Re: [OT] Connection tracking for IPSec

From: Andrew McGregor
Date: Wed Aug 20 2003 - 17:18:00 EST

--On Wednesday, August 20, 2003 04:16:28 PM +0200 Felipe Alfaro Solana <felipe_alfaro@xxxxxxxxxxxxx> wrote:


> Well, I'm using IPSec on two machines and both of them are end hosts.
> They are *not* working as routers. My netfilter rules are:

Ah. OK. You want to do that *inside* the tunnels.

> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- localhost.localdomain anywhere
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> The problem is that if I enable IPSec on both machines by using manual,
> preshared keys, no traffic will pass through both firewalls, as I need
> to open up protocols 50 and 51 (AH and ESP).

Which makes sense so far.

> The problem here is that opening up protocols 50 and 51 makes *any*
> IPSec-protected traffic pass the firewall, but I still want the
> connection-tracking filters applied to any traffic (IPSec-protected or
> not). For normal (no IPSec) traffic, an incoming packet is only
> accepted if it belongs to a connection that was initiated locally. For
> IPSec traffic, I just want the same. I don't want any kind of
> IPSec-protected traffic to be able to pass through the firewall, only
> traffic that belongs to a connection that was initiated locally on the
> machine receiving it.

It doesn't make sense for this configuration to fail in this way, I agree.

Essentially, the ESP and AH transforms should be a magic netfilter rule, so you can insert them in a netfilter chain and do this sort of thing. If they aren't, we should at least have the input and output chains traversed by packets both before and after the transforms.

The issue exists, I'm convinced. Dang, I'm going to run into it too one day soon. Another thing that needs looking at, in case no one else fixes it first.

> End note: an incoming packet should be accepted by the firewall if and
> only if there is a corresponding connection (be it TCP, UDP or ICMP)
> that was first initiated locally on that machine. For example, for any
> incoming TCP packet to traverse the firewall, first there must have been
> a packet with the SYN flag that travelled in the opposite direction. I
> want this to work for normal traffic (it does work now) and for
> IPSec-protected traffic.
>
> Did I explain it clearly?

Yes, you did.

> Thanks again!

You're welcome,

Andrew
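The behaviour the thread asks for (connection tracking applied to the decapsulated IPsec traffic, not just a blanket accept of protocols 50 and 51) is what Andrew's "chains traversed both before and after the transforms" amounts to, and it is what the native xfrm stack in current kernels does: the outer ESP/AH datagram passes PREROUTING/INPUT once, and the decapsulated inner packet passes them again as an ordinary TCP/UDP/ICMP packet. The ruleset below is an added example written for this page, not code from either poster; it assumes such a kernel and an iptables build with the `xt_policy` match (`-m policy`), and `PEER` is a placeholder address for the other end host. The policy match makes the two passes explicit and also refuses cleartext from the peer, which the original rules could not express.

```shell
#!/bin/sh
# Added example for the thread above; not code from either poster.
# Assumptions: a current Linux kernel with the native xfrm IPsec stack, where a
# decapsulated ESP/AH packet re-enters the PREROUTING and INPUT hooks as a
# normal TCP/UDP/ICMP packet, and an iptables build with the xt_policy match
# (-m policy). PEER is a placeholder for the other end host (TEST-NET-1 address).
PEER="${PEER:-192.0.2.2}"

# Emit the host firewall in iptables-restore format. An IPsec-protected packet
# traverses INPUT twice: once as the outer ESP/AH datagram (no security path
# yet, so "--pol none") and once after decapsulation ("--pol ipsec").
# Cleartext traverses it once. The conntrack rule at the end is what decides
# in both cases, exactly as it does for unprotected traffic.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# pass 1: let the outer ESP/AH datagram from the peer reach the xfrm layer
-A INPUT -s $PEER -p esp -m policy --dir in --pol none -j ACCEPT
-A INPUT -s $PEER -p ah -m policy --dir in --pol none -j ACCEPT
# anything else from the peer that did not arrive through IPsec is refused
-A INPUT -s $PEER -m policy --dir in --pol none -j DROP
# pass 2 for decapsulated packets, and the only pass for cleartext: accept only
# if the connection was initiated from this host. The conntrack entry is created
# when the cleartext packet leaves through OUTPUT, before it is encrypted.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically; needs root and a kernel with nf_conntrack.
apply() {
    ruleset | iptables-restore
}

# Count INPUT rules that accept a protocol outright, with neither a conntrack
# state test nor a policy restriction: the blanket "open ESP/AH" rules the
# thread complains about. A ruleset shaped like the one above yields 0.
count_blanket_accepts() {
    ruleset | grep -- '^-A INPUT' | grep -v -- '-m conntrack' \
        | grep -v -- '-m policy' | grep -v -- '-i lo' \
        | grep -c -- '-j ACCEPT' || true
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run the script with `apply` as its only argument to load the rules; with no argument it only defines the functions, so `ruleset` can be inspected first. The ESP/AH accepts are deliberately restricted to `-s $PEER` so that opening protocols 50 and 51 does not become an invitation for arbitrary hosts to talk to the xfrm layer.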
