Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261987AbTHTOlu (ORCPT ); Wed, 20 Aug 2003 10:41:50 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261989AbTHTOlu (ORCPT ); Wed, 20 Aug 2003 10:41:50 -0400 Received: from mx02.qsc.de ([213.148.130.14]:37059 "EHLO mx02.qsc.de") by vger.kernel.org with ESMTP id S261987AbTHTOls (ORCPT ); Wed, 20 Aug 2003 10:41:48 -0400 Date: Wed, 20 Aug 2003 16:43:04 +0200 From: Wiktor Wodecki To: Felipe Alfaro Solana Cc: LKML Subject: Re: [OT] Connection tracking for IPSec Message-ID: <20030820144304.GC725@gmx.de> Reply-To: Johoho References: <1061378568.668.9.camel@teapot.felipe-alfaro.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="nVMJ2NtxeReIH9PS" Content-Disposition: inline In-Reply-To: <1061378568.668.9.camel@teapot.felipe-alfaro.com> X-message-flag: Linux - choice of the GNU generation X-Operating-System: Linux 2.6.0-test3-O16.2 i686 X-PGP-KeyID: 182C9783 X-Info: X-PGP-KeyID, send an email with the subject 'public key request' to wodecki@gmx.de User-Agent: Mutt/1.5.4i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2085 Lines: 60 --nVMJ2NtxeReIH9PS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 20, 2003 at 01:22:49PM +0200, Felipe Alfaro Solana wrote: > I'm starting with IPSec right now. To make it work, I must open up > protocols 50 and 51 to pass across my Linux firewalls, but I want to use > connection tracking much like I do when not using IPSec. >=20 > For example, >=20 > iptables -A INPUT -m state --state RELATED,ESTABLISHED >=20 > When using IPSec, if I open up protocols 50 and 51, all IPSec-protected > traffic passes through the firewall, but it's not checked against the > connection tracking module. How can I configure iptables so an > IPSec-protected packet, after being classified as IP protocol 50 or 51, > loop back one more time to pass through the connection tracking module? >=20 > I don't want to set up IPSec to get addititional protection by using AH > and ESP and then let any machine talking IPSec pass entirely through my > firewall ignoring the rest of rules. you can use iptables to open proto 50 and 51 to specific ip's, too: iptables -A INPUT -i eth0 -p 50 -s n.n.n.n -j ACCEPT iptables -A INPUT -i eth0 -p 51 -s n.n.n.n -j ACCEPT iptables -A INPUT -i eth0 -p 51 -s n.m.n.n -j DROP this will work. If you want netfilter to fully recognize ipsec states you have to do it yourself, afaik there is no ipsec support for the statefull/conntrack system. But you are better of asking here: netfilter-devel@lists.samba.org --=20 Regards, Wiktor Wodecki --nVMJ2NtxeReIH9PS Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/Q4j46SNaNRgsl4MRAiD7AJ4sowB2ySQYk3IbWMRYzScEzCRsMQCgwyhV O2ePEkPJCbAU5W+x1F3ut6M= =B2py -----END PGP SIGNATURE----- --nVMJ2NtxeReIH9PS-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/