How to set iptables for IPSec tunnel?
I want to setup firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel. And it will accept anything (any protocols) if it's from an IPSec tunnel.
I tried:

Code:
iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP
iptables -A INPUT -i eth0 -j my-fw

Then I tried to ping from one end of the tunnel to the other end of the tunnel and the ping didn't go through. I needed to modify my rules as below to make it work:

Code:
iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p icmp -j ACCEPT
iptables -A my-fw -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP
iptables -A INPUT -i eth0 -j my-fw

That is, I also need to open up ICMP to make ping work. But if I open up ICMP, I cannot prevent pings from hosts that are outside my IPSec tunnels. This defeats my purpose. So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I set up the iptables rules?

Eric
Please read the documentation for iptables.

Code:
AH match options
My problem is not in the IPSec part of the packets. My firewall can let that pass. Here is a tcpdump output for "one" ping through the tunnel:
Code:
11:33:27.250840 IP 192.168.1.1 > 192.168.1.2: ESP(spi=0xca2bb69b,seq=0x1b), length 132
11:33:27.252285 IP 192.168.1.2 > 192.168.1.1: ESP(spi=0xc2e92c6a,seq=0x1b), length 132
11:33:27.252285 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 53521, seq 27, length 64

Note that the 3rd packet is an ICMP ping. So tcpdump sees 2 ESP packets plus one ICMP. I guess the ICMP packet appears after the kernel decapsulates the ICMP from the IPSec payload and then refeeds it into the iptables INPUT queue. How do I differentiate this ICMP from a normal ICMP?

Eric
Are you sure that tcpdump works after packets were extracted from the IPSec flow?
And why do you think that ICMP was inserted into IPSec?
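Added example, written for this page and not code from either poster: the distinction Eric asks for is exactly what the iptables policy match (xt_policy) provides. A packet the kernel decapsulates from an ESP SA traverses INPUT a second time as plaintext (that is the third line of Eric's tcpdump), and `-m policy --dir in --pol ipsec` matches only on that second pass, so the same ICMP arriving in the clear from a host outside the tunnel falls through to DROP and no bare `-p icmp` rule is needed. The script assumes (none of this is stated in the thread) that the outside interface is eth0, that ESP rather than AH is in use, and that IKE runs on UDP/500 with NAT-T on UDP/4500; IKE is UDP, so the `-p tcp` port-500 rule from the original post is dropped. Passing `echo` as the first argument prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Accept only traffic that
# arrived through an IPsec SA on the outside interface; drop everything else.
# Assumptions (not given in the thread): ESP (not AH), IKE on UDP/500 and
# NAT-T on UDP/4500, outside interface eth0.
#
# Usage: ipsec_fw_rules [iptables-command] [interface]
#   ipsec_fw_rules                 # apply with iptables (needs root)
#   ipsec_fw_rules echo eth0       # dry run: print the rules instead

ipsec_fw_rules() {
    ipt="${1:-iptables}"
    ifc="${2:-eth0}"

    # Create the chain, or empty it if it already exists.
    "$ipt" -N my-fw 2>/dev/null || "$ipt" -F my-fw

    # 1. The encrypted ESP packet itself must reach the kernel's xfrm code
    #    so that it can be decapsulated.
    "$ipt" -A my-fw -p esp -j ACCEPT

    # 2. IKE, so SAs can be negotiated. IKE runs over UDP, never TCP; the
    #    source port is left open because NAT-T peers do not always use 500.
    "$ipt" -A my-fw -p udp --dport 500 -j ACCEPT
    "$ipt" -A my-fw -p udp --dport 4500 -j ACCEPT

    # 3. After decapsulation the plaintext packet (the ICMP echo in Eric's
    #    tcpdump) traverses INPUT again. xt_policy matches it because an
    #    inbound IPsec policy was applied to it; the identical ICMP arriving
    #    in the clear from outside the tunnel does not match and is dropped.
    #    Use --proto ah instead if the tunnel uses AH.
    "$ipt" -A my-fw -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # 4. Everything else on this interface, including plain ICMP, is dropped.
    "$ipt" -A my-fw -j DROP

    # Hook the chain into INPUT for the outside interface only, so lo and
    # any inside interfaces are unaffected.
    "$ipt" -A INPUT -i "$ifc" -j my-fw
}
```

Before applying, confirm the running kernel and iptables build offer the match with `iptables -m policy --help`; if it reports that the policy match cannot be loaded, the xt_policy module is missing and the decapsulated traffic will hit DROP. After applying, a ping across the tunnel should increment the packet counter on the `-m policy` rule in `iptables -L my-fw -v -n`, while a ping from a host outside the tunnel increments only the DROP counter.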