New extension: CRYPT target
m at rtij.nl
Sun May 21 19:51:17 CEST 2006
Gervasio Bernal wrote:
>After some months of development we have finished this new extension.
>CRYPT is a new target extension for Netfilter/Iptables that enables the
>user to encrypt, decrypt and authenticate any IP protocol traffic using
>the Linux Cryptographic API.
>For example, if you want to encrypt FTP (TCP) traffic between host A and
>host B, you can do as follows:
>(on host A, 126.96.36.199, FTP client)
># iptables -t mangle -A POSTROUTING -d 188.8.131.52 -p tcp --dport 20:21 -j
>CRYPT --cipher blowfish --key topsecret --mode ecb --direction encrypt
># iptables -t mangle -A PREROUTING -s 184.108.40.206 -p 206 -j CRYPT --cipher
>3des --key topsecretkeyinascii12345 --mode cbc --direction decrypt
Minor criticism, this will not catch the data channels of ftp, only the
control channel. Active ftp uses a *source* port of 20, passive ftp
(which is more common nowadays) uses whatever port range the server uses
for data channels (typically something like 30000-31000).
Does --mode cbc use the iv from the last packet? If not, this seems like
a false sense of security. Protocols that use lots of small packets will
still more or less have the drawbacks of ecb.