Iptables and ipsec
Richard Guy Briggs
Fri, 28 Jul 2000 23:23:49 -0400
On Fri, Jul 28, 2000 at 10:48:35PM -0400, Steve Moro wrote:
> What does the $TABLE represent and what is the last rule -p 17..
> What does that stand for?
$TABLE represents the name of the table into which these rules are to
be inserted. '-p 17' represents IP protocol #17 which is UDP. These
numbers are all listed in RFC1700. I really hope you are using a test
jig to set up and test IPSEC with the new firewalling rules you are
trying to concoct here before you deploy this on a real live network
with real live sensitive traffic going across it. Are you using
FreeS/WAN, something else on Linux or another platform entirely? If
you are using FreeS/WAN, start with 'lynx doc/index.html' from the
FreeS/WAN root directory once you have unpacked the source. A lot of
these questions are answered in that fine documentation.
> > -----Original Message-----
> > From: email@example.com [mailto:firstname.lastname@example.org] On
> > Behalf Of Andre' Breiler
> > Sent: Friday, July 28, 2000 5:41 PM
> > To: Ury Tkachenko
> > Cc: Multiple recipients of list NETFILTER
> > Subject: Re: Iptables and ipsec
> > On Fri, 28 Jul 2000, Ury Tkachenko wrote:
> > > Does iptables 1.1.1 support IPSEC forwarding?
> > Yes, it works.
> > > The following is required for IPSEC to function:
> > > 1) IP Protocol 50 (ESP) and 51 (AH)
> > > 2) UDP Port 500 (ISAKMP)
> > >
> > > If it does support IPSEC forwarding, what would be the iptables
> > > rules that I need to write and do I have to turn anything special
> > > in the kernel for IPSEC to work.
> > No, nothing special is needed.
> > Rules (sorry, only typed from mind):
> > for ESP
> > iptables -A $TABLE -p 50 -j ACCEPT
> > for AH
> > iptables -A $TABLE -p 51 -j ACCEPT
> > for ISAKMP
> > iptables -A $TABLE -p 17 --sport 500 --dport 500 -j ACCEPT
> > Bye Andre'
> > --
> > eMail: A.Breiler@gmx.net
> > Type Bits/KeyID Date User ID
> > pub 2048/89D36175 1997/06/20 Andre' Breiler 2048 <A.Breiler@gmx.net> S
> > Key fingerprint = 8E 9E A2 F8 29 27 CC 94 10 44 0E 40 7A C9 33
slainte mhath, RGB
Richard Guy Briggs -- PGP key available Auto-Free Ottawa! Canada
Prevent Internet Wiretapping! -- FreeS/WAN:<www.freeswan.org>
Thanks for voting Green! -- <green.ca> Marillion:<www.marillion.co.uk>
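The three rules quoted above (ESP, AH and ISAKMP on UDP 500), written up as a small script. This is an added example, not code from the thread or from FreeS/WAN. It keeps the thread's conventions (the chain name passed as $TABLE, numeric protocols 50, 51 and 17) and adds one thing the thread does not: an optional pair of peer addresses, so the rules can be pinned to the two IPsec gateways in both directions instead of accepting those protocols from anywhere. The variable IPTABLES defaults to "echo iptables", so running it only prints the rules; set IPTABLES=iptables and run as root to actually insert them.

```shell
#!/bin/sh
# Added example: emit (or apply) the netfilter rules that let IPsec traffic
# through a chain. Based on the rules posted in the thread; the peer pinning
# is this example's own addition.

# Default to printing the rules; export IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# ipsec_allow CHAIN [PEER_A PEER_B]
#   CHAIN          the table/chain to append to, e.g. FORWARD (the $TABLE of the thread)
#   PEER_A PEER_B  optional: the two IPsec gateways; rules are emitted for
#                  A->B and B->A. Without them the rules match any source
#                  and destination, exactly as in the thread.
ipsec_allow() {
    chain=$1
    a=$2
    b=$3

    if [ -n "$a" ] && [ -n "$b" ]; then
        pairs="$a:$b $b:$a"
    else
        pairs="0.0.0.0/0:0.0.0.0/0"
    fi

    for pair in $pairs; do
        src=${pair%%:*}
        dst=${pair##*:}
        # IP protocol 50: ESP (encrypted payload)
        $IPTABLES -A "$chain" -s "$src" -d "$dst" -p 50 -j ACCEPT
        # IP protocol 51: AH (authentication header only)
        $IPTABLES -A "$chain" -s "$src" -d "$dst" -p 51 -j ACCEPT
        # IP protocol 17 (UDP), port 500 both ends: ISAKMP / IKE key exchange
        $IPTABLES -A "$chain" -s "$src" -d "$dst" -p 17 --sport 500 --dport 500 -j ACCEPT
    done
}

# Demo run: chain from $1 (default FORWARD), optional peers from $2 and $3.
# Addresses used here are documentation ranges, constructed for the example.
ipsec_allow "${1:-FORWARD}" "${2:-192.0.2.1}" "${3:-198.51.100.1}"
```

Usage: `sh ipsec-rules.sh FORWARD 192.0.2.1 198.51.100.1` prints six rules (three per direction); `IPTABLES=iptables sh ipsec-rules.sh FORWARD 192.0.2.1 198.51.100.1` applies them. Omit the peers to get the three wide-open rules from the thread, which is fine on a test jig but worth tightening before it sees real traffic. iptables also accepts `-p esp`, `-p ah` and `-p udp` in place of the numbers, since it resolves names through /etc/protocols.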