Linux - Security
I want to set up firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel, and it will accept anything (any protocol) if it is from an IPSec tunnel.
I tried:
iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP
iptables -A INPUT -i eth0 -j my-fw
Then I tried to ping from one end of the tunnel to the other end of the tunnel and the ping didn't go through. I needed to modify my rules as below to make it work:
iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p icmp -j ACCEPT
iptables -A my-fw -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP
iptables -A INPUT -i eth0 -j my-fw
That is, I also need to open up ICMP to make ping work. But if I open up ICMP, I cannot prevent pings from hosts that are outside my IPSec tunnels. This defeats my purpose.
So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I set up the iptables rules?
Originally Posted by nimnull22
Please read the documentation for iptables.
Code:
AH match options
Match: --ahspi
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p 51 -m ah --ahspi 500
Explanation: This matches the AH Security Parameter Index (SPI) number of the AH
packets. Please note that you must specify the protocol as well, since AH runs on a
different protocol than the standard TCP, UDP or ICMP protocols. The SPI number is used in
conjunction with the source and destination address and the secret keys to create a
security association (SA). The SA uniquely identifies each and every one of the IPSEC
tunnels to all hosts. The SPI is used to uniquely distinguish each IPSEC tunnel connected
between the same two peers. Using the --ahspi match, we can match a packet based on
the SPI of the packets. This match can match a whole range of SPI values by using a : sign,
such as 500:520, which will match the whole range of SPIs.
ESP match options
Match: --espspi
Kernel: 2.5 and 2.6
Example: iptables -A INPUT -p 50 -m esp --espspi 500
Explanation: The ESP counterpart Security Parameter Index (SPI) is used exactly the
same way as the AH variant. The match looks exactly the same, with the esp/ah difference.
Of course, this match can match a whole range of SPI numbers as well as the AH variant of
the SPI match, such as --espspi 200:250 which matches the whole range of SPIs.
My problem is not in the IPSec part of the packets. My firewall can let that pass. Here is the tcpdump output for "one" ping through the tunnel:
11:33:27.250840 IP 192.168.1.1 > 192.168.1.2: ESP(spi=0xca2bb69b,seq=0x1b), length 132
11:33:27.252285 IP 192.168.1.2 > 192.168.1.1: ESP(spi=0xc2e92c6a,seq=0x1b), length 132
11:33:27.252285 IP 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 53521, seq 27, length 64
Note that the 3rd packet is an ICMP ping. So tcpdump sees 2 ESP packets plus one ICMP packet; I guess the ICMP packet appears after the kernel decapsulates it from the IPSec payload and re-feeds it into the iptables INPUT queue. How do I differentiate this ICMP from a normal ICMP?
Eric
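The decapsulated ICMP packet that Eric sees in the tcpdump output can be told apart from a clear-text one with the iptables policy match (xt_policy): after decryption the inner packet traverses INPUT a second time, and the policy match still sees the IPsec security association it was unwrapped from, so a rule with --pol ipsec matches only traffic that came through a tunnel, while --pol none matches only traffic with no IPsec policy at all. The script below is an added example, not code from the thread or from the iptables tutorial excerpt nimnull22 posted; it rebuilds the my-fw chain from the original post around that match. The interface name (eth0), the IKE ports (UDP 500, and 4500 for NAT traversal) and the presence of the xt_policy module in the kernel are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the chain the original
# poster sketched, but uses the xt_policy match to tell "ICMP that the kernel
# just decapsulated from an ESP SA" apart from "ICMP that arrived in the clear".
# Assumptions (not stated in the thread): the tunnel interface is eth0, IKE
# runs on UDP/500 (and UDP/4500 when NAT traversal is in use), and the kernel
# has the policy match (CONFIG_NETFILTER_XT_MATCH_POLICY, module xt_policy).
# IPT can be overridden, e.g. IPT=echo, to print the rules instead of loading
# them; that is how the function can be inspected without root.
IPT="${IPT:-iptables}"

ipsec_firewall() {
    iface="$1"

    $IPT -N my-fw

    # IKE negotiation has to be reachable before any SA exists.
    $IPT -A my-fw -p udp --dport 500 -j ACCEPT
    $IPT -A my-fw -p udp --dport 4500 -j ACCEPT

    # The ESP envelope itself (IP protocol 50), still encrypted at this point.
    $IPT -A my-fw -p esp -j ACCEPT

    # After decryption the inner packet (ICMP, TCP, UDP, ...) traverses INPUT a
    # second time in the clear. xt_policy still sees the SA it was unwrapped
    # from, so this matches only traffic that came through an ESP SA.
    # Omitting --mode keeps it valid for both tunnel and transport mode.
    $IPT -A my-fw -m policy --dir in --pol ipsec --proto esp -j ACCEPT

    # Everything with no IPsec policy, clear-text pings from non-peers included,
    # is logged (rate limited) and then dropped.
    $IPT -A my-fw -m policy --dir in --pol none \
         -m limit --limit 3/min -j LOG --log-prefix "cleartext-drop: "
    $IPT -A my-fw -j DROP

    $IPT -A INPUT -i "$iface" -j my-fw
}

# Usage: IFACE=eth0 sh ipsec-fw.sh   (or source the file and call the function)
if [ -n "${IFACE:-}" ]; then
    ipsec_firewall "$IFACE"
fi
```

To check the result, send one ping through the tunnel and compare the byte counters of iptables -L my-fw -v -n: the ESP rule and the --pol ipsec rule should both increment, while a ping from a host with no SA only increments the LOG/DROP rules and shows up in the kernel log with the cleartext-drop prefix. The SPI matches from the tutorial excerpt (--espspi, or --spi on the policy match) can narrow a rule to a single SA, but the SPI changes at every rekey, so --pol ipsec is the check that survives across the life of the tunnel.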