On Fri 28/03/2003 at 16:52, James Miller wrote:
> I have reviewed a few posts about how to set up rules to allow IPSec. I sure
> would appreciate a peer review of my rules for IPSec traffic before putting
> them into general use.

[...]

> INPUT:
> $IPTABLES -A INPUT -i eth1 -p 50 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p 51 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p UDP --dport 500 -j ACCEPT

You can harden this one by requiring that the source port also be 500.

[...]

> OUTPUT:
> $IPTABLES -A OUTPUT -p 50 -j ACCEPT
> $IPTABLES -A OUTPUT -p 51 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT

You can also add the output interface using "-o eth1" and specify the source port for the last rule.

Matching state is not useful if both sides are likely to initiate the IPSec tunnel.

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
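The rule set from the message above with the hardening the reply suggests applied, as an added example that is not part of the original thread and not James's or Cédric's own script: ESP (protocol 50), AH (protocol 51) and IKE (UDP 500) are accepted only on the IPSec-facing interface, in both directions, and the IKE rule pins both source and destination port to 500. It goes one step beyond the reply by optionally restricting every rule to a single peer address (the PEER variable), which is an assumption of this example. The interface name eth1 is taken from the original rules; IPTABLES defaults to "echo iptables" so the script prints the commands instead of loading them, and no state matching is used, for the reason the reply gives.

```shell
#!/bin/sh
# Added example (not from the original thread): IPSec passthrough rules with
# the hardening suggested in the reply: interface on both chains, IKE source
# port pinned to 500, optional restriction to one peer address (assumed).
#
# IPTABLES defaults to a dry run that prints the commands; run with
# IPTABLES=iptables as root to actually load them.
IPTABLES=${IPTABLES:-"echo iptables"}
IPSEC_IF=${IPSEC_IF:-eth1}   # interface facing the IPSec peer (from the thread)
PEER=${PEER:-}               # optional peer address, e.g. 192.0.2.1 (assumption)

ipsec_rules() {
    peer_in=""
    peer_out=""
    if [ -n "$PEER" ]; then
        peer_in="-s $PEER"   # inbound traffic must come from the peer
        peer_out="-d $PEER"  # outbound traffic must go to the peer
    fi

    # Inbound: ESP and AH carry the tunnel itself; IKE negotiates it.
    $IPTABLES -A INPUT -i "$IPSEC_IF" $peer_in -p 50 -j ACCEPT
    $IPTABLES -A INPUT -i "$IPSEC_IF" $peer_in -p 51 -j ACCEPT
    # IKE daemons talk from port 500 to port 500, so pin both ends rather
    # than accepting any source port to our port 500.
    $IPTABLES -A INPUT -i "$IPSEC_IF" $peer_in -p udp --sport 500 --dport 500 -j ACCEPT

    # Outbound: the mirror image, with -o instead of -i. No conntrack state
    # matching: either side may initiate, so there is no "NEW" direction to
    # privilege.
    $IPTABLES -A OUTPUT -o "$IPSEC_IF" $peer_out -p 50 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IPSEC_IF" $peer_out -p 51 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IPSEC_IF" $peer_out -p udp --sport 500 --dport 500 -j ACCEPT
}

# Dry run when executed directly: prints the six iptables commands.
ipsec_rules
```

Running it as-is prints the six commands so they can be reviewed before loading; with PEER set, each rule additionally carries -s or -d with that address, so a host that is not the peer cannot even reach the IKE port.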