* kernel 2.6 IPsec and netfilter
@ 2004-03-29 11:10 Devaraj Das
2004-03-29 12:33 ` Thomas Lussnig
2004-03-29 12:36 ` Lane Powers
0 siblings, 2 replies; 7+ messages in thread
From: Devaraj Das @ 2004-03-29 11:10 UTC (permalink / raw)
To: netfilter
Hi,
I wanted to know whether there is a working solution for the issue that
was discussed sometime back:
http://www.spinics.net/lists/netfilter/msg22099.html
In short is there any solution to enable blocking selective ports in a
machine running Linux 2.6.0 + in-kernel ipsec.
I would be very helpful if I can get a working solution or some
information on a possible solution.
Thanks,
Devaraj.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel 2.6 IPsec and netfilter
2004-03-29 11:10 kernel 2.6 IPsec and netfilter Devaraj Das
@ 2004-03-29 12:33 ` Thomas Lussnig
2004-03-29 15:13 ` Devaraj Das
2004-03-29 12:36 ` Lane Powers
1 sibling, 1 reply; 7+ messages in thread
From: Thomas Lussnig @ 2004-03-29 12:33 UTC (permalink / raw)
To: netfilter; +Cc: Devaraj Das
Devaraj Das wrote:
>Hi,
>I wanted to know whether there is a working solution for the issue that
>was discussed sometime back:
>http://www.spinics.net/lists/netfilter/msg22099.html
>In short is there any solution to enable blocking selective ports in a
>machine running Linux 2.6.0 + in-kernel ipsec.
>I would be very helpful if I can get a working solution or some
>information on a possible solution.
>Thanks,
>Devaraj.
>
>
Hi,
if you look at ipsec from Linux-2.6.0 you would have noticed that you define
SRC-IP/SRC-PORT -- DST-IP/DST-PORT this mean you question imply the
following setup:
1. You allow any port combination to go via the ipsec tunnel
2. You have ports that should not go via the ipsec tunnel wich you allow
via ipsec
3. Now this ports should be filtered on iptables layer
- possible at prerouting/mangle
+ define the correkt ipsec config
Grufl Thomas Luflnig
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel 2.6 IPsec and netfilter
2004-03-29 12:33 ` Thomas Lussnig
@ 2004-03-29 15:13 ` Devaraj Das
0 siblings, 0 replies; 7+ messages in thread
From: Devaraj Das @ 2004-03-29 15:13 UTC (permalink / raw)
To: Thomas Lussnig, lpowers; +Cc: netfilter
Thanks for your responses Thomas & Lane. I forgot to mention that I am using
racoon as the IKE daemon. If I enable ipsec tunnelling between two linux-2.6
machines, things work fine. I am able to restrict accesses to ports, etc.
I also have windows (2K) machines that can be connected as a client to the
linux-2.6 machine. The problem that I am facing now is that the windows
machine's native ipsec implementation does not work if the "tunnel mode" is
enabled. So now I am looking for a solution that does not require enabling
tunnelling.
Thanks for your help.
Devaraj.
Thomas Lussnig wrote:
> Devaraj Das wrote:
>
> >Hi,
> >I wanted to know whether there is a working solution for the issue that
> >was discussed sometime back:
> >http://www.spinics.net/lists/netfilter/msg22099.html
> >In short is there any solution to enable blocking selective ports in a
> >machine running Linux 2.6.0 + in-kernel ipsec.
> >I would be very helpful if I can get a working solution or some
> >information on a possible solution.
> >Thanks,
> >Devaraj.
> >
> >
> Hi,
> if you look at ipsec from Linux-2.6.0 you would have noticed that you define
> SRC-IP/SRC-PORT -- DST-IP/DST-PORT this mean you question imply the
> following setup:
>
> 1. You allow any port combination to go via the ipsec tunnel
> 2. You have ports that should not go via the ipsec tunnel wich you allow
> via ipsec
> 3. Now this ports should be filtered on iptables layer
> - possible at prerouting/mangle
> + define the correkt ipsec config
>
> Grufl Thomas Luflnig
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: kernel 2.6 IPsec and netfilter
2004-03-29 11:10 kernel 2.6 IPsec and netfilter Devaraj Das
2004-03-29 12:33 ` Thomas Lussnig
@ 2004-03-29 12:36 ` Lane Powers
2004-03-29 15:21 ` Devaraj Das
1 sibling, 1 reply; 7+ messages in thread
From: Lane Powers @ 2004-03-29 12:36 UTC (permalink / raw)
To: netfilter
Well, it might not be perfect, but here is what I do, and it 'works for me'
In my ipsec.conf I use the updown script functionality of pluto, i.e. in
my conn default I put
leftupdown=/usr/local/bin/updown.sh
and then that script is responsible for setting netfilter rules for that
ip while the tunnel is up, i.e.
#!/bin/bash
if [ "$PLUTO_VERB" == "up-client" ] || [ "$PLUTO_VERB" == "up-host" ] ; then
iptables -N $PLUTO_CONNECTION;
iptables -A $PLUTO_CONNECTION -p tcp --dport 22 -j ACCEPT;
iptables -A $PLUTO_CONNECTION -p tcp --dport 23 -j ACCEPT;
iptables -A $PLUTO_CONNECTION -p tcp --dport 80 -j ACCEPT;
iptables -A $PLUTO_CONNECTION -p tcp --dport 443 -j ACCEPT;
iptables -A $PLUTO_CONNECTION -p tcp --dport 3389 -j ACCEPT;
iptables -A $PLUTO_CONNECTION -p tcp --dport 5900 -j ACCEPT;
iptables -A $PLUTO_CONNECTION -p icmp --icmp-type echo-reply
-j ACCEPT;
iptables -A $PLUTO_CONNECTION -p icmp --icmp-type echo-request
-j ACCEPT;
iptables -A $PLUTO_CONNECTION -j ACCEPT
iptables -I INPUT -s $PLUTO_PEER -j $PLUTO_CONNECTION;
iptables -I FORWARD -s $PLUTO_PEER -j $PLUTO_CONNECTION;
exit 0;
elif [ "$PLUTO_VERB" == "down-client" ] || [ "$PLUTO_VERB" ==
"down-host" ] ; then
iptables -D INPUT -s $PLUTO_PEER -j $PLUTO_CONNECTION;
iptables -D FORWARD -s $PLUTO_PEER -j $PLUTO_CONNECTION;
iptables -F $PLUTO_CONNECTION;
iptables -X $PLUTO_CONNECTION;
exit 0;
fi
exit 0;
obviously if you needed different rules per tunnel you could just move
the updown into the individual conn and define a seperate script per
connection with different rules. all of the $PLUTO_... stuff is set in
the ENV while the connection is being built... obviously for me, my
FORWARD chain is a default drop, so I am just inserting at the top and
allowing what I want for the duration of the tunnel.
Hope that helps.
Lane
Devaraj Das wrote:
> Hi,
> I wanted to know whether there is a working solution for the issue that
> was discussed sometime back:
> http://www.spinics.net/lists/netfilter/msg22099.html
> In short is there any solution to enable blocking selective ports in a
> machine running Linux 2.6.0 + in-kernel ipsec.
> I would be very helpful if I can get a working solution or some
> information on a possible solution.
> Thanks,
> Devaraj.
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: kernel 2.6 IPsec and netfilter
2004-03-29 12:36 ` Lane Powers
@ 2004-03-29 15:21 ` Devaraj Das
0 siblings, 0 replies; 7+ messages in thread
From: Devaraj Das @ 2004-03-29 15:21 UTC (permalink / raw)
To: Lane Powers; +Cc: netfilter
Lets take for this discussion a simple case where
* we want to disable 10.0.1.5's access to port 5000 on another machine 10.0.1.1.
* 10.0.1.5, however, has access to all other ports on 10.0.1.1.
* Another machine 10.0.1.6 has access to all ports on 10.0.1.1.
* Creating tunnels to 10.0.1.1 may not be possible on all machines.
* All the clients have to necessarily go through the ipsec protocols...
* racoon is the key mgmt daemon.
Please let me know your inputs...
Thanks,
Devaraj.
Lane Powers wrote:
> Well, it might not be perfect, but here is what I do, and it 'works for me'
>
> In my ipsec.conf I use the updown script functionality of pluto, i.e. in
> my conn default I put
> leftupdown=/usr/local/bin/updown.sh
>
> and then that script is responsible for setting netfilter rules for that
> ip while the tunnel is up, i.e.
>
> #!/bin/bash
> if [ "$PLUTO_VERB" == "up-client" ] || [ "$PLUTO_VERB" == "up-host" ] ; then
> iptables -N $PLUTO_CONNECTION;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 22 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 23 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 80 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 443 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 3389 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 5900 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p icmp --icmp-type echo-reply
> -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p icmp --icmp-type echo-request
> -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -j ACCEPT
> iptables -I INPUT -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> iptables -I FORWARD -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> exit 0;
> elif [ "$PLUTO_VERB" == "down-client" ] || [ "$PLUTO_VERB" ==
> "down-host" ] ; then
> iptables -D INPUT -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> iptables -D FORWARD -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> iptables -F $PLUTO_CONNECTION;
> iptables -X $PLUTO_CONNECTION;
> exit 0;
> fi
> exit 0;
>
> obviously if you needed different rules per tunnel you could just move
> the updown into the individual conn and define a seperate script per
> connection with different rules. all of the $PLUTO_... stuff is set in
> the ENV while the connection is being built... obviously for me, my
> FORWARD chain is a default drop, so I am just inserting at the top and
> allowing what I want for the duration of the tunnel.
>
> Hope that helps.
>
> Lane
>
> Devaraj Das wrote:
> > Hi,
> > I wanted to know whether there is a working solution for the issue that
> > was discussed sometime back:
> > http://www.spinics.net/lists/netfilter/msg22099.html
> > In short is there any solution to enable blocking selective ports in a
> > machine running Linux 2.6.0 + in-kernel ipsec.
> > I would be very helpful if I can get a working solution or some
> > information on a possible solution.
> > Thanks,
> > Devaraj.
> >
> >
^ permalink raw reply [flat|nested] 7+ messages in thread
* kernel 2.6 IPsec and netfilter
@ 2004-01-14 18:51 Dobersberger Dieter
2004-01-15 3:06 ` Dobersberger Dieter
0 siblings, 1 reply; 7+ messages in thread
From: Dobersberger Dieter @ 2004-01-14 18:51 UTC (permalink / raw)
To: netfilter
Hi All !
I have set up an in-kernel IPsec Tunnel with Linux 2.6.0 and want to
filter traffic going through this tunnel.
Before I upgraded to 2.6 I used FreeS/WAN on Linux 2.4 which provided
a virtual interface called ipsec0 which I could use to apply rules
after the IPsec packet has been decrypted. Now with kernel 2.6 ipsec0
is gone and the incoming interface is the same as the physical (eth0).
So the machine on the other end of the IPsec tunnel has unlimted
access to my server.
I used these rules for FreeS/WAN:
# $WWW .. ip address of the webserver
# $DB ... ip address of the database server
# both are linked with an IPsec tunnel
# allow IKE and IPsec (AH and ESP)
iptables -A INPUT -s $WWW -d $DB -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $WWW -d $DB -p 50 -j ACCEPT
iptables -A INPUT -s $WWW -d $DB -p 51 -j ACCEPT
# allow mysql via IPsec
iptables -A INPUT -i ipsec0 -p tcp -s $WWW -d $DB \
--dport 3306 -j ACCEPT
# drop everything else
iptables -A INPUT -j DROP
The above rules don't work for in-kernel IPsec. The www server has
unlimited access to the db server because the decrypted packets are
not processed by iptables.
All I found on the net is a link to an older thread discussing the
same problem but they didn't find a solution:
http://www.spinics.net/lists/netfilter/msg18030.html
Anyone got an idea how to limit the traffic coming in via IPsec to
certain ports and block all other traffic ? Can someone please post
iptables rules that do the same filtering for in-kernel IPsec as mine
did in FreeS/WAN ?
Thanks for reading this far.
best regards,
Dieter
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2004-03-29 15:21 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-03-29 11:10 kernel 2.6 IPsec and netfilter Devaraj Das
2004-03-29 12:33 ` Thomas Lussnig
2004-03-29 15:13 ` Devaraj Das
2004-03-29 12:36 ` Lane Powers
2004-03-29 15:21 ` Devaraj Das
-- strict thread matches above, loose matches on Subject: below --
2004-01-14 18:51 Dobersberger Dieter
2004-01-15 3:06 ` Dobersberger Dieter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.