Quoting Jan Engelhardt <jengelh@xxxxxxxxxx>:
#allow IKE to/from these hosts without IPsec
-A ipsec-only --protocol udp -m udp --source-port isakmp
--destination-port isakmp -j ACCEPT
-A ipsec-only --protocol udp -m udp --source-port isakmp-nat
--destination-port isakmp-nat -j ACCEPT
But in the NAT scenario, the source port may no longer be 4500.
I think you want --dport here in both cases.
Ah,.. good point, but why in both cases? With the non-NAT scenario,
aren't both ports 500?
1) As you see, I tried to first allow from/to hostB: udp/500 and
udp/4500 for
the key negotiations.
4500 is also used for espinudp transport, not just IKE.
Mhh,... what's that? Is this the encapsulation in UDP packet
(forceencaps in strongswan)?
Are there any other ports or so I have to open?
Well where's your rule to it?
I've not yet done one, because I didn't knew how policy work, and with
just adding a normal rule like (e.g. I want to allow tcp/4369 from
hostB (but ONLY when encrypted) to do erlang/ejabberd clustering) like:
-A INPUT --destination eth0_ip --protocol tcp -m tcp
--destination-port 4369 -j ACCEPT
it would be filterd out by above rules, as the source address is that
of hostB, and proto != esp, right?
So when during netfilter are packets still esp, and when are they
authenticated/decrypted, and I see (and can match) the "normal" IP packet?
The normal ones with -m policy.
Is there some more elaborate description on this, than that of the manpage?
I must admit that I don't understand how to use it, an what it
actually matches :/
Does the INPUT/OUTPUT queues even ever see esp packets?
Of course.
How does this conceptually work, when I have encapsulated protocols
like with ESP/AH where I have IP within IP.
Is first the ESP packet going through netfilter/IP stack, then it's
decrypted authenticated and the resulting IP packet goes through it
again?
Thanks,
Chris.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html