[Openswan Users] iptables and the policy module

Philip Mountifield pmountifield at formac.net
Tue Dec 16 07:58:43 EST 2008


Hi All,

I have a group of subnets linked to a central server which only has 
external IP addresses. I would like to prevent any traffic which is 
local traffic decapsulated from leaking out the ethernet interface, 
traffic should either be sent down another tunnel, processed locally or 
dropped. The only way I can find at the moment would be to have a 
general rule on the forward and output chains which blocked local 
traffic and then poke holes in it when tunnels were brought up and down 
to allow netkey to grab the packets and send them down the tunnels. Is 
there a good way to do this with the policy module of iptables? I 
cannot seem to find any clear documentation of how the module tracks 
IPsec packets, can you use it to tell whether a packet will be gobbled 
up by netkey when it reaches the interface? I have tried various 
combinations of the --dir and --pol options but can't work out how this 
should work. The concept is so much simpler when you can just have 
individual interfaces.

Kind regards

Philip Mountifield
Formac Electronics
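As an added example (not part of Philip's message or of any reply on the list), the script below expresses the leak guard he describes with the `policy` match: `--dir in` asks whether the packet was decapsulated by an IPsec SA on arrival, and `--dir out` asks whether the outbound SPD lookup found a policy that NETKEY will apply, so a packet matching `--dir in --pol ipsec` together with `--dir out --pol none` is one that came in through a tunnel and would leave the box in the clear. The private range 10.0.0.0/8 and the interface eth0 are assumed placeholders; the function prints an iptables-restore fragment instead of calling iptables directly, so it can be reviewed and tested unprivileged.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment that stops decapsulated
# IPsec traffic from leaving in cleartext. Both arguments are assumptions:
#   $1  aggregate of the tunnelled subnets (e.g. 10.0.0.0/8)
#   $2  the external interface the tunnels ride on (e.g. eth0)
# The rules rely on the xt_policy match:
#   --dir in   the policy used for decapsulation (did the packet arrive via IPsec?)
#   --dir out  the policy the outbound SPD lookup chose (will NETKEY encapsulate it?)
# --dir in is valid in PREROUTING/INPUT/FORWARD, --dir out in FORWARD/OUTPUT/POSTROUTING,
# so FORWARD is the one chain where both questions can be asked of the same packet.
leak_guard_rules() {
    local_net="$1"
    wan_if="$2"
    cat <<EOF
*filter
# Decapsulated packet that the outbound policy will re-encapsulate: tunnel-to-tunnel, allow it.
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
# Decapsulated packet with no outbound IPsec policy: it would leave in the clear, log and drop.
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol none -m limit --limit 5/min -j LOG --log-prefix "ipsec-leak: "
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol none -j DROP
# Locally generated traffic for the private range must also be covered by a tunnel policy.
-A OUTPUT -o ${wan_if} -d ${local_net} -m policy --dir out --pol none -j DROP
COMMIT
EOF
}

# Usage (as root, keeping existing rules): leak_guard_rules 10.0.0.0/8 eth0 | iptables-restore -n
leak_guard_rules "${1:-10.0.0.0/8}" "${2:-eth0}"
```

Because the match consults the kernel's own SPD decision, the holes open and close with the tunnels themselves; nothing needs to be poked in or out of the filter as connections come up and down.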
