* kernel 2.6 IPsec and netfilter
From: Dobersberger Dieter @ 2004-01-14 18:51 UTC
To: netfilter
Hi All !
I have set up an in-kernel IPsec Tunnel with Linux 2.6.0 and want to
filter traffic going through this tunnel.
Before I upgraded to 2.6 I used FreeS/WAN on Linux 2.4 which provided
a virtual interface called ipsec0 which I could use to apply rules
after the IPsec packet has been decrypted. Now with kernel 2.6 ipsec0
is gone and the incoming interface is the same as the physical (eth0).
So the machine on the other end of the IPsec tunnel has unlimited
access to my server.
I used these rules for FreeS/WAN:
# $WWW .. ip address of the webserver
# $DB ... ip address of the database server
# both are linked with an IPsec tunnel
# allow IKE and IPsec (AH and ESP)
iptables -A INPUT -s $WWW -d $DB -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $WWW -d $DB -p 50 -j ACCEPT
iptables -A INPUT -s $WWW -d $DB -p 51 -j ACCEPT
# allow mysql via IPsec
iptables -A INPUT -i ipsec0 -p tcp -s $WWW -d $DB \
--dport 3306 -j ACCEPT
# drop everything else
iptables -A INPUT -j DROP
The above rules don't work for in-kernel IPsec. The www server has
unlimited access to the db server because the decrypted packets are
not processed by iptables.
All I found on the net is a link to an older thread discussing the
same problem but they didn't find a solution:
http://www.spinics.net/lists/netfilter/msg18030.html
Anyone got an idea how to limit the traffic coming in via IPsec to
certain ports and block all other traffic? Can someone please post
iptables rules that do the same filtering for in-kernel IPsec as mine
did in FreeS/WAN?
Thanks for reading this far.
best regards,
Dieter
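The WWW/DB ruleset above, rewritten for in-kernel IPsec where no ipsec0 interface exists. This is an added example, not code from Dieter's post or from Valentijn's reply. It relies on the iptables `policy` match (`-m policy`), which identifies a packet that was just decapsulated from an IPsec SA; that match arrived with kernel 2.6.16 and iptables 1.3.5, later than the 2.6.0 discussed in the thread, so this is the later answer rather than the 2004 one. The $WWW/$DB placeholders are the thread's; the IPT variable, the function name and the LOG prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: port-filter decrypted in-kernel IPsec traffic with the
# xt_policy match instead of "-i ipsec0". Needs kernel >= 2.6.16 and
# iptables >= 1.3.5 (not the 2.6.0 of the thread). IPT defaults to
# "echo iptables" so the rules are printed for review; run as root with
# IPT=iptables to load them.
IPT="${IPT:-echo iptables}"

# Emit INPUT rules for database host $2 that accept MySQL from web server $1
# only when the segment arrived inside an ESP SA, and nothing else from it.
ipsec_input_rules() {
    www="$1"
    db="$2"
    # IKE and the IPsec protocols themselves (the outer packets).
    $IPT -A INPUT -s "$www" -d "$db" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -s "$www" -d "$db" -p esp -j ACCEPT
    $IPT -A INPUT -s "$www" -d "$db" -p ah -j ACCEPT
    # After decapsulation the inner TCP segment traverses INPUT a second
    # time, still with eth0 as its input interface. The policy match ties
    # the rule to packets that were covered by an inbound IPsec policy, so a
    # cleartext segment from the same source address cannot use it.
    $IPT -A INPUT -s "$www" -d "$db" -p tcp --dport 3306 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Everything else from the peer, decrypted or not, is logged and dropped.
    $IPT -A INPUT -s "$www" -j LOG --log-prefix "ipsec-peer-denied: "
    $IPT -A INPUT -s "$www" -j DROP
    $IPT -A INPUT -j DROP
}

# Usage: ./ipsec-filter.sh <www-address> <db-address>
if [ "$#" -eq 2 ]; then
    ipsec_input_rules "$1" "$2"
fi
```

Run `iptables -m policy --help` first: if the extension is present it prints the match options, otherwise the kernel or iptables is too old for this approach. The explicit `-s $WWW -j DROP` is defence in depth; with an inbound SPD entry of level "require" for the peer, the kernel already discards cleartext from that address before netfilter sees it.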
* Re: kernel 2.6 IPsec and netfilter
From: Dobersberger Dieter @ 2004-01-15 3:06 UTC
To: netfilter
Wednesday, January 14, 2004, 7:51:24 PM, Dobersberger Dieter wrote:
> I have set up an in-kernel IPsec Tunnel with Linux 2.6.0 and want to
> filter traffic going through this tunnel.
Hi All !
Valentijn Sessink has posted a solution to my problem to the list:
Subject: port based filtering and IPsec linux 2.6
Date: Wed, 14 Jan 2004 21:41:34 +0100
https://lists.netfilter.org/pipermail/netfilter/2004-January/049775.html
thanks for your help Valentijn !
best regards,
Dieter
* kernel 2.6 IPsec and netfilter
From: Devaraj Das @ 2004-03-29 11:10 UTC
To: netfilter
Hi,
I wanted to know whether there is a working solution for the issue that
was discussed sometime back:
http://www.spinics.net/lists/netfilter/msg22099.html
In short is there any solution to enable blocking selective ports in a
machine running Linux 2.6.0 + in-kernel ipsec.
It would be very helpful if I could get a working solution or some
information on a possible solution.
Thanks,
Devaraj.
* Re: kernel 2.6 IPsec and netfilter
From: Thomas Lussnig @ 2004-03-29 12:33 UTC
To: netfilter; +Cc: Devaraj Das
Devaraj Das wrote:
>Hi,
>I wanted to know whether there is a working solution for the issue that
>was discussed sometime back:
>http://www.spinics.net/lists/netfilter/msg22099.html
>In short is there any solution to enable blocking selective ports in a
>machine running Linux 2.6.0 + in-kernel ipsec.
>I would be very helpful if I can get a working solution or some
>information on a possible solution.
>Thanks,
>Devaraj.
>
>
Hi,
If you look at IPsec in Linux 2.6.0 you will have noticed that you define
SRC-IP/SRC-PORT -- DST-IP/DST-PORT; this means your question implies the
following setup:
1. You allow any port combination to go via the IPsec tunnel
2. You have ports that should not go via the IPsec tunnel which you allow
via IPsec
3. Now these ports should be filtered on the iptables layer
- possible at prerouting/mangle
+ define the correct IPsec config
Regards, Thomas Lußnig
* Re: kernel 2.6 IPsec and netfilter
From: Lane Powers @ 2004-03-29 12:36 UTC
To: netfilter
Well, it might not be perfect, but here is what I do, and it 'works for me'.
In my ipsec.conf I use the updown script functionality of pluto, i.e. in
my conn default I put
leftupdown=/usr/local/bin/updown.sh
and then that script is responsible for setting netfilter rules for that
ip while the tunnel is up, i.e.
#!/bin/bash
# Pluto runs this as the conn's updown script. It passes the event in
# PLUTO_VERB, the conn name in PLUTO_CONNECTION, the peer gateway in
# PLUTO_PEER and the peer's client subnet in PLUTO_PEER_CLIENT (which is
# PLUTO_PEER/32 for a host-to-host conn). Decrypted packets carry the
# client addresses, so that is what the rules must match on. iptables
# chain names are limited to 28 characters, so keep conn names short.
case "$PLUTO_VERB" in
up-client|up-host)
    # Create a per-connection chain; -N fails if a stale one was left behind,
    # in which case just flush it and start over.
    iptables -N "$PLUTO_CONNECTION" 2>/dev/null || iptables -F "$PLUTO_CONNECTION"
    for port in 22 23 80 443 3389 5900; do
        iptables -A "$PLUTO_CONNECTION" -p tcp --dport "$port" -j ACCEPT
    done
    iptables -A "$PLUTO_CONNECTION" -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A "$PLUTO_CONNECTION" -p icmp --icmp-type echo-request -j ACCEPT
    # Hand anything not listed back to INPUT/FORWARD so their policy decides;
    # a trailing "-j ACCEPT" here would make the port rules above pointless.
    iptables -A "$PLUTO_CONNECTION" -j RETURN
    # Route the peer's traffic through the chain for as long as the SA is up.
    iptables -I INPUT -s "$PLUTO_PEER_CLIENT" -j "$PLUTO_CONNECTION"
    iptables -I FORWARD -s "$PLUTO_PEER_CLIENT" -j "$PLUTO_CONNECTION"
    ;;
down-client|down-host)
    iptables -D INPUT -s "$PLUTO_PEER_CLIENT" -j "$PLUTO_CONNECTION"
    iptables -D FORWARD -s "$PLUTO_PEER_CLIENT" -j "$PLUTO_CONNECTION"
    iptables -F "$PLUTO_CONNECTION"
    iptables -X "$PLUTO_CONNECTION"
    ;;
esac
exit 0
Obviously, if you needed different rules per tunnel you could just move
the updown into the individual conn and define a separate script per
connection with different rules. All of the $PLUTO_... stuff is set in
the ENV while the connection is being built. Obviously for me, my
FORWARD chain is a default drop, so I am just inserting at the top and
allowing what I want for the duration of the tunnel.
Hope that helps.
Lane
Devaraj Das wrote:
> Hi,
> I wanted to know whether there is a working solution for the issue that
> was discussed sometime back:
> http://www.spinics.net/lists/netfilter/msg22099.html
> In short is there any solution to enable blocking selective ports in a
> machine running Linux 2.6.0 + in-kernel ipsec.
> I would be very helpful if I can get a working solution or some
> information on a possible solution.
> Thanks,
> Devaraj.
>
>
* Re: kernel 2.6 IPsec and netfilter
From: Devaraj Das @ 2004-03-29 15:13 UTC
To: Thomas Lussnig, lpowers; +Cc: netfilter
Thanks for your responses Thomas & Lane. I forgot to mention that I am using
racoon as the IKE daemon. If I enable ipsec tunnelling between two linux-2.6
machines, things work fine. I am able to restrict accesses to ports, etc.
I also have windows (2K) machines that can be connected as a client to the
linux-2.6 machine. The problem that I am facing now is that the windows
machine's native ipsec implementation does not work if the "tunnel mode" is
enabled. So now I am looking for a solution that does not require enabling
tunnelling.
Thanks for your help.
Devaraj.
Thomas Lussnig wrote:
> Devaraj Das wrote:
>
> >Hi,
> >I wanted to know whether there is a working solution for the issue that
> >was discussed sometime back:
> >http://www.spinics.net/lists/netfilter/msg22099.html
> >In short is there any solution to enable blocking selective ports in a
> >machine running Linux 2.6.0 + in-kernel ipsec.
> >I would be very helpful if I can get a working solution or some
> >information on a possible solution.
> >Thanks,
> >Devaraj.
> >
> >
> Hi,
> if you look at ipsec from Linux-2.6.0 you would have noticed that you define
> SRC-IP/SRC-PORT -- DST-IP/DST-PORT this mean you question imply the
> following setup:
>
> 1. You allow any port combination to go via the ipsec tunnel
> 2. You have ports that should not go via the ipsec tunnel wich you allow
> via ipsec
> 3. Now this ports should be filtered on iptables layer
> - possible at prerouting/mangle
> + define the correkt ipsec config
>
> Regards, Thomas Lußnig
* Re: kernel 2.6 IPsec and netfilter
From: Devaraj Das @ 2004-03-29 15:21 UTC
To: Lane Powers; +Cc: netfilter
Let's take for this discussion a simple case where
* we want to disable 10.0.1.5's access to port 5000 on another machine 10.0.1.1.
* 10.0.1.5, however, has access to all other ports on 10.0.1.1.
* Another machine 10.0.1.6 has access to all ports on 10.0.1.1.
* Creating tunnels to 10.0.1.1 may not be possible on all machines.
* All the clients have to necessarily go through the ipsec protocols...
* racoon is the key mgmt daemon.
Please let me know your inputs...
Thanks,
Devaraj.
Lane Powers wrote:
> Well, it might not be perfect, but here is what I do, and it 'works for me'
>
> In my ipsec.conf I use the updown script functionality of pluto, i.e. in
> my conn default I put
> leftupdown=/usr/local/bin/updown.sh
>
> and then that script is responsible for setting netfilter rules for that
> ip while the tunnel is up, i.e.
>
> #!/bin/bash
> if [ "$PLUTO_VERB" == "up-client" ] || [ "$PLUTO_VERB" == "up-host" ] ; then
> iptables -N $PLUTO_CONNECTION;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 22 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 23 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 80 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 443 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 3389 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p tcp --dport 5900 -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p icmp --icmp-type echo-reply
> -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -p icmp --icmp-type echo-request
> -j ACCEPT;
> iptables -A $PLUTO_CONNECTION -j ACCEPT
> iptables -I INPUT -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> iptables -I FORWARD -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> exit 0;
> elif [ "$PLUTO_VERB" == "down-client" ] || [ "$PLUTO_VERB" ==
> "down-host" ] ; then
> iptables -D INPUT -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> iptables -D FORWARD -s $PLUTO_PEER -j $PLUTO_CONNECTION;
> iptables -F $PLUTO_CONNECTION;
> iptables -X $PLUTO_CONNECTION;
> exit 0;
> fi
> exit 0;
>
> obviously if you needed different rules per tunnel you could just move
> the updown into the individual conn and define a seperate script per
> connection with different rules. all of the $PLUTO_... stuff is set in
> the ENV while the connection is being built... obviously for me, my
> FORWARD chain is a default drop, so I am just inserting at the top and
> allowing what I want for the duration of the tunnel.
>
> Hope that helps.
>
> Lane
>
> Devaraj Das wrote:
> > Hi,
> > I wanted to know whether there is a working solution for the issue that
> > was discussed sometime back:
> > http://www.spinics.net/lists/netfilter/msg22099.html
> > In short is there any solution to enable blocking selective ports in a
> > machine running Linux 2.6.0 + in-kernel ipsec.
> > I would be very helpful if I can get a working solution or some
> > information on a possible solution.
> > Thanks,
> > Devaraj.
> >
> >
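Devaraj's simple case, solved in the SPD rather than in netfilter, as an added example that is not part of the thread or any of its participants' configurations. The idea follows Thomas's "define the correct IPsec config": the kernel's xfrm input path runs the inbound SPD lookup on the packet after ESP decapsulation, so a policy with `action block` for one client and one TCP port discards that traffic whether or not it arrived encrypted, and it works in transport mode with racoon as the IKE daemon, which is the constraint the Windows 2000 clients impose. The addresses and the port are Devaraj's; the use of iproute2's `ip xfrm policy` (assumed to support `action block` and `priority`), the IPX variable and the function names are assumptions of this example. Equivalent `spdadd` lines in racoon's setkey.conf must not overlap with these at a higher precedence.

```shell
#!/bin/sh
# Added example: per-port blocking for in-kernel IPsec in transport mode,
# enforced in the SPD with ip(8) "xfrm policy" instead of iptables. Assumes
# an iproute2 whose "ip xfrm policy add" accepts "action block" and
# "priority". IPX defaults to "echo ip" so the policies are printed for
# review; run as root with IPX=ip to load them on the server.
IPX="${IPX:-echo ip}"

SERVER=10.0.1.1
RESTRICTED=10.0.1.5    # may reach every port on the server except 5000
TRUSTED=10.0.1.6       # may reach every port on the server
BLOCKED_PORT=5000

# Require ESP in transport mode between a client and the server, both ways.
# Priority 200 is the catch-all; in xfrm the lower number takes precedence.
require_esp() {
    client="$1"
    $IPX xfrm policy add src "$client/32" dst "$SERVER/32" dir in priority 200 \
        action allow tmpl proto esp mode transport level required
    $IPX xfrm policy add src "$SERVER/32" dst "$client/32" dir out priority 200 \
        action allow tmpl proto esp mode transport level required
}

# Block one TCP port from one client. The inbound SPD lookup happens after
# ESP decapsulation, so this matches the decrypted TCP segment; a cleartext
# segment to the same port hits the same block, and a cleartext segment to
# any other port is dropped by the "required" policy above for lacking ESP.
block_port() {
    client="$1"
    port="$2"
    $IPX xfrm policy add src "$client/32" dst "$SERVER/32" proto tcp dport "$port" \
        dir in priority 100 action block
}

# Emit the complete server-side SPD for the scenario.
spd_rules() {
    block_port "$RESTRICTED" "$BLOCKED_PORT"
    require_esp "$RESTRICTED"
    require_esp "$TRUSTED"
}

# Usage: ./spd-rules.sh        (prints the commands)
#        IPX=ip ./spd-rules.sh (loads them; run as root)
if [ "$#" -eq 0 ]; then
    spd_rules
fi
```

Verify with `ip xfrm policy show` (or `setkey -DP`) that the block entry lists before the catch-all for the same selector, and from 10.0.1.5 confirm that port 5000 times out while another port still completes its handshake over ESP.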