From: Wiktor Wodecki <wodecki@gmx.de>
To: Felipe Alfaro Solana <felipe_alfaro@linuxmail.org>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: Re: [OT] Connection tracking for IPSec
Date: Wed, 20 Aug 2003 16:43:04 +0200
Message-ID: <20030820144304.GC725@gmx.de>
In-Reply-To: <1061378568.668.9.camel@teapot.felipe-alfaro.com>
On Wed, Aug 20, 2003 at 01:22:49PM +0200, Felipe Alfaro Solana wrote:
> I'm starting with IPSec right now. To make it work, I must open up
> protocols 50 and 51 to pass across my Linux firewalls, but I want to use
> connection tracking much like I do when not using IPSec.
>
> For example,
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED
>
> When using IPSec, if I open up protocols 50 and 51, all IPSec-protected
> traffic passes through the firewall, but it's not checked against the
> connection tracking module. How can I configure iptables so an
> IPSec-protected packet, after being classified as IP protocol 50 or 51,
> loop back one more time to pass through the connection tracking module?
>
> I don't want to set up IPSec to get additional protection by using AH
> and ESP and then let any machine talking IPSec pass entirely through my
> firewall ignoring the rest of rules.
You can use iptables to open proto 50 and 51 to specific IPs, too:
iptables -A INPUT -i eth0 -p 50 -s n.n.n.n -j ACCEPT
iptables -A INPUT -i eth0 -p 51 -s n.n.n.n -j ACCEPT
iptables -A INPUT -i eth0 -p 51 -s n.m.n.n -j DROP
This will work. If you want netfilter to fully recognize IPsec states
you have to do it yourself; afaik there is no IPsec support for the
stateful/conntrack system.
But you are better off asking here: netfilter-devel@lists.samba.org
--
Regards,
Wiktor Wodecki