Well, I'm using IPSec on two machines and both of them are end hosts.
They are *not* working as routers. My netfilter rules are:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- localhost.localdomain anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The problem is that if I enable IPSec on both machines by using manual,
preshared keys, no traffic will pass through both firewalls, as I need
to open up protocols 50 and 51 (AH and ESP).
The problem here is that opening up protocols 50 and 51, makes *any*
IPSec-protected traffic to pass the firewall, but I still want that any
traffic (IPSec-protected or not) be applied the connection-track
filters. For normal (no IPSec) traffic, an incoming packet is only
accepted if it belongs to a connection that was initiated locally. For
IPSec traffic, I just want the same. I don't want any kind of
IPSec-protected traffic to be able to pass through the firewall, only
traffic that belongs to a connection that was initiated locally on the
machine receiving it.
End note: an incoming packet should be accepted by the firewall if and
only if there is a corresponding connection (let it be TCP, UDP or ICMP)
that was first initiated locally on that machine. For example, for any
incoming TCP packet to traverse the firewall, first there must have been
a packet with the SYN flag that travelled in the opposite direction. I
want this to work for normal traffic (it does work now) and for
IPSec-protected traffic.
Did I explain it clearly?
Thanks again!