> Surely there must be some way of doing port-based filtering of ESP
> packets that are known to be bound for the local host.

If the packet isn't intended for the firewall/ipsec server, then it's forwarded unencrypted to the internal hosts.... I'm sure by then the data is decrypted, right? Because it can't pass an encrypted packet to a host that isn't using IPSEC.

Can you put -j LOG rules in the FORWARD chain to filter on it? Mine appear to pick up port 23 telnet sessions... sorry if what you want isn't this..

[root@xxxxxxxx root]# iptables -I FORWARD -i ipsec0 -o eth0 -p tcp --dport 23
[root@xxxxxxxx root]# iptables -L FORWARD -n -v -x
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        104            tcp  --  ipsec0 eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
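Added example, not part of the post above: a small Python parser for `iptables -L <chain> -n -v -x` output in the format quoted there. It reports which rules on the ipsec0 -> eth0 path counted traffic and distinguishes a rule added without a -j target (which only counts matches) from a -j LOG rule; the sample listing is constructed, and the LOG rule in it is hypothetical.

```python
"""Parse `iptables -L <chain> -n -v -x` output and report which rules saw traffic."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample output modelled on the FORWARD listing in the post
# (not captured from a real host); the LOG rule is hypothetical.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2        104            tcp  --  ipsec0 eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:23
       2        104 LOG        tcp  --  ipsec0 eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:23 LOG flags 0 level 4
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
OPT_RE = re.compile(r"[-!][-f]")  # the 'opt' column is always two chars such as '--'


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: Optional[str]  # None when the rule was added without -j (accounting only)
    prot: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # trailing match details such as 'tcp dpt:23'


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


def parse_listing(text: str) -> Chain:
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = Chain(m.group(1), m.group(2))
            continue
        tok = line.split()
        if chain is None or len(tok) < 8 or not tok[0].isdigit():
            continue  # column header or blank line
        # With an empty target the 'opt' column is the 4th token, otherwise the 5th.
        target, rest = (None, tok[2:]) if OPT_RE.fullmatch(tok[3]) else (tok[2], tok[3:])
        prot, _opt, in_if, out_if, src, dst = rest[:6]
        chain.rules.append(Rule(int(tok[0]), int(tok[1]), target, prot,
                                in_if, out_if, src, dst, " ".join(rest[6:])))
    return chain


def hits(chain: Chain, in_if: str, out_if: str, dport: int) -> list:
    """Rules on the given interface pair and destination port whose counters are non-zero."""
    return [r for r in chain.rules if r.in_if == in_if and r.out_if == out_if
            and f"dpt:{dport}" in r.extra and r.pkts > 0]
```

Feed it the real listing with `parse_listing(subprocess.check_output(["iptables", "-L", "FORWARD", "-n", "-v", "-x"], text=True))`; a rule with `target is None` is counting decrypted telnet matches but neither logging nor dropping them.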