From: Valentijn Sessink <valentyn+netfilter-users@nospam.openoffice.nl>
To: Andreas Kretschmer <andreas_kretschmer@despammed.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: [despammed] port based filtering and IPsec 2.6
Date: Wed, 21 Jan 2004 16:37:48 +0100
Message-ID: <20040121153748.GA2715@openoffice.nl>
In-Reply-To: <20040117134519.GA4911@kaufbach.delug.de>
On Sat, Jan 17, 2004 at 02:45:19PM +0100, Andreas Kretschmer wrote:
> > Simply use a *tunnel* between the two hosts, and define the subnets to
> > be "tunneled" to be the hosts themselves
> Okay, but you can't filter packets. It's not possible to filter, for
> instance, all traffic from/to the telnet port and enable all traffic to/from
> the ssh port.
Yes you can. Re-read my post, and be creative.
Example: suppose you want to set up a secure connection between host1 and
host2, and you want to allow POP3 between these, but only if the POP3 came
in through IPsec.
Steps to take:
1) set up a VPN between host1 and host2. NOTE: use tunnel mode for this, not
transport mode! I repeat: use tunnel mode, not transport! NOTE 2: when using
tunnel mode, you MUST use authentication, otherwise your VPN is not secure!
2) set up your firewalling:
# first, we set a "mark" on every IPsec packet that comes in.
iptables -t mangle -A INPUT -p esp -j MARK --set-mark 1
# the Linux kernel keeps the MARK after a packet has been decrypted, so
# we can check for the mark to see if a packet came in through IPsec. This
# is equivalent to the ipsec0 virtual interface that FreeS/WAN has.
#
# we are silly firewall builders and we accept every "marked" packet that
# goes to port 110. DO NOT DO THIS AT HOME, you should probably use stateful
# firewalling for this.
iptables -A INPUT -p tcp --dport pop3 -m mark --mark 1 -j ACCEPT
# we drop all other packets to port 110
iptables -A INPUT -p tcp --dport pop3 -j DROP
V.
--
Block those annoying popup ads with Mozilla: www.mozilla.org
-
http://www.openoffice.nl/ Open Office - Linux Office Solutions
Valentijn Sessink valentyn+sessink@nospam.openoffice.nl
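The rule set from the mail, generalized to several TCP services, as an added example that is not part of the original message or of any netfilter project code. It only prints the iptables commands (so they can be reviewed before being piped to a shell on a live firewall); the mark value 1 and the port list are assumptions taken from the mail's example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail: emit the "mark ESP, then accept a
# service only when the packet carries the IPsec mark" rules for several ports.
# Nothing here runs iptables; the output is meant to be reviewed first.

IPSEC_MARK=1   # assumption: same mark value as in the mail's example

# Print the two filter-table rules for one TCP port: accept if the packet was
# marked as having arrived through IPsec, otherwise drop it. The mark check
# is applied to every packet, not just the first one of a connection.
ipsec_only_rules() {
    port="$1"
    printf '%s\n' \
        "iptables -t filter -A INPUT -p tcp --dport $port -m mark --mark $IPSEC_MARK -j ACCEPT" \
        "iptables -t filter -A INPUT -p tcp --dport $port -j DROP"
}

# Full rule set: one mangle-table rule that marks every incoming ESP packet,
# followed by the accept/drop pair for each requested port.
build_ruleset() {
    echo "iptables -t mangle -A INPUT -p esp -j MARK --set-mark $IPSEC_MARK"
    for p in "$@"; do
        ipsec_only_rules "$p"
    done
}

# Sanity check on the generated set: 1 mark rule plus 2 rules per port.
rule_count() {
    build_ruleset "$@" | wc -l | tr -d ' '
}

# Constructed usage: POP3 (110) and IMAP (143) reachable only through IPsec.
build_ruleset 110 143
```

Because the mark match sits on the ACCEPT rule rather than on a connection-tracking entry, a cleartext packet that happens to match an IPsec-initiated connection's tuple is still dropped; the mail's own reminder about preferring stateful filtering still applies for the rest of the INPUT policy.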