* Iptables and IPSec
@ 2003-06-25 11:39 Raul Siles
0 siblings, 0 replies; 3+ messages in thread
From: Raul Siles @ 2003-06-25 11:39 UTC
To: netfilter
Hi all,
I have a Linux box (RedHat 7.3, kernel 2.4.18-19.7) working with
IPtables v.1.2.5.
I have installed a VPN client from NetLock (IPSEC), ver. 2.1.1-0,
www.netlock.org.
Everything works fine except the stateful rules, I mean:
- Once I connect through the VPN tunnel (it is using ISAKMP (UDP 500)
and ESP (IP protocol 50)), I cannot use UDP or TCP protocols when filtering
based only on the following rule:
From /etc/sysconfig/iptables:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
When working without VPN tunnel, just Internet connected, all the
protocols work fine, as for example, UDP dns resolution or TCP telnet,
ssh or http sessions.
When the tunnel has been established, it seems that IPtables cannot
extract the stateful information from the encapsulated packets (IPSec,
ESP), so it only works using old stateless rules such as:
-A INPUT -s 0/0 -d 0/0 -p tcp ! --syn -j ACCEPT
Any help and information about where IPtables stateful processing
takes place when using IPSec will be appreciated.
Best Regards,
Raúl
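A worked model of the behaviour Raul describes, added here as an example (it is not code from the thread, from Netfilter, or from the NetLock client). Constructed IPv4/TCP/ESP packets are fed to a deliberately simplified connection tracker (TCP/UDP keyed on the port pair; anything else, ESP included, keyed on the address pair and protocol only, as a generic tracker would) and to the two rules quoted in the post. Addresses, ports and SPIs are made up. It shows that an ESP packet exposes only addresses and an SPI to the tracker, that whether the ESTABLISHED match accepts a decrypted inner reply depends entirely on whether the tracker saw the outbound inner packet, and that the `! --syn` fallback also admits an unsolicited ACK probe that the state rule would reject.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Tuple5:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None when no L4 port is visible
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP security parameter index, if ESP

    def key(self) -> Tuple:
        # Simplified tracker: TCP/UDP per port pair, everything else
        # (ESP included) per address pair and protocol only.
        if self.proto in (IPPROTO_TCP, IPPROTO_UDP):
            return (self.src, self.dst, self.proto, self.sport, self.dport)
        return (self.src, self.dst, self.proto)

    def reply_key(self) -> Tuple:
        if self.proto in (IPPROTO_TCP, IPPROTO_UDP):
            return (self.dst, self.src, self.proto, self.dport, self.sport)
        return (self.dst, self.src, self.proto)


def _ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip4_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def build_packet(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) + L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                      proto, 0, _ip4_bytes(src), _ip4_bytes(dst))
    return hdr + l4


def tcp_segment(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header with the given flag bits; seq/ack/checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def esp_segment(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by opaque encrypted data."""
    return struct.pack("!II", spi, seq) + ciphertext


def extract_tuple(pkt: bytes) -> Tuple5:
    """What a connection tracker can key on, given only the outer packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = _ip4(pkt[12:16]), _ip4(pkt[16:20])
    l4 = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return Tuple5(src, dst, proto, sport, dport)
    if proto == IPPROTO_ESP:
        # Ports live inside the ciphertext; only the SPI is readable.
        return Tuple5(src, dst, proto, spi=struct.unpack("!I", l4[:4])[0])
    return Tuple5(src, dst, proto)


def is_syn_only(pkt: bytes) -> bool:
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    flags = pkt[(pkt[0] & 0x0F) * 4 + 13]
    return bool(flags & TCP_SYN) and not (flags & (TCP_ACK | TCP_RST | TCP_FIN))


def state_rule_accepts(pkt: bytes, conntrack: Set[Tuple]) -> bool:
    """'-m state --state ESTABLISHED -j ACCEPT': the reverse of this packet's
    tuple was recorded when the matching outbound packet left the host."""
    return extract_tuple(pkt).reply_key() in conntrack


def not_syn_rule_accepts(pkt: bytes) -> bool:
    """'-p tcp ! --syn -j ACCEPT': any TCP packet that is not a bare SYN."""
    return pkt[9] == IPPROTO_TCP and not is_syn_only(pkt)


def demo() -> dict:
    # Constructed scenario: host behind a VPN gateway talks SSH to a server.
    host, gateway, server = "10.0.0.2", "198.51.100.1", "203.0.113.5"
    out_syn = build_packet(host, server, IPPROTO_TCP, tcp_segment(40000, 22, TCP_SYN))
    out_esp = build_packet(host, gateway, IPPROTO_ESP, esp_segment(0x00010001, 1, b"\x5a" * 48))
    full_table = {extract_tuple(out_syn).key(), extract_tuple(out_esp).key()}
    outer_only = {extract_tuple(out_esp).key()}   # inner packet bypassed the tracker

    in_esp = build_packet(gateway, host, IPPROTO_ESP, esp_segment(0x00020002, 1, b"\x9a" * 48))
    inner_reply = build_packet(server, host, IPPROTO_TCP, tcp_segment(22, 40000, TCP_SYN | TCP_ACK))
    probe = build_packet("192.0.2.9", host, IPPROTO_TCP, tcp_segment(1337, 22, TCP_ACK))

    return {
        "esp_ports_visible": extract_tuple(in_esp).sport is not None,
        "esp_state_ok": state_rule_accepts(in_esp, full_table),
        "inner_state_ok": state_rule_accepts(inner_reply, full_table),
        "inner_state_outer_only": state_rule_accepts(inner_reply, outer_only),
        "inner_notsyn_ok": not_syn_rule_accepts(inner_reply),
        "probe_notsyn_ok": not_syn_rule_accepts(probe),
        "probe_state_ok": state_rule_accepts(probe, full_table),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `outer_only` table is the situation the post reports: the ESP packets themselves pass the state rule (the tracker saw the outbound ESP and matched the reply by address pair), but the decrypted inner reply does not, because the tracker never recorded the inner outbound packet. On later 2.6 kernels with the native IPsec stack the decapsulated packet re-traverses INPUT and can be matched with `-m policy --dir in --pol ipsec`; that match did not exist for the 2.4 setup in the thread, which is why the only alternative shown there is the stateless `! --syn` rule, with the exposure the probe case illustrates.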
* iptables and ipsec
@ 2003-10-22 11:12 dimitri borjac
2003-10-22 13:18 ` Julian Gomez
0 siblings, 1 reply; 3+ messages in thread
From: dimitri borjac @ 2003-10-22 11:12 UTC
To: netfilter
Hi,
Do you know where I can find any interesting documentation about the
interoperability/compatibility of IPsec with iptables?
What about the possible UDP encapsulation and pass-through
technology?
Any link or help would be appreciated :)
Thanks!
Dimo
* Re: iptables and ipsec
2003-10-22 11:12 iptables and ipsec dimitri borjac
@ 2003-10-22 13:18 ` Julian Gomez
0 siblings, 0 replies; 3+ messages in thread
From: Julian Gomez @ 2003-10-22 13:18 UTC
To: netfilter
On Wed, Oct 22, 2003 at 11:12:56AM +0000, dimitri borjac spoke thusly:
>Do you know where I can find any interesting documentation about the
>interoperability/compatibility of IPsec with iptables?
Check the FreeSWAN docs out. Last time I checked (which was in the 1.9x
series), there was complementary information regarding it.
It also depends on what IPsec scenario you are envisioning.
>What about the possible UDP encapsulation and pass-through
>technology?
I think only Checkpoint (?) and Cisco do UDP encapsulation for NAT
traversal. I have no experience with pass-through.
In general, IPsec + Netfilter will play nice together. If you are
experiencing otherwise however, give us more information.