Re: Reject non-ipsec traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Wed, Jul 20, 2011 at 4:34 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Wednesday 2011-07-20 22:33, Ryan Whelan wrote:
>>>>
>>>>iptables -A OUTPUT -p udp --dport 500 -d hostB.example.com -j ACCEPT
>>>>iptables -A OUTPUT -p tcp --dport 500 -d hostB.example.com -j ACCEPT
>>>>iptables -A OUTPUT -p esp -d hostB.example.com -j ACCEPT
>>>>iptables -A OUTPUT -d hostB.example.com -j REJECT
>>>>
>>>>but if i remove that the last rule, the 3 rule starts counting matches
>>>>(the ESP protocol rule).
>>>
>>> Sure, because once you are not dropping the original packet in rule
>>> 4, it has a chance to get encrypted, show up as ESP, and match rule
>>> 3.
>>
>>So the outbound traffic is being processed by netfilter before getting
>>wrapped by IPSec?
>
> Both before and after.
>

Is there a way to accomplish this? Maybe a way to only accept a
non-esp packets if it destined for the ipsec stack; is that possible?
The only other recourse I can think of is dropping on the receiving
side any non-esp packets.  Thats better than nothing, but I'd like to
not send anything unencrypted if possible.

These machines will be forwarding more traffic than they originate.
Should I put this filtering on the `mangle` to catch both forwarded
and sent packets?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux