Linux Netfilter discussions
* Argh!  I'm kicking myself
From: Ian Hunter @ 2003-12-19 20:42 UTC (permalink / raw)
  To: netfilter

For days now I've been trying to figure out how to recompile my Redhat
2.4.20-24.9 kernel to allow masquerading IPSec ESP traffic.  I ran the
much-vaunted "grep -i masq /proc/ksyms" and to my chagrin got nothing back,
but on a lark decided I'd try "iptables -A FORWARD -t nat -i ppp0 -p esp -j
ACCEPT" just to see if it would fly and it did.  Of course.  And now you're
all laughing at me.

Where is this documented, that gre, esp, ah, and the like are acceptable
protocols?  The docs mention icmp, tcp, and udp only.

Is there such a document, or have I discovered a particular cover of the
netfilter doc-hole?

Ian




* RE: Argh!  I'm kicking myself
From: Aldo S. Lagana @ 2003-12-19 20:59 UTC (permalink / raw)
  To: 'Ian Hunter', netfilter

I KNOW you could always have used the protocol numbers, but the names may have
been implemented recently. As far as where it is documented: the
FreeS/WAN docs talk about the types of rules which you will need in
iptables.


* Re: Argh!  I'm kicking myself
From: pheusion @ 2003-12-19 21:33 UTC (permalink / raw)
  To: Ian Hunter; +Cc: netfilter

Not sure I follow...

AH (51) and ESP (50) are IPsec traffic; as long as you have that module you
should be all set (FreeS/WAN).


* Re: Argh!  I'm kicking myself
From: pheusion @ 2003-12-19 21:39 UTC (permalink / raw)
  To: Ian Hunter; +Cc: netfilter

Wait, I think I understand the question now.
(Correct me if I am wrong.)

If you have the match modules enabled, then that would be what
allows you to include AH/ESP match support. There was a patch for
this, but it might be included with distros.


* Re: Argh!  I'm kicking myself
From: Ramin Dousti @ 2003-12-19 22:06 UTC (permalink / raw)
  To: Ian Hunter; +Cc: netfilter

On Fri, Dec 19, 2003 at 03:42:21PM -0500, Ian Hunter wrote:

> For days now I've been trying to figure out how to recompile my Redhat
> 2.4.20-24.9 kernel to allow masquerading IPSec ESP traffic.  I ran the

"allow masquerading IPSec ESP traffic" ?? Or just allow forwarding the
IPsec traffic?

> much-vaunted "grep -i masq /proc/ksyms" and to my chagrin got nothing back,
> but on a lark decided I'd try "iptables -A FORWARD -t nat -i ppp0 -p esp -j
> ACCEPT" just to see if it would fly and it did.  Of course.  And now you're
> all laughing at me.
> 
> Where is this documented, that gre, esp, ah, and the like are acceptable
> protocols?  The docs mention icmp, tcp, and udp only.

Which doc?

> 
> Is there such a document, or have I discovered a particular cover of the
> netfilter doc-hole?

man iptables:

...
       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check. The specified
              protocol can be one of tcp, udp, icmp, or all, or it can be a
              numeric value, representing one of these protocols or a different
              one. A protocol name from /etc/protocols is also allowed. A "!"
              argument before the protocol inverts the test. The number zero is
              equivalent to all. Protocol all will match with all protocols and
              is taken as default when this option is omitted.
...

Ramin

> Ian
> 
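The `-p` semantics in the man page excerpt Ramin quotes can be checked with a small resolver. The following is an added example for this thread, not code from any of the posters or from the netfilter/iptables project: it parses a constructed `/etc/protocols` excerpt, resolves a `-p` argument the way the man page describes (the built-in names tcp/udp/icmp/all, a numeric value with zero meaning all, any name or alias from `/etc/protocols`, and `!` inversion), and renders filter-table FORWARD rules for ESP and AH with the protocol written as its number. The sample file contents, the function names and the `render_rule` helper are assumptions of this example; a rule with `-p` omitted would match every protocol, so the resolver rejects unknown names instead of letting them fall through.

```python
"""Resolve iptables -p protocol arguments as the man page excerpt describes.
Added example for this thread; not netfilter or iptables code."""

# Constructed excerpt in /etc/protocols layout: name  number  aliases  # comment
SAMPLE_ETC_PROTOCOLS = """\
# Internet (IP) protocols -- constructed excerpt for this example
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # General Routing Encapsulation
esp     50      IPSEC-ESP       # Encap Security Payload
ah      51      IPSEC-AH        # Authentication Header
"""

# Names the man page says iptables accepts without consulting /etc/protocols.
BUILTIN_NAMES = {"tcp": 6, "udp": 17, "icmp": 1, "all": 0}


def parse_protocols(text):
    """Map every name and alias in /etc/protocols text to its number (lower-cased)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue                             # malformed line: skip, never guess
        number = int(fields[1])
        for name in (fields[0], *fields[2:]):    # official name plus aliases
            table[name.lower()] = number
    return table


def resolve_protocol(arg, table):
    """Return (protocol_number, inverted) for a -p argument, or raise ValueError.

    Built-in names and numeric values are accepted first, then names from the
    /etc/protocols table. Unknown names are an error, not a silent 'all'.
    """
    inverted = arg.startswith("!")               # "[!] protocol" per the man page
    name = arg.lstrip("!").strip().lower()
    if name in BUILTIN_NAMES:
        return BUILTIN_NAMES[name], inverted
    if name.isdigit():
        number = int(name)
        if number > 255:
            raise ValueError(f"protocol number out of range: {number}")
        return number, inverted                  # zero is equivalent to 'all'
    if name in table:
        return table[name], inverted
    raise ValueError(f"unknown protocol name: {name!r}")


def is_valid_protocol(arg, table):
    """True when resolve_protocol() accepts the argument."""
    try:
        resolve_protocol(arg, table)
        return True
    except ValueError:
        return False


def render_rule(chain, in_iface, proto_arg, target, table):
    """Render one filter-table rule with the protocol resolved to its number.

    The protocol argument is mandatory here because an omitted -p matches all.
    """
    number, inverted = resolve_protocol(proto_arg, table)
    proto = f"-p ! {number}" if inverted else f"-p {number}"
    return f"iptables -A {chain} -i {in_iface} {proto} -j {target}"


def ipsec_forward_rules(in_iface, table):
    """Rules that let ESP and AH through the FORWARD chain from one interface."""
    return [render_rule("FORWARD", in_iface, p, "ACCEPT", table) for p in ("esp", "ah")]


if __name__ == "__main__":
    protocols = parse_protocols(SAMPLE_ETC_PROTOCOLS)
    for rule in ipsec_forward_rules("ppp0", protocols):
        print(rule)
```

Run against a real `/etc/protocols` (read the file instead of the constructed string) the same resolver reproduces what iptables does when it is handed `esp`, `ah` or `gre`: the name is looked up in the file, so no extra module is needed for the protocol match itself.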

