Hi,

with kernel 2.5 and ipsec there is a second mechanism that can allow and deny connections: the ipsec policy engine. Most likely it will be useful to combine ipsec policies and netfilter. But how? Some common scenarios and solutions would make a good addition to the lartc howto.

Here is one scenario (my home network): a server with lan and internet connection.

Old setup: plain text protocols for smtp, imap etc. on the lan. netfilter to block incoming tcp connections except ssh from the internet.

New setup: plain text protocols are ok if they are protected by ipsec. Thus ipsec is not only used for securing but also for access control (i.e. the smtp server will relay everything). ipsec should accept connections from both the local network and the internet, but only connections from people with a pre-shared secret / certificate in its database.

How to solve this?

    #!/path/to/ipsec/sbin/setkey -f
    # incoming ssh needs no ipsec
    spdadd 0/0 0/0[22] tcp -P in none;
    # everything else incoming over tcp must arrive in esp+ah transport mode
    spdadd 0/0 0/0 tcp -P in ipsec esp/transport//require ah/transport//require;

I don't think this will work. The nice thing with netfilter is: it has connection tracking. That way you throw away packets not related to any connection, and then only filter the first packet that creates a connection. But with the ipsec spd there is no connection tracking, you have to filter each packet.

Second try: 192.168.0.1 is the lan ip. 12.34.56.78 is the internet ip (only an example).
    #!/path/to/ipsec/sbin/setkey -f
    # smtp (25), imap2 (143), nntp (119) and ipp (631): incoming connections
    # to either local address must arrive in esp+ah transport mode
    spdadd 0/0 192.168.0.1/32[25] tcp -P in ipsec esp/transport//require ah/transport//require;
    spdadd 0/0 12.34.56.78/32[25] tcp -P in ipsec esp/transport//require ah/transport//require;
    spdadd 0/0 192.168.0.1/32[143] tcp -P in ipsec esp/transport//require ah/transport//require;
    spdadd 0/0 12.34.56.78/32[143] tcp -P in ipsec esp/transport//require ah/transport//require;
    spdadd 0/0 192.168.0.1/32[119] tcp -P in ipsec esp/transport//require ah/transport//require;
    spdadd 0/0 12.34.56.78/32[119] tcp -P in ipsec esp/transport//require ah/transport//require;
    spdadd 0/0 192.168.0.1/32[631] tcp -P in ipsec esp/transport//require ah/transport//require;
    spdadd 0/0 12.34.56.78/32[631] tcp -P in ipsec esp/transport//require ah/transport//require;

That should work. In this scenario the four ports for smtp, imap2, nntp and ipp require ipsec for all connections to the local port. But wait, that's only incoming; copy all rules and require the same for outgoing traffic, too. So we end up with a rule for each combination of direction {in,out}, local ip {lan, wan}, service port {smtp, imap2, nntp, ipp}. A total of 16 rules? Ok, a script could create these.

But the bigger problem is: I don't want to maintain negative lists. I want to maintain a positive list:

- ssh port requires no ipsec
- dns/udp requires no ipsec
- lo interface requires no ipsec
- outgoing tcp connections do not require ipsec

and then have one simple rule:

- everything else requires ipsec.

netfilter allows such rules, and it is quite simple. But netfilter can only allow or deny, not set ipsec rules. Maybe a combination of both will help me?

Regards, Andreas
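The "a script could create these" remark above, worked out as an added example (this is not Andreas' script, and the addresses are his placeholder lan/wan ips). It generates the 16 spdadd entries for every combination of direction, local address and service port so that the lists are maintained in one place; the policy syntax follows the setkey manual (the keyword "ipsec" followed directly by the protocol/mode/src-dst/level requests). The function names gen_spd and count_rules are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's own script: emit the setkey SPD entries for
# direction {in,out} x local ip {lan,wan} x service port {smtp,imap2,nntp,ipp}.
# 192.168.0.1 is the lan ip and 12.34.56.78 the (placeholder) wan ip from the mail.

LOCAL_IPS="192.168.0.1 12.34.56.78"
SERVICE_PORTS="25 143 119 631"   # smtp imap2 nntp ipp
DIRECTIONS="in out"
POLICY="ipsec esp/transport//require ah/transport//require"

# Print one spdadd line per combination. For "in" the local address is the
# destination of the packet; for "out" it is the source, so the selector
# (address and port) swaps sides.
gen_spd() {
    for dir in $DIRECTIONS; do
        for ip in $LOCAL_IPS; do
            for port in $SERVICE_PORTS; do
                if [ "$dir" = in ]; then
                    src="0/0"; dst="$ip/32[$port]"
                else
                    src="$ip/32[$port]"; dst="0/0"
                fi
                printf 'spdadd %s %s tcp -P %s %s;\n' "$src" "$dst" "$dir" "$POLICY"
            done
        done
    done
}

# Sanity check: how many spdadd entries the generator produced (expected 16).
count_rules() {
    gen_spd | grep -c '^spdadd'
}

# Stand-alone use: print the configuration; load it with  gen_spd | setkey -f -
gen_spd
```

Running the script prints the policy file on stdout; piping it into `setkey -f -` loads it. Adding a port or a local address is then a one-word change to the lists at the top rather than editing two or four rules by hand.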