On Sat, Jul 03, 2004 at 01:46:01PM +0200, Primero wrote:
> > I hope someone else here can now fill in some useful details for you,
> > given that you're using 2.6.6
> >
> > Regards,
> >
> > Antony.
>
> I'm not an expert, but AFAIK, and because it works this way for me, I think
> that in 2.6 the process is very similar.
>
> In the 2.6 IPsec implementation there is no virtual interface like ipsec0 or
> anything else; the packets, both encrypted and unencrypted, come from the
> same interface, for example eth0. They traverse netfilter two times, like
> in 2.4: the first time they get to the INPUT chain, and if accepted they
> traverse netfilter again in the normal process.
>
> The reason I mark my packets at STEP 1, when they come in encrypted, is
> that I needed a way to identify packets that arrived ENCRYPTED, got
> decrypted and accepted by IPsec, and are traversing netfilter for the
> second time. This way I can be sure that I handle only packets that have
> been accepted by IPsec, and I can feel good :)
>
> For example, I use IPsec for my WiFi LAN and I have this kind of rules:
>
> 1) MANGLE/PREROUTING for packets arriving in ESP protocol
>
> # first pass: the packet is still ESP, mark it
> iptables -t mangle -A PREROUTING -s $MY_WIFI_HOSTS -i $MY_WIFI_INTERFACE -p esp -j MARK --set-mark 10
>
> 2) INPUT for packets arriving in ESP protocol
>
> # first pass: let ESP reach the IPsec stack
> iptables -A INPUT -p esp -j ACCEPT
>
> Now IPsec will authenticate and eventually accept the packets.
>
> 3) INPUT and FORWARD for previously authenticated packets
>
> # second pass: only the decrypted packets carry the mark
> iptables -A FORWARD -m mark --mark 10 -j MY_FORWARD_CHAIN
> iptables -A INPUT -m mark --mark 10 -j MY_INPUT_CHAIN

Hi,

I believe there is a patch in pom-ng called policy that lets you match a
packet based on which IPsec policy it used.

Another method I use is the updown script option, adding and removing
firewall rules on the fly; on second thoughts that is not as good as the
above, though.

Alex

>
> bye
>
> --
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
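The two approaches discussed in the thread, Primero's mark-based scheme and the policy match Alex mentions, as one added example that is not code from either poster. It assumes a 2.6 kernel with native IPsec (no ipsec0 device), where an incoming packet traverses netfilter once as ESP and a second time as the decrypted inner packet, and that the nfmark set on the first pass survives decryption, which is the behaviour the post relies on. The interface name, client subnet, mark value and chain names are hypothetical, and the policy-match form shown is the mainline xt_policy syntax rather than the exact pom-ng patch. By default the script only prints the commands; set IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the IPsec firewall rules for a
# 2.6 kernel without a virtual ipsec0 interface. Assumed values below.

WIFI_IF="${WIFI_IF:-wlan0}"             # assumed wireless interface
WIFI_HOSTS="${WIFI_HOSTS:-10.0.1.0/24}" # assumed WiFi client range
IPSEC_MARK="${IPSEC_MARK:-10}"          # mark value used in the post
# Dry run by default: print the commands. Set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# Approach 1: mark-based, as in the post. Pass 1 sees the ESP packet, pass 2
# sees the decrypted inner packet carrying the mark set on pass 1.
ipsec_mark_rules() {
    # Pass 1: tag ESP from the WiFi range so the decrypted packet can be
    # recognised later (the inner packet keeps the skb's mark).
    $IPT -t mangle -A PREROUTING -i "$WIFI_IF" -s "$WIFI_HOSTS" -p esp \
        -j MARK --set-mark "$IPSEC_MARK"
    # Pass 1: let ESP reach the IPsec stack. Packets without a matching SA
    # are dropped by the kernel before any second pass happens.
    $IPT -A INPUT -i "$WIFI_IF" -p esp -j ACCEPT
    # Pass 2: only decrypted packets carry the mark; cleartext from the same
    # interface does not, so it falls through to the default policy.
    $IPT -A INPUT   -m mark --mark "$IPSEC_MARK" -j MY_INPUT_CHAIN
    $IPT -A FORWARD -m mark --mark "$IPSEC_MARK" -j MY_FORWARD_CHAIN
}

# Approach 2: ask xfrm directly whether the packet was decapsulated from an
# ESP SA (the "policy" match; mainline iptables syntax assumed here).
ipsec_policy_rules() {
    $IPT -A INPUT -i "$WIFI_IF" -p esp -j ACCEPT
    $IPT -A INPUT   -i "$WIFI_IF" -m policy --dir in --pol ipsec --proto esp \
        -j MY_INPUT_CHAIN
    $IPT -A FORWARD -i "$WIFI_IF" -m policy --dir in --pol ipsec --proto esp \
        -j MY_FORWARD_CHAIN
}

# Cleartext from the WiFi range that reaches the end of INPUT/FORWARD
# without matching the mark or policy rule is dropped explicitly, so a
# client that skips IPsec gets nothing.
ipsec_default_drop() {
    $IPT -A INPUT   -i "$WIFI_IF" -s "$WIFI_HOSTS" -j DROP
    $IPT -A FORWARD -i "$WIFI_IF" -s "$WIFI_HOSTS" -j DROP
}

# Complete mark-based rule set in the order it must be loaded.
ipsec_ruleset() {
    ipsec_mark_rules
    ipsec_default_drop
}

ipsec_ruleset
```

After loading the rules for real, `iptables -t mangle -L PREROUTING -v` and `iptables -L INPUT -v` show the packet counters on the mark rule and on the `-m mark` rule climbing together for decrypted traffic, which is the quickest check that the mark really survives the second pass on the kernel in use.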