORWARD -m policy --dir in -i eth2 --pol ipsec \
> -m state --state NEW -j ACCEPT
I have to admit, I have my difficulties understanding this expression.
:-( And the help available with "iptables -m policy -h" is not very
intuitive.
All right... I already allowed AH and ESP directed to the firewall's
external interface. If I understand correctly, I now have to allow
traffic that's coming from the firewall's - for the lack of a better
word - VPN-Gateway to the internal net.
OK, let's do some naive painting. In the following picture, my packet
"X" has passed the first ruleset on the INPUT chain, allowing it to pass
through to the OPENSWAN-Software. It got authenticated by openswan and
is now passed back to the iptables stack.
outside------->FORWARD--------->inside
   |                              |
 INPUT                          OUTPUT
   |_____(OPENSWAN)_X_____________|
How would the firewall rule look that allows the packet to go right
through to my internal net? Like Michael stated above? What I do not
understand, Michael, is that your rule is appending to the FORWARD
chain, but isn't the packet coming from the inside of the firewall,
because it has passed an internal process, and thus should append to the
OUTPUT chain? And is the packet somehow "marked" by openswan, so that
iptables "knows" it passed through? How does this whole "match policy"
stuff actually work, by the way?
*ARGH* Yes, I assume I have to read through all of Rusty Russell's HOWTOs
again. But I still do think I won't find anything on "ipsec policy
match" there.
Well, folks, I know I deserve an RTFM - but please let me know where I
find the FM! Now it "pays back" that I haven't done IPSEC on the
commandline for such a long time (I'm using fwbuilder, silly me!). :-(
Thanks in advance,
A.
--
dawin GmbH - Andreas Stallmann - Consultant
Belgische Allee 50 - 53842 Troisdorf
FON +49 (0)2241 / 39 71 98 - 0
FAX +49 (0)2241 / 39 71 98 - 9
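Added example, not from the original mail or from Openswan: a ruleset for the combined gateway/firewall described above. It relies on the fact that after Openswan decapsulates an ESP/AH packet, the inner packet re-enters netfilter on the external interface and is routed, so it traverses FORWARD rather than OUTPUT, and "-m policy --dir in --pol ipsec" matches only packets that arrived through an inbound IPsec SA. Interface names, network addresses and the helper functions are assumptions.

```shell
#!/bin/sh
# Assumed placeholders: eth2 = external, eth0 = internal,
# 192.168.10.0/24 = internal net, 10.0.0.0/24 = remote VPN net.
IPTABLES=${IPTABLES:-iptables}
EXT_IF=${EXT_IF:-eth2}
INT_IF=${INT_IF:-eth0}
LOCAL_NET=${LOCAL_NET:-192.168.10.0/24}
REMOTE_NET=${REMOTE_NET:-10.0.0.0/24}

# Emit the rules to stdout so they can be reviewed before being loaded.
ipsec_rules() {
    cat <<EOF
# 1. IKE and the IPsec protocols themselves, addressed to the gateway (INPUT).
$IPTABLES -A INPUT -i $EXT_IF -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p esp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p ah -j ACCEPT
# 2. Cleartext packets claiming to come from the remote net did not pass
#    through an IPsec SA: drop them before any ESTABLISHED rule can match.
$IPTABLES -A FORWARD -i $EXT_IF -s $REMOTE_NET -m policy --dir in --pol none -j DROP
# 3. Decapsulated packets re-enter on $EXT_IF and are routed, hence FORWARD.
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $REMOTE_NET -d $LOCAL_NET \\
    -m policy --dir in --pol ipsec -m state --state NEW -j ACCEPT
# 4. Replies from the internal net that will be encrypted on the way out.
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -s $LOCAL_NET -d $REMOTE_NET \\
    -m policy --dir out --pol ipsec -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P FORWARD DROP
EOF
}

# Sanity check: how many rules use the policy match with the given --pol value.
policy_rule_count() {
    ipsec_rules | grep -c -- "--pol $1"
}

case "${1:-}" in
    --apply) ipsec_rules | sh ;;   # run as root to load the rules
    *)       ipsec_rules ;;        # default: only print them
esac
```

Run it without arguments to print the rules for review; with --apply (as root) it loads them.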