LinuxQuestions.org
Linux - Security: How to set iptables for IPSec tunnel? (https://www.linuxquestions.org/questions/linux-security-4/how-to-set-iptables-for-ipsec-tunnel-780706/)

ecvoyager 01-07-2010 06:14 PM

How to set iptables for IPSec tunnel?
 
I want to set up firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel. And it will accept anything (any protocols) if it's from an IPSec tunnel.

I tried:
iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP

iptables -A INPUT -i eth0 -j my-fw

Then I tried to ping from one end of the tunnel to the other end of the tunnel and the ping didn't go through. I needed to modify my rules as below to make it work:

iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p icmp -j ACCEPT
iptables -A my-fw -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP

iptables -A INPUT -i eth0 -j my-fw

That is, I also need to open up ping to make ping work. But if I open up icmp, I cannot prevent pings from hosts that are outside my IPSec tunnels. This defeats my purpose.

So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I set up the iptables rules?

Eric

nimnull22 01-09-2010 05:08 PM

Please read documentation for iptables.
Code:

AH match options
Match:        --ahspi
Kernel:        2.5 and 2.6
Example:        iptables -A INPUT -p 51 -m ah --ahspi 500
Explanation:        This matches the AH Security Parameter Index (SPI) number of the AH
packets. Please note that you must specify the protocol as well, since AH runs on a
different protocol than the standard TCP, UDP or ICMP protocols. The SPI number is used in
conjunction with the source and destination address and the secret keys to create a
security association (SA). The SA uniquely identifies each and every one of the IPSEC
tunnels to all hosts. The SPI is used to uniquely distinguish each IPSEC tunnel connected
between the same two peers. Using the --ahspi match, we can match a packet based on
the SPI of the packets. This match can match a whole range of SPI values by using a : sign,
such as 500:520, which will match the whole range of SPI's.

ESP match options
Match:        --espspi
Kernel:        2.5 and 2.6
Example:        iptables -A INPUT -p 50 -m esp --espspi 500
Explanation:        The ESP counterpart Security Parameter Index (SPI) is used exactly the
same way as the AH variant. The match looks exactly the same, with the esp/ah difference.
Of course, this match can match a whole range of SPI numbers as well as the AH variant of
the SPI match, such as --espspi 200:250 which matches the whole range of SPI's.


ecvoyager 01-11-2010 01:42 PM

My problem is not in the IPSec part of the packets. My firewall can let that pass. Here is a tcpdump output for "one" ping through the tunnel:

11:33:27.250840 IP 192.168.1.1 > 192.168.1.2: ESP(spi=0xca2bb69b,seq=0x1b), length 132
11:33:27.252285 IP 192.168.1.2 > 192.168.1.1: ESP(spi=0xc2e92c6a,seq=0x1b), length 132
11:33:27.252285 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 53521, seq 27, length 64

Note the 3rd packet is an icmp ping. So tcpdump sees 2 esp packets plus one icmp; I guess the icmp packet appears after the kernel de-capsulates the icmp from the IPSec payload and then re-feeds it into the iptables INPUT queue. How do I differentiate this icmp from a normal icmp?

Eric


nimnull22 01-11-2010 08:39 PM

Are you sure that tcpdump works after packets were extracted from the IPSec flow?
And why do you think that the ICMP was inserted into IPSec?

