[Openswan Users] Controlling XFRM policies to prevent spoofing
msmith at cbnco.com
Thu Jan 11 16:15:25 EST 2007
On Thu, 11 Jan 2007, Paul Wouters wrote:
> On Thu, 11 Jan 2007, Michael Smith wrote:
> > I'm using openswan 2.4.7 and netkey (kernel 184.108.40.206). I am trying to
> > figure out how to create IPsec policies to require that inbound traffic
> > from certain IP ranges can only be forwarded if it came in over IPsec.
> If you have a tunnel definition, then all plaintext packets for those IP's
> will always be dropped. KLIPS does this for sure. If NETKEY does not, it
> needs fixing.
NETKEY does drop outbound plaintext packets covered by routed tunnel
definitions. When the tunnel is up, Openswan adds policies that cause it
to drop inbound plaintext packets, too. My dummy tunnels don't ever come
up, so that is why they don't get protected in the inbound direction.
> All your border gateways to your ISP should be dropping
> all 10/8 incoming packets from the ISP routers. Once they are inside your
> network, irt becomes much harder to judge if they were spoofed or not.
OK, this is sensible. IPsec is running on my border gateway, so it
is a little harder, but I think I can do it with iptables marks.
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 \
-m mark --mark 1 -j some_further_chain
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
More information about the Users