Re: Reject non-ipsec traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 2011-07-20 21:20, Ryan Whelan wrote:

>I have IPSec setup between 2 hosts and would like to stop all
>inter-host traffic thats not secured with IPSec (They have a GRE
>tunnel between them, and I want to be sure the GRE traffic fails to
>transmit if the IPSec daemon fails)
>
>iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT
>iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT
>iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT
>iptables -A OUTPUT -d hostB.example.com -j REJECT
>
>The reject rule is rejecting all traffic to that host[...]
>If i remove that rule, everything works and i
>see the packets get counted on the ESP protocol rule.  I thought the
>rules were processes in order until a match was found. Clearly I'm
>wrong.

They are indeed processed in order, and until a match is found --
and match _was_ found (packet which has dst=hostB, which is not
ESP, and which does not have tcpudp-500 in its headers).

A `ping hostB` would match the criteria of this 4th rules, as would
opening http://hostB.example.com in a browser, for example.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux