From: "Peter Hoeg" <disposable1@hoeg.com>
To: netfilter@lists.netfilter.org
Subject: Firewalling non-IPsec connections
Date: Sun, 14 Dec 2003 23:30:35 +0100
Message-ID: <000c01c3c291$e4e0f3a0$fc00000a@vmwarew2k>
Normally google is my friend but hasn't been able to help me out, which is
the reason I am turning to you guys.
Here is the deal:
I have a multipurpose gateway/firewall box (running linux kernel
2.6.0-test9) using iptables 1.2.9 (standard debian package) with 3 NICs:
eth0 - internal LAN
eth1 - WLAN (using a crossover cable into an orinoco wireless gateway)
eth2 - internet connection via adsl
For the IPsec stuff I am using the in-kernel ipsec implementation and racoon
for IKE (tunnel mode by the way).
What I want to do:
Basically, the only connections that are to be allowed as wireless
connections are IPsec tunnels, so I can ensure nobody else uses my
connection. This is pretty easy for connections to the gateway host (UDP
port 500 for IKE, ESP protocol and dhcp) as I just need to limit the INPUT
chain for eth1.
The REAL problem is that I need to allow connections from the wireless LAN
segment to go onto the internet, and it seems like the connections only hit
the FORWARD chain AFTER the kernel has done all its magic with unpacking the
encrypted packets. What I would like to do is something like:
iptables -A FORWARD -i eth1 -o eth2 -p esp -j ACCEPT
and then drop everything else, but again, the problem is that if I, for
example, ping www.google.com from a wireless host with the IPsec tunnel
active and have this rule:
iptables -A FORWARD -j LOG
I can then see the ICMP packets in my log for the forward chain.
I hope I have managed to explain what it is that I am looking for and that
somebody out there can help me out.
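A ruleset for the setup described in the message, added here as an example and not code from the post: it assumes the post's interface names and an iptables with the xt_policy match (added after the iptables 1.2.9 the post uses), which lets FORWARD rules match on the IPsec policy a packet was decapsulated under instead of on the ESP header, which is already gone by the time the packet reaches FORWARD.

```shell
#!/bin/sh
# Added example (not from the original post): restrict the wireless segment
# (eth1) to IPsec-only traffic, both to the gateway and through it.
# Assumes the post's interface names and an iptables with the xt_policy
# match (iptables >= 1.3.x, kernel >= 2.6.16), which the post's setup lacked.
LAN=eth0; WLAN=eth1; WAN=eth2

# Print the rules instead of applying them; run with APPLY=1 to apply.
ipt() { echo "iptables $*"; }

wlan_ipsec_only() {
    # Traffic to the gateway itself from the wireless side: only what is
    # needed to bring a tunnel up (IKE on UDP/500, ESP) plus DHCP.
    ipt -A INPUT -i "$WLAN" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p esp -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A INPUT -i "$WLAN" -j DROP

    # Forwarded traffic: decrypted packets reach FORWARD as plain IP, so
    # match on the IPsec policy they were decapsulated under rather than
    # on the ESP protocol, which is no longer visible in this chain.
    ipt -A FORWARD -i "$WLAN" -o "$WAN" -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT
    ipt -A FORWARD -i "$WLAN" -j DROP

    # Return traffic heading back out over the wireless side must also be
    # encrypted; anything that would leave eth1 in the clear is dropped.
    ipt -A FORWARD -o "$WLAN" -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
    ipt -A FORWARD -o "$WLAN" -j DROP
}

# Check helper: does the generated ruleset contain the given rule text?
has_rule() { wlan_ipsec_only | grep -F -q -- "$1"; }

if [ "${APPLY:-0}" = 1 ]; then
    wlan_ipsec_only | sh
else
    wlan_ipsec_only
fi
```

Run it without APPLY to review the generated rules; a plain `iptables -A FORWARD -i eth1 -o eth2 -p esp -j ACCEPT` as in the post never matches here, because FORWARD only ever sees the inner, already-decrypted packet.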