Re: Reject non-ipsec traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Wed, Jul 20, 2011 at 4:34 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On Wednesday 2011-07-20 22:33, Ryan Whelan wrote:
>>>>iptables -A OUTPUT -p udp --dport 500 -d -j ACCEPT
>>>>iptables -A OUTPUT -p tcp --dport 500 -d -j ACCEPT
>>>>iptables -A OUTPUT -p esp -d -j ACCEPT
>>>>iptables -A OUTPUT -d -j REJECT
>>>>but if i remove that the last rule, the 3 rule starts counting matches
>>>>(the ESP protocol rule).
>>> Sure, because once you are not dropping the original packet in rule
>>> 4, it has a chance to get encrypted, show up as ESP, and match rule
>>> 3.
>>So the outbound traffic is being processed by netfilter before getting
>>wrapped by IPSec?
> Both before and after.

Is there a way to accomplish this? Maybe a way to only accept a
non-esp packets if it destined for the ipsec stack; is that possible?
The only other recourse I can think of is dropping on the receiving
side any non-esp packets.  Thats better than nothing, but I'd like to
not send anything unencrypted if possible.

These machines will be forwarding more traffic than they originate.
Should I put this filtering on the `mangle` to catch both forwarded
and sent packets?
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Linux Netfilter Development]     [Linux Kernel Networking Development]     [Linux Networking Development]     [Linux Kernel Development]     [Linux Resources]     [LARTC]     [Bugtraq]     [Consulting]     [Free Internet Dating]     [Yosemite Forum]     [Photo]

Add to Google Powered by Linux