Take a look at the NetFilter IPSec patches (4 of them I think). These patches are designed to have the traffic that is passing through the IPSec VPN pass through the NetFilter table twice, once encrypted and once decrypted. This will allow you to filter the traffic on the 2nd (decrypted) pass the way that you are wanting to do.
Grant. . . .
Aaron Smith wrote:
I have a Windows 2003 server connecting as a client, in Transport mode,
via IPSec to a RHEL4 server running a 2.6.9 kernel and StrongSwan.
I would like to use netfilter to filter the protocols and ports that the
windows server can access on the RHEL4 server, but from what I've read,
transport mode IPSec packets are decrypted AFTER they have traversed the
netfilter chains. I have a rule in my INPUT chain that says to allow
ESP (protocol 50) packets and this appears to be enough for the windows
client to bypass the rest of the rules. I also have a linux client
connecting to this same server in Tunnel mode and it's packets appear to
be accepted, decrypted, an then sent back into the interface to be
subjected to netfilter so everything works fine there. Is there anyway
to use netfilter to filter Transport Mode IPSec?
------
"The pain of war cannot exceed the woe of aftermath
The drums will shake the castle walls, the Ringwraiths ride in black..."
Led Zeppelin, "The Battle of Evermore"
