Re: Filtering Transport Mode IPSec

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Take a look at the NetFilter IPSec patches (4 of them I think).  These patches are designed to have the traffic that is passing through the IPSec VPN pass through the NetFilter table twice, once encrypted and once decrypted.  This will allow you to filter the traffic on the 2nd (decrypted) pass the way that you are wanting to do.



Grant. . . .

Aaron Smith wrote:
I have a Windows 2003 server connecting as a client, in Transport mode, via IPSec to a RHEL4 server running a 2.6.9 kernel and StrongSwan.
I would like to use netfilter to filter the protocols and ports that the
windows server can access on the RHEL4 server, but from what I've read, transport mode IPSec packets are decrypted AFTER they have traversed the netfilter chains. I have a rule in my INPUT chain that says to allow ESP (protocol 50) packets and this appears to be enough for the windows client to bypass the rest of the rules. I also have a linux client connecting to this same server in Tunnel mode and it's packets appear to be accepted, decrypted, an then sent back into the interface to be subjected to netfilter so everything works fine there. Is there anyway to use netfilter to filter Transport Mode IPSec?

------
"The pain of war cannot exceed the woe of aftermath
The drums will shake the castle walls, the Ringwraiths ride in black..."
    Led Zeppelin, "The Battle of Evermore"




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux