I use a trick stated on the ipsec-tools howto:

iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1

then to catch the unencapsulated packet:

iptables -A INPUT -m mark --mark 1 -j ACCEPT

On Tue, 2006-02-14 at 14:39 +0100, Marco Berizzi wrote:
> Andreas Stallmann wrote:
>
> >Hello,
>
> Ciao.
>
> >3. $IPTABLES -A INPUT -i ipsec0 -d $INTERNAL_NET -j ALLOW
> >How do I write rule no. 3 now, without ipsec interfaces at hand?
>
> Here is an example: policy match is much more flexible than the ipsecX
> virtual interface. You can even select ipsec traffic from different
> gateways.
>
> iptables -A FORWARD -m policy \
>
> --dir in \ this is for selecting inbound/outbound traffic
>
> --pol ipsec \ this matches if traffic is subject to IPsec processing
>
> --mode tunnel \ this is if you want to match tunnel mode
>
> --tunnel-dst 172.16.1.247 --tunnel-src 172.16.1.226 \
>              ^^^^^^^^^^^^              ^^^^^^^^^^^^
> These are the ipsec endpoint addresses (usually public ip addresses)
>
> -s blablab -d $INTERNAL_NET --protocol blabla --dport blabla \
> what you want to do with this rule
>
> -j ACCEPT (or DROP)
>
> >OK, let's do some naive painting. In the following picture, my packet "X"
> >has passed rules 1 and 2 on the INPUT chain, allowing it to pass
> >through to the OPENSWAN software. It got authenticated by openswan and is
> >now passed back to the iptables stack.
>
> No. Openswan has nothing to do with this schema. Openswan (when used
> with netkey) is only an IKE daemon.
>
> >outside------->FORWARD--------->inside
> >          |               |
> >        INPUT          OUTPUT
> >          |_____(OPENSWAN)_X___|
> >
> >
> >Or is it passed back to the forward chain, because after "unwrapping", its
> >header identifies it as a packet coming from an external private subnet,
> >being directed to an internal private subnet?
>
> Yes.
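A fuller rule set built on the two techniques in this thread (Marco's policy match for FORWARD, and the ESP mark trick for INPUT), added here as an example and not code from the original messages. It assumes a NETKEY gateway whose iptables has the policy match; all endpoint and subnet addresses are placeholders, and by default it only prints the rules.

```shell
#!/bin/sh
# Added example (not from the thread): policy-match and mark rules for a NETKEY
# IPsec gateway that has no ipsecX interfaces. All addresses are placeholders.
# Default is a dry run that prints the rules; set IPT=iptables (as root) to install.
IPT="${IPT:-echo iptables}"

# FORWARD rules for one tunnel.
#   $1 local endpoint  $2 remote endpoint  $3 remote private net  $4 internal net
ipsec_forward_rules() {
  local_gw=$1; remote_gw=$2; remote_net=$3; internal_net=$4
  # Inbound: accept only packets the kernel just decrypted from this tunnel
  # (--dir in plus the endpoint pair; plaintext with the same src/dst won't match).
  $IPT -A FORWARD -m policy --dir in --pol ipsec --mode tunnel \
    --tunnel-src "$remote_gw" --tunnel-dst "$local_gw" \
    -s "$remote_net" -d "$internal_net" -j ACCEPT
  # Outbound: accept packets that an SPD policy will encrypt toward the tunnel.
  $IPT -A FORWARD -m policy --dir out --pol ipsec --mode tunnel \
    --tunnel-src "$local_gw" --tunnel-dst "$remote_gw" \
    -s "$internal_net" -d "$remote_net" -j ACCEPT
  # Same nets without IPsec means a missing policy or a spoofed source: drop.
  $IPT -A FORWARD -s "$remote_net" -d "$internal_net" -j DROP
  $IPT -A FORWARD -s "$internal_net" -d "$remote_net" -j DROP
}

# The mark trick from the reply above, for traffic terminating on the gateway:
# ESP arriving on $1 is marked; the decrypted inner packet keeps the mark when
# it re-enters PREROUTING/INPUT, so it can be told apart from plaintext.
ipsec_input_mark_rules() {
  ext_if=$1
  $IPT -t mangle -A PREROUTING -i "$ext_if" -p esp -j MARK --set-mark 1
  $IPT -A INPUT -m mark --mark 1 -j ACCEPT
}

# Dry-run demonstration with constructed placeholder addresses.
ipsec_forward_rules 198.51.100.1 203.0.113.1 10.2.0.0/16 10.1.0.0/16
ipsec_input_mark_rules eth0
```

The explicit DROP rules are what the ipsec0 interface used to give you for free: without them, a plaintext packet forged with the remote subnet's source address would hit the same ACCEPT rules as decrypted traffic.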