netfilter.vger.kernel.org archive mirror
From: abhijit <strongcofi@gmail.com>
To: netfilter@vger.kernel.org
Subject: GRE over IPsec -- filtering raw GRE packets?
Date: Thu, 15 Apr 2010 11:11:30 -0700
Message-ID: <l2g74db4fb71004151111qba00cb2lf463f3daf5b6b043@mail.gmail.com>

hi,

I have a simple GRE/IPsec config between two hosts (2.6.32 kernel,
iptables ver. 1.3.5). I have a GRE tunnel set up between the hosts and
have IPsec auth+encrypt the GRE traffic (only) in transport mode.

I'd like to ensure that no unencrypted GRE packets are sent (and
accepted) over the physical network; only IPsec-encapsulated ones
should be, i.e. no GRE pkts should ever be seen on the physical wire
(outgoing).

My filter table chains look like this:
----------
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   328 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
....

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
...

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
....
-----------

The above configuration does NOT work (I thought it would ;-).

It only works when I open up protocol 47 (GRE) on eth0 (on both the INPUT
and OUTPUT chains). But that may cause naked GRE pkts to be sent out on
eth0 (due to some misconfiguration with IPsec or something else).

Is there a way I can prevent this from happening via iptables?

And secondly, I am a bit confused about the input+output path taken by GRE
packets. Can someone please outline that path (w.r.t. iptables)? It
seems that with the GRE/IPsec config, the packet makes two passes over the
netdevice (as my packet counters tell me). I was expecting just one
pass (and hence my initial, above-listed config -- which did not work
:-)

Thanks!
abhijit


PS: I am not subscribed to this list. Please do Cc: me on the replies -- thanks!
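An added example, not part of the original message and not from the netfilter project: the question above (accept GRE only when it is IPsec-protected, while keeping protocol 47 open so the tunnel works) is what the iptables `policy` match (xt_policy, `-m policy`) is for. The script below emits such a ruleset and also audits a saved ruleset (in `iptables -S` format) for GRE ACCEPT rules that lack a policy match. Assumptions, all mine: the interface is eth0, a transport-mode SA exists between the two hosts, and the kernel and iptables build ship the policy match. The listing above shows only AH; ESP rules are included here in case encryption is in use.

```shell
#!/bin/sh
# Added example (not from the original mail): accept GRE (IP protocol 47) on
# the wire only when the packet is protected by IPsec, using "-m policy".
# Assumed: interface eth0, transport-mode IPsec between the two hosts,
# kernel/iptables with the policy match (xt_policy) available.

# Emit the rules as iptables commands for interface $1.
# INPUT: the AH/ESP packet is accepted on its first pass; after decapsulation
# the inner GRE packet makes a second pass and "--dir in --pol ipsec" only
# matches if it really came out of an IPsec SA.
# OUTPUT: the plaintext GRE packet is seen before the transform; "--dir out
# --pol ipsec" only matches if the route carries an IPsec policy, so GRE that
# would leave unprotected (e.g. a broken IPsec config) falls through to DROP.
gre_ipsec_rules() {
    iface="$1"
    cat <<EOF
iptables -A INPUT -i $iface -p ah -j ACCEPT
iptables -A INPUT -i $iface -p esp -j ACCEPT
iptables -A OUTPUT -o $iface -p ah -j ACCEPT
iptables -A OUTPUT -o $iface -p esp -j ACCEPT
iptables -A INPUT -i $iface -p gre -m policy --dir in --pol ipsec -j ACCEPT
iptables -A OUTPUT -o $iface -p gre -m policy --dir out --pol ipsec -j ACCEPT
iptables -A INPUT -i $iface -p gre -j DROP
iptables -A OUTPUT -o $iface -p gre -j DROP
EOF
}

# Audit a ruleset in "iptables -S" format on stdin: print every rule that
# accepts GRE (-p gre or -p 47) without a "-m policy ... --pol ipsec" match,
# i.e. a rule that would let naked GRE through. Returns 1 if any was found.
# Usage on a live box (as root): iptables -S | audit_gre_rules
audit_gre_rules() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-p gre "*"-j ACCEPT"*|*"-p 47 "*"-j ACCEPT"*)
                case "$rule" in
                    *"-m policy "*"--pol ipsec"*) ;;
                    *) printf 'unprotected GRE rule: %s\n' "$rule"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Print the rules; pipe them to sh (as root) to apply: sh this.sh | sh
gre_ipsec_rules "${IFACE:-eth0}"
```

The rules must sit before any broader ACCEPT in the same chains. The two passes seen in the counters are expected: inbound, the AH/ESP packet traverses PREROUTING and INPUT once, the kernel strips the IPsec header, and the inner GRE packet is re-injected and traverses PREROUTING and INPUT again, still with in=eth0, which is why protocol 47 has to be accepted on INPUT and why the policy match on that second pass is the right place to enforce "IPsec only". Outbound, OUTPUT sees the plaintext GRE packet before the xfrm transform (hence protocol 47 must be accepted there too), and the transformed AH/ESP packet then passes POSTROUTING.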
