
### How to set iptables for IPSec tunnel?


I want to set up firewall protection with iptables to support IPSec ESP
tunnels. That is, the firewall will drop anything from any host if it
is not from an established IPSec ESP tunnel. And it will accept
anything if it's from an IPSec tunnel.

I tried:

```sh
iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP

iptables -A INPUT -i eth0 -j my-fw
```

Then I tried to ping from one end of the tunnel to the other end of
the tunnel and ping didn't go through. I needed to modify my rules as
below to make it work:

```sh
iptables -N my-fw
iptables -A my-fw -p esp -j ACCEPT
iptables -A my-fw -p icmp -j ACCEPT
iptables -A my-fw -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -p tcp --sport 500 --dport 500 -j ACCEPT
iptables -A my-fw -j DROP

iptables -A INPUT -i eth0 -j my-fw
```

That is, I also need to open up ICMP to make ping work. But if I open
up ICMP, I cannot prevent pings from hosts that are outside my IPSec
tunnels. This defeats my purpose.

So if my purpose is to allow "anything" within the tunnel and
disallow/drop anything outside the IPSec tunnels, how should I set up
the iptables rules?

Eric

Reply eric5931 (6) 1/9/2010 12:05:56 AM
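The rules posted above are missing one piece. IKE, the key exchange that brings the tunnel up, runs over UDP port 500 (and UDP 4500 when NAT traversal is in use), not TCP 500. More importantly, after the kernel decrypts an incoming ESP packet, the inner plaintext packet (the ICMP echo here) traverses the INPUT chain a second time, which is why a plain `-p icmp` rule was needed. The iptables `policy` match (`-m policy --dir in --pol ipsec`) matches exactly those decrypted packets, so plaintext ICMP from hosts outside the tunnel can still be dropped. The script below is an added example, not code from this thread; it assumes the outside interface is eth0 (overridable through WAN_IF), prints the rules as text for review by default, and executes them only when APPLY=1 is set. The chain name `ipsec-fw` and the helper function names are my own.

```sh
#!/bin/sh
# Added example: an INPUT policy that accepts only traffic which arrived
# inside an IPsec ESP tunnel, plus the IKE/ESP control traffic needed to
# establish that tunnel. Not code from the original thread.
# Assumptions: outside interface is eth0 unless WAN_IF is set; the kernel
# provides the xt_policy match (mainline since 2.6.16); run as root with
# APPLY=1 to install the rules, otherwise they are only printed.

WAN_IF="${WAN_IF:-eth0}"

# Emit one iptables command: print it in dry-run mode, execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

ipsec_only_input() {
    ipt -N ipsec-fw
    # IKE (UDP 500) and NAT-T (UDP 4500): the tunnel cannot be negotiated
    # without these, and they are authenticated by IKE itself.
    ipt -A ipsec-fw -p udp --dport 500 -j ACCEPT
    ipt -A ipsec-fw -p udp --dport 4500 -j ACCEPT
    # The encrypted ESP packets as they arrive on the wire.
    ipt -A ipsec-fw -p esp -j ACCEPT
    # The decrypted inner packets re-enter INPUT; the policy match accepts
    # only packets that were protected by an inbound IPsec ESP SA, so a
    # plaintext ping from outside the tunnel never matches here.
    ipt -A ipsec-fw -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Everything else from the outside interface is dropped.
    ipt -A ipsec-fw -j DROP
    ipt -A INPUT -i "$WAN_IF" -j ipsec-fw
}

# Review helper for dry-run mode: number of plaintext accept rules that are
# gated on the IPsec policy match (expected: 1, the only non-control accept).
count_policy_matches() {
    ipsec_only_input | grep -c -- '--pol ipsec'
}

# Entry point: print the rule set, or install it when APPLY=1.
ipsec_only_input
```

Run it once without APPLY to review the generated commands, then with `APPLY=1` as root. After the tunnel is up, `ip xfrm state` and `ip xfrm policy` show the negotiated SAs and policies; a ping from the peer across the tunnel should succeed while a ping from any host outside the tunnel is dropped by the final DROP rule. Running the install twice will fail on the duplicate `-N ipsec-fw`, so flush or delete the chain first when re-applying.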


On Fri, 08 Jan 2010 16:05:56 -0800, eric5931 wrote:

> I want to setup firewall protection with iptables to support IPSec ESP
> tunnels. That is, the firewall will drop anything from any host if it
> is not from an established IPSec ESP tunnel. And it will accept
> anything if it's from an IPSec tunnel.

Use a SESSION Based firewall for starters.
Then use INTERFACES also in your iptables firewall.

Take a look at this tutorial:

http://www.zoominternet.net/~lazydog/iptables-tutorial.html

--

Regards
Robert

Linux User #296285
http://counter.li.org

