[Openswan Users] Controlling XFRM policies to prevent spoofing

Michael Smith msmith at cbnco.com
Thu Jan 11 16:15:25 EST 2007

On Thu, 11 Jan 2007, Paul Wouters wrote:

> On Thu, 11 Jan 2007, Michael Smith wrote:
> > I'm using openswan 2.4.7 and netkey (kernel I am trying to
> > figure out how to create IPsec policies to require that inbound traffic
> > from certain IP ranges can only be forwarded if it came in over IPsec.
> If you have a tunnel definition, then all plaintext packets for those IP's
> will always be dropped. KLIPS does this for sure. If NETKEY does not, it
> needs fixing.

NETKEY does drop outbound plaintext packets covered by routed tunnel 
definitions. When the tunnel is up, Openswan adds policies that cause it 
to drop inbound plaintext packets, too. My dummy tunnels don't ever come 
up, so that is why they don't get protected in the inbound direction.

> All your border gateways to your ISP should be dropping
> all 10/8 incoming packets from the ISP routers. Once they are inside your
> network, irt becomes much harder to judge if they were spoofed or not.

OK, this is sensible. IPsec is running on my border gateway, so it
is a little harder, but I think I can do it with iptables marks.

iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
iptables -A FORWARD -i eth0 -s	\
	-m mark --mark 1 -j some_further_chain
iptables -A FORWARD -i eth0 -s -j DROP



More information about the Users mailing list