On Thursday 2011-07-21 02:09, Ryan Whelan wrote:

>>> So the outbound traffic is being processed by netfilter before getting
>>> wrapped by IPsec?
>>
>> Both before and after.
>
> Is there a way to accomplish this? Maybe a way to only accept
> non-ESP packets if they are destined for the IPsec stack; is that possible?
> The only other recourse I can think of is dropping, on the receiving
> side, any non-ESP packets. That's better than nothing, but I'd like to
> not send anything unencrypted if possible.

And don't strip the Cc list.

You can use -m policy in OUTPUT to check for packets destined to be
xfrmed (output path) or having come out of xfrm (input path), i.e.

-A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT
-A OUTPUT [ike port 500/4500] -j ACCEPT
-A OUTPUT -p esp -j ACCEPT

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html