Re: [OT] Connection tracking for IPSec

From: Felipe Alfaro Solana
Date: Wed Aug 20 2003 - 09:25:25 EST


On Wed, 2003-08-20 at 14:11, Christophe Saout wrote:
> On Wed, 2003-08-20 at 13:22, Felipe Alfaro Solana wrote:
>
> > When using IPSec, if I open up protocols 50 and 51, all IPSec-protected
> > traffic passes through the firewall, but it's not checked against the
> > connection tracking module. How can I configure iptables so that an
> > IPSec-protected packet, after being classified as IP protocol 50 or 51,
> > loops back one more time to pass through the connection tracking module?
>
> You're saying it's not honouring the netfilter rules at all?

No... What I'm saying is that normal IP traffic is processed by the
firewall. However, if the incoming traffic is protected with IPSec,
since I opened up protocols 50 and 51, the IPSec traffic is admitted
without passing any remaining firewall filters. The machine in question
is an end host (not a router).

I want something like this:

1. If an IPSec-protected IP packet arrives, then, since we're not operating
in tunnel mode (the machine is an end host and not a router), the IP
header contains the destination host and is readable. Since we're using
ESP and the packet is intended for us, decrypt the payload to get access
to the TCP/UDP/ICMP data.
2. Else, if the incoming packet is not IPSec-protected, the TCP/UDP/ICMP
payload is already in plaintext.
3. At this point, we have a plaintext TCP/UDP/ICMP payload.
4. If the incoming TCP/UDP/ICMP packet belongs to an existing
connection that was initiated locally, let the packet pass.
5. Else, the packet is silently discarded.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
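An INPUT chain that realises the five steps above, added here as an illustration and not taken from the thread. It assumes a Linux 2.6 end host with the native (xfrm) IPsec stack in transport mode, where a packet that was accepted as ESP/AH is decrypted and then re-injected into the input path, so the same chain sees it a second time as plain TCP/UDP/ICMP and the state match decides on the inner packet (the APPLY switch and the function names are this script's own; with FreeS/WAN-style KLIPS the decrypted packet would instead arrive on an ipsec0 interface and the rules would have to match on that).

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default (prints the commands);
# run with APPLY=1 to execute iptables for real.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

ipsec_host_input_rules() {
    run iptables -P INPUT DROP
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    # Steps 1/2: let ESP (50) and AH (51) reach the IPsec stack so the kernel can
    # decrypt/authenticate them. Nothing about the inner packet is decided here;
    # the decrypted packet is assumed to re-enter INPUT as a plain packet.
    run iptables -A INPUT -p esp -j ACCEPT
    run iptables -A INPUT -p ah -j ACCEPT
    # Steps 3/4: a plaintext packet (original or re-injected after decryption)
    # is admitted only if it belongs to a locally initiated connection.
    # Replies to locally initiated IKE (UDP 500) are covered by the same rule.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Step 5: everything else is silently dropped (policy DROP also covers it).
    run iptables -A INPUT -j DROP
}

# Number of rules appended to INPUT by the ruleset (useful for a dry-run check).
rule_count() {
    ipsec_host_input_rules | grep -c '^iptables -A INPUT'
}
```

Run the script as-is to review the generated commands, and with APPLY=1 as root to install them.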