Re: IPSec - IPTables issues

Nico,

If you have an SPD rule (sorry for racoon/setkey speak)
0.0.0.0/0 Your.IP/32 any -P in esp/.../require (or unique)
then any packet coming to your box which is not ESP-encapsulated will be thrown away by the IPsec code in the kernel (if I remember correctly, it will not even reach the FORWARD chain). Therefore you could safely skip the check for esp, ah, udp/500 in your iptables rules.


P.S. You may need to add an SPD rule allowing udp/500 before enforcing ESP traffic. I never needed to ipsec all the traffic and therefore I'm not sure about this detail.

Nico Schottelius wrote:
> Hello Pablo,
> (netfilter guys, please read http://www.uwsg.iu.edu/hypermail/linux/net/0405.0/0002.html before)
>
> Pablo Neira [Mon, May 03, 2004 at 01:48:15PM +0200]:
> > Hi Nico,
> >
> > since this stuff is netfilter-related and netfilter/iptables geeks are mostly in netfilter's maillist, I think you could redirect this request there, someone could help you out.
>
> Thank you for the hint. I first thought this is a netfilter problem, but
> currently I don't think so.
>
> The problem is IMHO the design of the Linux IPSec implementation.
>
> I'll compare what freeswan did with what Linux 2.6 does now:
>
> Freeswan has virtual devices (ipsec*), through which the unencrypted
> packets come into the system. So you can add these firewall lines:
>
> - allow AH, ESP, UDP/500, deny rest on eth0
> - allow IPs/networks, etc. on ipsec0
>
> With Linux 2.6 I don't have virtual devices. This means that my IPSec
> packets enter the physical device twice:
>
> 1. esp encrypted packet enters
> 2. Linux decrypts it
> 3. Linux sends the unencrypted packets through the same device again
>
> The problem with that is, that
>
> - allow AH, ESP, UDP/500, deny rest on eth0
>
> will deny the _content_ of my encrypted packages (step three is broken).
>
> Wouldn't this work fine, if we have the virtual device like freeswan had
> or is netfilter broken with this?
>
> I mean I cannot practically setup an IPSec only access point with the current
> netfilter and ipsec in Linux 2.6, or am I deadly wrong?
>
> Greetings,
>
> Nico



-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB
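As an added illustration (not part of the thread), the ipsec-tools/setkey policy file that spells out the "require" SPD rule described above together with the udp/500 bypass from the P.S.; it assumes transport mode, that racoon negotiates the SAs, and uses the placeholder 192.0.2.1 for the box's own address ("Your.IP" above):

```conf
# Assumed file: /etc/ipsec-tools.conf, loaded with "setkey -f /etc/ipsec-tools.conf".
# 192.0.2.1 is a placeholder for the address of the box itself.
flush;
spdflush;

# IKE (udp/500) must travel in the clear, otherwise racoon can never set up
# the SA that the "require" policies below demand. The bypass is listed first
# so that it is matched ahead of the catch-all policies.
spdadd 0.0.0.0/0 192.0.2.1/32[500] udp -P in  none;
spdadd 192.0.2.1/32[500] 0.0.0.0/0 udp -P out none;

# Everything else addressed to this box has to arrive ESP-protected; a
# cleartext packet matching this selector is discarded by the IPsec code,
# so iptables never has to tell decrypted traffic from plain traffic.
# Use "unique" instead of "require" to bind the policy to one SA pair.
spdadd 0.0.0.0/0 192.0.2.1/32 any -P in  ipsec esp/transport//require;
spdadd 192.0.2.1/32 0.0.0.0/0 any -P out ipsec esp/transport//require;
```

Check the result with "setkey -DP": the udp[500] entries must appear with policy "none" and the catch-all entries with "esp/transport//require", and a cleartext ping to the box should now be dropped before any INPUT rule logs it.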
