D&C GLug - Home Page


Re: [LUG] Openswan and iptables

 

Alex Charrett wrote:


Hi All,

I'm getting very confused with openswan and iptables. I've got my openswan connection established fine and I get encrypted packets going back and forth between the machines, but as soon as I bring iptables up on the server end it stops working. I'm guessing this is due to the lack of a distinct ipsec0 interface in openswan, unlike when it was still freeswan.


freeswan and openswan are identical in this respect; it's because you are using a 2.6.x kernel. ipsecN interfaces are the KAME stack (part of the freeswan project) that patched 2.4.x. 2.6.x has a native ipsec stack (KLIPS).


I'm allowing all the stuff I think I should be:
iptables -A INPUT -i eth1 -p 50 -j ACCEPT
iptables -A INPUT -i eth1 -p 51 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --destination-port 500 -j ACCEPT


Oh, you may also want to allow UDP 4500 for NAT-T connections.


And then rejecting anything else:
iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

Presumably in the old days, once the packets came in on ipsec0 they weren't affected by the firewall, but I can't see how to account for that now.


With the KLIPS ipsec stack (kernel 2.6.x+) this approach can no longer work. What happens is that the ESP packet appears on eth1, is decoded by the kernel, then injected back into the input of eth1, so the reject-all rules will then reject the decoded data.

The most effective solution I have found is packet marking using the iptables traffic shaping rules. I cheated a bit and used shorewall to do some of this, so you will have to cross-reference this with the iptables man page, but I marked all packets of type ESP on my eth0 (my incoming port) with a 1. Specifically, I added this to /etc/shorewall/tcrules:

#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER
1:P             ppp0            0.0.0.0/0       ESP
1:F             ppp0            0.0.0.0/0       ESP
1                $FW             0.0.0.0/0       ALL


This will mark all incoming packets with a 1; if the packet survives decryption it *still* has the mark of 1.
Then I added the following allow rules (these I placed in /etc/shorewall/start):

iptables -I all2all -i eth0 -d 0.0.0.0/0 -m mark --mark 1 -j ACCEPT
iptables -I all2all -o eth0 -d 0.0.0.0/0 -m mark --mark 1 -j ACCEPT

If you do use shorewall then you will need to add TC_ENABLED=yes to the main config file.

I think my marking of outgoing packets is non-optimal and a bit pointless, as I seem to be allowing everything out.

Regards

Robin

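The marking approach Robin describes, written out in plain iptables without Shorewall, as an added example that is not part of the original thread. It assumes the outside interface is eth1 and the mark value is 1 (both are parameters, matching the values used above), and it emits an iptables-restore ruleset so the result can be read before it is loaded. The IKE (UDP 500) and NAT-T (UDP 4500) rules from the thread are included, since those must pass before any SA exists; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements the fwmark technique:
# mark ESP/AH on arrival in mangle PREROUTING; the kernel decrypts the packet
# and re-injects the inner packet on the same interface still carrying the
# mark, so a single "-m mark" ACCEPT admits the decrypted traffic.
# Assumed parameters: interface name (eth1) and mark value (1).

gen_ipsec_rules() {
    iface="$1"   # interface the ESP/AH packets arrive on
    mark="$2"    # fwmark placed on the outer packet; kept on the inner packet
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# Mark the encrypted packets as they arrive on $iface.
-A PREROUTING -i $iface -p esp -j MARK --set-mark $mark
-A PREROUTING -i $iface -p ah -j MARK --set-mark $mark
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# IKE and NAT-T must be reachable before there is any SA to decrypt with.
-A INPUT -i $iface -p udp --dport 500 -j ACCEPT
-A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
# Both the outer ESP packet and the re-injected decrypted packet carry the mark.
-A INPUT -i $iface -m mark --mark $mark -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $iface -m mark --mark $mark -j ACCEPT
COMMIT
EOF
}

# Load the generated ruleset atomically (run as root). Preview it first with:
#   gen_ipsec_rules eth1 1
apply_ipsec_rules() {
    gen_ipsec_rules "$1" "$2" | iptables-restore
}

# Sanity check once a tunnel is up: the MARK rule in mangle/PREROUTING and the
# mark ACCEPT rule in INPUT should both show non-zero packet counters.
show_ipsec_counters() {
    iptables -t mangle -vnL PREROUTING | grep -i -- 'MARK'
    iptables -vnL INPUT | grep -i -- 'mark'
}
```

Note that the ruleset above sets INPUT and FORWARD to a default DROP policy, so any other services the gateway offers (SSH in particular) need their own ACCEPT rules added before COMMIT, or the box will be cut off when the rules are loaded. The mark rules deliberately match only on the arriving interface, so nothing else on the system can obtain mark 1 and slip past the filter. On kernels that ship the xt_policy match, `-m policy --dir in --pol ipsec` matches packets that were genuinely decrypted by an IPsec policy and does not depend on the mark surviving re-injection; it is the tighter check where it is available.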