Linux Netfilter discussions
* question about esp and policy matching rule
From: Richard Knight @ 2010-07-19  3:29 UTC (permalink / raw)
  To: netfilter


Hello,

 I don't fully understand the two rules below.

Since each of the rules is inserted at position 1 in the table, the ESP
rule ends up below the policy matching rule. Will the ESP rule ever be
checked?

# allow all ipsec traffic into and out
$IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
$IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
$IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j ACCEPT
$IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j ACCEPT

I have an application which does not seem to operate through my ipsec
tunnel without both rules in place, and I'm having trouble figuring out why.


Thank you in advance.

Jamie Knight (rjknight@us.ibm.com)
IBM Power Firmware Development
(512) 286-7017 (t/l 386-7017)
office 045/2A-01
IBM Austin, TX



* Re: question about esp and policy matching rule
From: Sergei Zhirikov @ 2010-07-19 11:14 UTC (permalink / raw)
  To: netfilter

On 2010-07-19 05:29, Richard Knight wrote:
>
> Hello,
>
>   I don't fully understand the two rules below.
>
> Since each of the rules is inserted at position 1 in the table, the ESP
> rule ends up below the policy matching rule. Will the ESP rule ever be
> checked?
>
> # allow all ipsec traffic into and out
> $IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
> $IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
> $IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j ACCEPT
> $IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j ACCEPT
>
> I have an application which does not seem to operate through my ipsec
> tunnel without both rules in place, and I'm having trouble figuring out why.
>

The order of those rules does not matter. They have different purposes and match different packets.

With IPSec involved, packets pass netfilter twice. For example, if you have an incoming ESP packet
that contains a UDP packet as payload, the following happens.

1. The ESP packet passes netfilter and matches the line with "-I INPUT -p esp"
2. The packet is decrypted and its payload (the UDP packet in this example) is processed further
3. The UDP packet passes netfilter and matches the line with "-I INPUT -m policy ...".

In other words, "-m policy" applies to packets after IPSec decapsulation (or before encapsulation, for outgoing packets).

--
Sergei.



* Re: question about esp and policy matching rule
From: Jan Engelhardt @ 2010-07-19 11:44 UTC (permalink / raw)
  To: Richard Knight; +Cc: netfilter

On Monday 2010-07-19 05:29, Richard Knight wrote:
>rule ends up below the policy matching rule, will the ESP rule ever be
>checked?

Yes; -m policy applies to the in-tunnel packets only.

># allow all ipsec traffic into and out
>$IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
>$IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
>$IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j ACCEPT
>$IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j ACCEPT


* Re: question about esp and policy matching rule
From: Richard Knight @ 2010-07-19 13:34 UTC (permalink / raw)
  To: netfilter



>
> Yes; -m policy applies to the in-tunnel packets only.
>

Ah, thanks. So, for instance, to block telnet through my tunnel I could add a
rule like this:

$IP6_TABLES -I INPUT  1 -i $EXIF -p tcp --destination-port 23 -m policy --dir in --pol ipsec -j REJECT





* Re: question about esp and policy matching rule
From: Jan Engelhardt @ 2010-07-19 16:06 UTC (permalink / raw)
  To: Richard Knight; +Cc: netfilter

On Monday 2010-07-19 15:34, Richard Knight wrote:
>>
>> Yes; -m policy applies to the in-tunnel packets only.
>
>Ah, thanks. So, for instance, to block telnet through my tunnel I could add a
>rule like this:
>
>$IP6_TABLES -I INPUT  1 -i $EXIF -p tcp --destination-port 23 -m policy
>--dir in --pol ipsec -j REJECT

For something as evil^W insecure as telnet, I'd drop the -m policy 
portion and just always block it, tunneled or not :-)
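The two-pass traversal Sergei describes above, and Jan's point about the telnet rule with and without "-m policy", as a small added model (not code from the thread or from netfilter): a first-match rule evaluator is run once over the outer ESP packet and once over the decapsulated payload, which is the only packet that carries the ipsec policy flag. Rule order, the chain's default policy and the sample packets are constructed here to mirror the poster's ip6tables lines.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                        # "esp", "udp", "tcp"
    dport: Optional[int] = None
    ipsec: bool = False               # True once decapsulated: what --pol ipsec sees
    inner: Optional["Packet"] = None  # ESP payload (filled in for the model)


@dataclass
class Rule:
    target: str                       # -j
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    policy: Optional[bool] = None     # -m policy --pol ipsec (None: match omitted)

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.policy is None or self.policy == p.ipsec))


def run_chain(rules: List[Rule], p: Packet, default: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (verdict, rule index, None = chain policy)."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.target, i
    return default, None


def deliver(rules: List[Rule], p: Packet, default: str = "DROP"):
    """Trace an inbound packet through INPUT. An accepted ESP packet is
    decrypted and its payload traverses INPUT again with ipsec=True."""
    trace = []
    while True:
        verdict, idx = run_chain(rules, p, default)
        trace.append((p.proto, verdict, idx))
        if verdict != "ACCEPT" or p.proto != "esp" or p.inner is None:
            return trace
        p = p.inner
        p.ipsec = True


# The poster's two INPUT rules, in the order the "-I 1" inserts leave them.
ESP_INPUT = [Rule("ACCEPT", policy=True),   # -m policy --dir in --pol ipsec -j ACCEPT
             Rule("ACCEPT", proto="esp")]   # -p esp -j ACCEPT
TELNET_IN_TUNNEL = Rule("REJECT", proto="tcp", dport=23, policy=True)  # Richard's rule
TELNET_ALWAYS = Rule("REJECT", proto="tcp", dport=23)                   # Jan's variant


def tunneled(proto: str, dport: int) -> Packet:
    """Constructed sample: an ESP packet carrying the given inner packet."""
    return Packet("esp", inner=Packet(proto, dport))
```

Reversing ESP_INPUT changes only which index matches, not the verdicts, which is the ordering point in the thread; a plain (untunneled) UDP packet matches neither rule and falls through to the chain policy.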


* Re: question about esp and policy matching rule
From: ratheesh k @ 2010-07-20 16:56 UTC (permalink / raw)
  To: Sergei Zhirikov; +Cc: netfilter

On Mon, Jul 19, 2010 at 4:44 PM, Sergei Zhirikov <sfzhi@yahoo.com> wrote:
> On 2010-07-19 05:29, Richard Knight wrote:
>>
>> Hello,
>>
>>  I don't fully understand the two rules below.
>>
>> Since each of the rules is inserted at position 1 in the table, the
>> ESP rule ends up below the policy matching rule. Will the ESP rule ever be
>> checked?
>>
>> # allow all ipsec traffic into and out
>> $IP6_TABLES -I INPUT  1 -i $EXIF -p esp -j ACCEPT
>> $IP6_TABLES -I OUTPUT 1 -o $EXIF -p esp -j ACCEPT
>> $IP6_TABLES -I INPUT  1 -i $EXIF -m policy --dir in  --pol ipsec  -j
>> ACCEPT
>> $IP6_TABLES -I OUTPUT 1 -o $EXIF -m policy --dir out --pol ipsec  -j
>> ACCEPT
>>
>> I have an application which does not seem to operate through my ipsec
>> tunnel without both rules in place, and I'm having trouble figuring out why.
>>
>
> The order of those rules does not matter. They have different purposes and
> match different packets.
>
> With IPSec involved, packets pass netfilter twice. For example, if you have
> an incoming ESP packet that contains a UDP packet as payload, the following
> happens.
>
> 1. The ESP packet passes netfilter and matches the line with "-I INPUT -p
> esp"
> 2. The packet is decrypted and its payload (the UDP packet in this example)
> is processed further
> 3. The UDP packet passes netfilter and matches the line with "-I INPUT -m
> policy ...".
>
> In other words, "-m policy" applies to packets after IPSec decapsulation (or
> before encapsulation, for outgoing packets).
>
> --
> Sergei.
>

After decapsulation, will the IP packet traverse the PREROUTING chain again?

-Ratheesh


* Re: question about esp and policy matching rule
From: Sergei Zhirikov @ 2010-07-21 13:46 UTC (permalink / raw)
  To: netfilter

On 2010-07-20 18:56, ratheesh k wrote:
>
> After decapsulation, will the IP packet traverse the PREROUTING chain again?
>

Do you mean the prerouting chain of "nat" table (as opposed to "mangle" or "raw" table)?

I don't know for sure, but I would think that yes. You could perform a simple experiment to know for sure.

When using tunnel mode the destination of an incoming encapsulated packet can be another host (usually in the local network), while the destination of the ESP packet is the machine where the IPSec tunnel ends, so those two are to be routed differently. I'm just thinking aloud, based more on my general understanding of IPSec than on knowledge of the implementation.

And don't forget that only the first packet in a connection is visible in the prerouting chain of the "nat" table.

--
Sergei.



* Re: question about esp and policy matching rule
From: Jan Engelhardt @ 2010-07-21 13:55 UTC (permalink / raw)
  To: Sergei Zhirikov; +Cc: netfilter

On Wednesday 2010-07-21 15:46, Sergei Zhirikov wrote:
> On 2010-07-20 18:56, ratheesh k wrote:
>>
>> After decapsulation, will the IP packet traverse the PREROUTING chain again?
>
> I don't know for sure, but I would think that yes. You could perform a simple
> experiment to know for sure.

As per http://jengelh.medozas.de/images/nf-packet-flow.png , yes it 
will. This also makes sense for transport mode, to strip the AH header 
or to decrypt ESP.

