Mailing List Archive: iptables: User

IPSec rules

jimm at simutronics

Mar 28, 2003, 8:52 AM

Post #1 of 3 (888 views)
Permalink
IPSec rules

Hello everyone =)

I have reviewed a few posts about how to setup rules to allow IPSec. I sure
would appreciate a peer review of my rules for IPSec traffic before putting
them into general use. Of course, this is not my whole rule set, just the
IPSec aspects. I'm not doing NAT on the inside (we're lucky enough to have
a few class 'C's to use around here). And for simplicity I'm trusting
roadwarriors and not limiting the source of IPSec traffic.
eth1 = untrusted side
eth0 = trusted side

INPUT:
$IPTABLES -A INPUT -i eth1 -p 50 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p 51 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p UDP --dport 500 -j ACCEPT

FORWARD:
$IPTABLES -A FORWARD -i eth0 -o ipsec+ -j ACCEPT
$IPTABLES -A FORWARD -i ipsec+ -o eth0 -j ACCEPT

OUTPUT:
$IPTABLES -A OUTPUT -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -p 51 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT



Thanks everyone,
--jim


rreid at studio3arc

Mar 28, 2001, 9:57 AM

Post #2 of 3 (846 views)
Permalink
RE: IPSec rules [In reply to]

> ce of IPSec traffic. eth1 = untrusted side eth0 = trusted side
>
> INPUT:
> $IPTABLES -A INPUT -i eth1 -p 50 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p 51 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p UDP --dport 500 -j ACCEPT
>
> FORWARD:
> $IPTABLES -A FORWARD -i eth0 -o ipsec+ -j ACCEPT
> $IPTABLES -A FORWARD -i ipsec+ -o eth0 -j ACCEPT
>
> OUTPUT:
> $IPTABLES -A OUTPUT -p 50 -j ACCEPT
> $IPTABLES -A OUTPUT -p 51 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT

Looks good, that's pretty much what I have, 'cept I actually specify ah
and esp for my protocol. Don't forget not to masquerade outgoing
packets through your VPN. Since I have a net-to-net connection that is
fairly definite, I only allow connections from my trusted hosts.


blancher at cartel-securite

Mar 28, 2003, 9:45 AM

Post #3 of 3 (845 views)
Permalink
Re: IPSec rules [In reply to]

On Fri 28/03/2003 at 16:52, James Miller wrote:
> I have reviewed a few posts about how to setup rules to allow IPSec. I sure
> would appreciate a peer review of my rules for IPSec traffic before putting
> them into general use.
[...]
> INPUT:
> $IPTABLES -A INPUT -i eth1 -p 50 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p 51 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p UDP --dport 500 -j ACCEPT

You can harden this one by requiring the source port to also be 500.

[...]
> OUTPUT:
> $IPTABLES -A OUTPUT -p 50 -j ACCEPT
> $IPTABLES -A OUTPUT -p 51 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp -m udp --dport 500 -j ACCEPT

You can also add the output interface using "-o eth1" and specify the source
port for the last rule.

Matching state is not useful if both sides are likely to initiate the IPSEC
tunnel.

--
Cédric Blancher <blancher [at] cartel-securite>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
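The original rule set with both reviewers' points applied (ESP/AH by name, IKE pinned to source and destination port 500, "-o eth1" on OUTPUT, peers restricted for a net-to-net tunnel, and tunnel traffic exempted from masquerading), as an added example that is not part of the thread. It assumes the interface names from the post; PEERS holds constructed TEST-NET-1 addresses, and by default the script only echoes the iptables commands so the result can be read without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPTABLES=iptables to apply for real;
# the default prints each rule instead of loading it.
IPTABLES="${IPTABLES:-echo iptables}"
UNTRUSTED=eth1            # untrusted side, as in the original post
TRUSTED=eth0              # trusted side, as in the original post
PEERS="${PEERS:-192.0.2.1 192.0.2.2}"   # constructed remote gateway addresses

ipsec_rules() {
    for peer in $PEERS; do
        # IKE: both ports pinned to 500, interface given on INPUT and OUTPUT,
        # and only the known peers may talk to the gateway at all.
        $IPTABLES -A INPUT  -i "$UNTRUSTED" -s "$peer" -p udp --sport 500 --dport 500 -j ACCEPT
        $IPTABLES -A OUTPUT -o "$UNTRUSTED" -d "$peer" -p udp --sport 500 --dport 500 -j ACCEPT
        # ESP (protocol 50) and AH (protocol 51) by name instead of number.
        for proto in esp ah; do
            $IPTABLES -A INPUT  -i "$UNTRUSTED" -s "$peer" -p "$proto" -j ACCEPT
            $IPTABLES -A OUTPUT -o "$UNTRUSTED" -d "$peer" -p "$proto" -j ACCEPT
        done
    done
    # Decrypted traffic between the trusted LAN and the ipsec+ tunnel interfaces.
    $IPTABLES -A FORWARD -i "$TRUSTED" -o ipsec+ -j ACCEPT
    $IPTABLES -A FORWARD -i ipsec+ -o "$TRUSTED" -j ACCEPT
    # Packets headed into the tunnel must not be masqueraded: an ACCEPT in
    # nat/POSTROUTING exempts them from any MASQUERADE rule appended after it.
    $IPTABLES -t nat -A POSTROUTING -o ipsec+ -j ACCEPT
}

# Self-check helper: how many emitted rules contain a given fragment.
count_rules_matching() {
    ipsec_rules | grep -c -- "$1"
}

ipsec_rules
```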
