On Friday 23 January 2004 20:42, Andreas Jellinghaus wrote:
> On Fri, 23 Jan 2004 16:11:07 +0000, Nico Schottelius wrote:
> > Hello!
> >
> > While experimenting with ipsec I found the following problems:
> >
> > Encapsulated ipsec data (esp) passes through iptables and becomes
> > decrypted. So far so fine.
> >
> > Now what happens with those unencrypted packages? It looks like
> > they travel through iptables again!
>
> That behaviour is absolutely right.
> Otherwise you could not filter what was inside that ipsec tunnel.
>
> The problem is: netfilter does not allow to filter
> what gets encrypted - only the already encrypted packet
> is seen in OUTGOING.
>
> Dave M considers this behaviour ok, and already stated: it will not change.
> So we have to live with it.
>
> What you can do is this:
> create an IPIP interface, e.g. with:
> ip tunnel add ip4sec0 mode ipip \
>     remote 192.168.1.10 local 192.168.1.1 # dev wlan0
>
> and then you can protect that interface with:
> spdadd 192.168.1.10 192.168.1.1 4 -P in ipsec
>     esp/transport//require;
> spdadd 192.168.1.1 192.168.1.10 4 -P out ipsec
>     esp/transport//require;
>
> as normal you can assign that interface an ip address and
> because you route to that interface it will be used for
> new connections.
>
> iptables setup using that ipip interface is also quite
> easy: on wlan0 don't allow any forwarding, and only
> allow ping, ssh, ike and esp in incoming.
>
> you can then allow packets from ip4sec0 interface to
> use additional services and forwarding, because you know
> that they come via an authenticated ipsec connection.

This seems to be a little bit complicated. You can instead mark any ipsec
packet in the mangle table in the PREROUTING chain and then use the mark to
recognize the decrypted packets in the filter table (INPUT or FORWARD chain)
(or already in the mangle table, PREROUTING, of course). The last time I
tried it worked fine.
example:

iptables -t mangle -A PREROUTING -i $DEV_WLAN -p esp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i $DEV_WLAN -p ah -j MARK --set-mark 1
iptables -A INPUT -i $DEV_WLAN -m mark --mark 1 ...... -j ACCEPT

--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
EDV
http://www.studentenwerk.mhn.de/

-
: send the line "unsubscribe linux-net" in the body of a message to
majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
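The mark-based approach from the last reply, combined with the wlan0 policy Andreas described (only ping, ssh, IKE and ESP in the clear, everything else only over IPsec), written out as a complete rule set. This is an added example, not code from the thread or from any of its authors; it assumes the wireless interface is wlan0, the mark value is 1, IKE runs on udp/500, and ssh is the only service exposed to decrypted traffic. DRY_RUN=1 (the default) prints the iptables commands instead of applying them, so the rule set can be reviewed before it touches a running firewall.

```shell
#!/bin/sh
# Added example (not from the thread): mark ESP/AH arriving on the wireless
# interface in mangle/PREROUTING, then let only packets carrying that mark
# reach sshd or be forwarded. The thread reports that the mark set on the
# encrypted packet is still present on the decrypted packet during its second
# pass through netfilter, which is what the filter rules rely on.
# Assumptions (hypothetical values): interface wlan0, mark 1, IKE on udp/500.

DEV_WLAN="${DEV_WLAN:-wlan0}"
IPSEC_MARK="${IPSEC_MARK:-1}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

mark_ipsec_ingress() {
    # Only still-encrypted packets match -p esp / -p ah, so cleartext traffic
    # from the same interface never receives the mark.
    ipt -t mangle -A PREROUTING -i "$DEV_WLAN" -p esp -j MARK --set-mark "$IPSEC_MARK"
    ipt -t mangle -A PREROUTING -i "$DEV_WLAN" -p ah -j MARK --set-mark "$IPSEC_MARK"
}

filter_rules() {
    # Cleartext on the wireless side: only what IKE/IPsec itself needs, plus ping.
    ipt -A INPUT -i "$DEV_WLAN" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$DEV_WLAN" -p esp -j ACCEPT
    ipt -A INPUT -i "$DEV_WLAN" -p ah -j ACCEPT
    ipt -A INPUT -i "$DEV_WLAN" -p icmp --icmp-type echo-request -j ACCEPT
    # Decrypted packets carry the mark; only they may reach ssh or be forwarded.
    ipt -A INPUT -i "$DEV_WLAN" -m mark --mark "$IPSEC_MARK" -p tcp --dport 22 -j ACCEPT
    ipt -A FORWARD -i "$DEV_WLAN" -m mark --mark "$IPSEC_MARK" -j ACCEPT
    # Anything else arriving unprotected on the wireless interface is dropped.
    ipt -A INPUT -i "$DEV_WLAN" -j DROP
    ipt -A FORWARD -i "$DEV_WLAN" -j DROP
}

# Emit (or apply) the whole rule set: marking first, then filtering.
rules() {
    mark_ipsec_ingress
    filter_rules
}

# Sanity check on the generated rule set: exactly two mangle rules set the
# mark and exactly two filter rules match it, all with the same value.
mark_rules_consistent() {
    set_count=$(DRY_RUN=1 rules | grep -c -- "--set-mark $IPSEC_MARK")
    match_count=$(DRY_RUN=1 rules | grep -c -- "-m mark --mark $IPSEC_MARK ")
    [ "$set_count" -eq 2 ] && [ "$match_count" -eq 2 ]
}

rules
```

Run it as-is to review the ten generated commands; set DRY_RUN=0 to apply them. Because the decrypted packet traverses mangle/PREROUTING a second time without matching `-p esp` or `-p ah`, the mark is neither cleared nor re-applied there, and a peer sending plain IP on wlan0 can never obtain it.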