At Sat, Jan 17, 2004 at 02:45:19PM +0100, Andreas Kretschmer wrote:
> > Simply use a *tunnel* between the two hosts, and define the subnets to
> > be "tunneled" to be the hosts themselves
> Okay, but you can't filter packets. It's not possible to filter, for
> instance, all traffic from/to the telnet port and enable all traffic to/from
> the ssh port.

Yes you can. Re-read my post, and be creative.

Example: suppose you want to set up a secure connection between host1 and
host2, and you want to allow POP3 between these, but only if the POP3 came
in through IPsec.

Steps to take:

1) set up a VPN between host1 and host2.
   NOTE: use tunnel mode for this, not transport mode! I repeat: use tunnel
   mode, not transport!
   NOTE 2: when using tunnel mode, you MUST use authentication, otherwise
   your VPN is not secure!

2) set up your firewalling:

# first, we set a "mark" on every IPsec packet that comes in.
iptables -t mangle -A INPUT -p esp -j MARK --set-mark 1
# the Linux kernel keeps the MARK after a packet has been decrypted, so
# we can check for the mark to see if a packet came in through IPsec. This
# is equivalent to the ipsec0 virtual interface that FreeS/WAN has.
#
# we are silly firewall builders and we accept every "marked" packet that
# goes to port 110. DO NOT DO THIS AT HOME, you should probably use stateful
# firewalling for this.
iptables -A INPUT -p tcp --dport pop3 -m mark --mark 1 -j ACCEPT
# we drop all other packets to port 110
iptables -A INPUT -p tcp --dport pop3 -j DROP

V.

--
Block those annoying popup ads with Mozilla: www.mozilla.org
- http://www.openoffice.nl/ Open Office - Linux Office Solutions
Valentijn Sessink valentyn+sessink@xxxxxxxxxxxxxxxxxxxx
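The "POP3 only over IPsec" policy from the reply above, rewritten with the stateful filtering the author recommends instead of the bare mark match; this is an added example, not code from the original mail. It assumes Linux native IPsec in tunnel mode between host1 and host2, IKE on UDP/500 for keying, and defaults IPT to "echo iptables" so the script prints the rules as a dry run instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original mail). IPT defaults to a dry run
# ("echo iptables"); run as root with IPT=iptables to apply the rules.
# Assumptions: Linux native IPsec, tunnel mode host1<->host2, IKE on UDP/500.
IPT="${IPT:-echo iptables}"

# Emit the full INPUT policy for the POP3 server side (host2).
ipsec_only_pop3_rules() {
    # 1. Tag every incoming ESP packet. The kernel keeps the mark on the
    #    decrypted inner packet, so mark 1 means "this arrived via IPsec".
    $IPT -t mangle -A INPUT -p esp -j MARK --set-mark 1

    # 2. Only needed if the INPUT policy is DROP: the ESP packets themselves
    #    and the IKE exchange must get through, or nothing is ever decrypted.
    $IPT -A INPUT -p esp -j ACCEPT
    $IPT -A INPUT -p udp --dport 500 -j ACCEPT

    # 3. Stateful part: packets belonging to an already accepted connection
    #    are fine; the decision was made on the connection's first packet.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. A *new* POP3 connection is accepted only if it carries the mark,
    #    i.e. only if its SYN came in through the tunnel.
    $IPT -A INPUT -p tcp --dport pop3 -m state --state NEW -m mark --mark 1 -j ACCEPT

    # 5. Any other (cleartext, unmarked) attempt to reach POP3 is dropped.
    $IPT -A INPUT -p tcp --dport pop3 -j DROP
}

# Number of rules the policy emits; handy as a dry-run sanity check.
rule_count() {
    ipsec_only_pop3_rules | wc -l | tr -d ' '
}

ipsec_only_pop3_rules
```

After applying for real, `iptables -t mangle -L INPUT -v -n` and `iptables -L INPUT -v -n` show the per-rule counters, so a cleartext POP3 attempt should raise the final DROP counter while a tunneled one raises the marked ACCEPT.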