* Filtering Transport Mode IPSec
@ 2005-09-29 15:09 Aaron Smith
From: Aaron Smith @ 2005-09-29 15:09 UTC (permalink / raw)
To: netfilter
I have a Windows 2003 server connecting as a client, in Transport
mode, via IPSec to a RHEL4 server running a 2.6.9 kernel and StrongSwan.
I would like to use netfilter to filter the protocols and ports that the
windows server can access on the RHEL4 server, but from what I've read,
transport mode IPSec packets are decrypted AFTER they have traversed the
netfilter chains. I have a rule in my INPUT chain that says to allow ESP
(protocol 50) packets and this appears to be enough for the windows client
to bypass the rest of the rules. I also have a linux client connecting to
this same server in Tunnel mode and its packets appear to be accepted,
decrypted, and then sent back into the interface to be subjected to
netfilter so everything works fine there. Is there any way to use
netfilter to filter Transport Mode IPSec?
------
"The pain of war cannot exceed the woe of aftermath
The drums will shake the castle walls,
the Ringwraiths ride in black..."
Led Zeppelin, "The Battle of Evermore"
* Re: Filtering Transport Mode IPSec
@ 2005-10-04 1:29 ` Grant Taylor
From: Grant Taylor @ 2005-10-04 1:29 UTC (permalink / raw)
To: Aaron Smith; +Cc: netfilter
Take a look at the NetFilter IPSec patches (4 of them I think). These patches are designed to have the traffic that is passing through the IPSec VPN pass through the NetFilter table twice, once encrypted and once decrypted. This will allow you to filter the traffic on the 2nd (decrypted) pass the way that you are wanting to do.
Grant. . . .
Aaron Smith wrote:
> I have a Windows 2003 server connecting as a client, in Transport mode,
> via IPSec to a RHEL4 server running a 2.6.9 kernel and StrongSwan.
> I would like to use netfilter to filter the protocols and ports that the
> windows server can access on the RHEL4 server, but from what I've read,
> transport mode IPSec packets are decrypted AFTER they have traversed the
> netfilter chains. I have a rule in my INPUT chain that says to allow
> ESP (protocol 50) packets and this appears to be enough for the windows
> client to bypass the rest of the rules. I also have a linux client
> connecting to this same server in Tunnel mode and its packets appear to
> be accepted, decrypted, and then sent back into the interface to be
> subjected to netfilter so everything works fine there. Is there any way
> to use netfilter to filter Transport Mode IPSec?
>
> ------
> "The pain of war cannot exceed the woe of aftermath
> The drums will shake the castle walls, the Ringwraiths ride in black..."
> Led Zeppelin, "The Battle of Evermore"
>
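The two-pass filtering Grant describes corresponds to the netfilter `policy` match that later mainline kernels gained from those IPsec patches (it is not in a stock 2.6.9 kernel). The script below is an added example, not code from the thread; it assumes a constructed peer address 192.0.2.10 and allowed TCP ports 445 and 3389 (the `PEER` and `ALLOWED_TCP` variables), and `IPT=echo` previews the rules without installing them:

```shell
#!/bin/sh
# Added example: restrict a transport-mode IPsec peer to a few TCP ports
# on the decrypted pass, using the netfilter "policy" match.
# IPT defaults to iptables; set IPT=echo to preview instead of applying.
IPT=${IPT:-iptables}
PEER=${PEER:-192.0.2.10}               # constructed sample peer address
ALLOWED_TCP=${ALLOWED_TCP:-"445 3389"} # constructed sample port list

ipsec_transport_rules() {
    # 1. Encrypted pass: the ESP packets themselves must be accepted or the
    #    SA never delivers anything. On its own this does not expose any
    #    service, because the decrypted inner packet is filtered again below.
    $IPT -A INPUT -s "$PEER" -p esp -j ACCEPT

    # 2. Decrypted pass: only packets that arrived inside a transport-mode
    #    SA from the peer (--pol ipsec) may reach the listed ports. Without
    #    "-m policy" the same rule would also accept cleartext TCP from PEER.
    for port in $ALLOWED_TCP; do
        $IPT -A INPUT -s "$PEER" -m policy --dir in --pol ipsec --mode transport \
             -p tcp --dport "$port" -j ACCEPT
    done

    # 3. Everything else from the peer, whether decrypted from the SA or
    #    sent in the clear, is logged and dropped.
    $IPT -A INPUT -s "$PEER" -j LOG --log-prefix "ipsec-peer-drop: "
    $IPT -A INPUT -s "$PEER" -j DROP
}

# Number of INPUT rules the function emits; meaningful when IPT=echo.
count_rules() { ipsec_transport_rules | grep -c -- '-A INPUT'; }

if [ "${1:-}" = apply ]; then
    ipsec_transport_rules
fi
```

Run as `sh script.sh apply` to install the rules; the ESP ACCEPT must stay ahead of the per-port rules or the SA itself is blocked.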
* Filtering Transport Mode IPSec
@ 2005-10-03 20:57 Aaron Smith
From: Aaron Smith @ 2005-10-03 20:57 UTC (permalink / raw)
To: netfilter
Is there a way to filter IPSec packets in Transport mode AFTER they've
been decrypted?
------
"The pain of war cannot exceed the woe of aftermath
The drums will shake the castle walls,
the Ringwraiths ride in black..."
Led Zeppelin, "The Battle of Evermore"