Iptables and ipsec
Richard Guy Briggs
rgb@conscoop.ottawa.on.ca
Fri, 28 Jul 2000 23:23:49 -0400
On Fri, Jul 28, 2000 at 10:48:35PM -0400, Steve Moro wrote:
> What does the $TABLE represent and what is the last rule -p 17..
> What does that stand for?
$TABLE represents the name of the table into which these rules are to
be inserted. '-p 17' represents IP protocol #17 which is UDP. These
numbers are all listed in RFC1700. I really hope you are using a test
jig to set up and test IPSEC with the new firewalling rules you are
trying to concoct here before you deploy this on a real live network
with real live sensitive traffic going across it. Are you using
FreeS/WAN, something else on Linux or another platform entirely? If
you are using FreeS/WAN, start with 'lynx doc/index.html' from the
FreeS/WAN root directory once you have unpacked the source. A lot of
these questions are answered in that fine documentation.
> Steve
>
> > -----Original Message-----
> > From: netfilter-admin@samba.org [mailto:netfilter-admin@samba.org]On
> > Behalf Of Andre' Breiler
> > Sent: Friday, July 28, 2000 5:41 PM
> > To: Ury Tkachenko
> > Cc: Multiple recipients of list NETFILTER
> > Subject: Re: Iptables and ipsec
> >
> >
> > On Fri, 28 Jul 2000, Ury Tkachenko wrote:
> >
> > > Does iptables 1.1.1 support IPSEC forwarding.
> >
> > Yes, it works.
> >
> > > The following is required for IPSEC to function:
> > > 1) IP Protocol 50 (ESP) and 51 (AH)
> > > 2) UDP Port 500 (ISAKMP)
> > >
> > > If it does support IPSEC forwarding, what would be the iptables
> > > rules that I need to write and do I have to turn anything special in
> > > the kernel for IPSEC to work.
> >
> > No, nothing special is needed.
> > Rules (sorry, only typed from mind):
> > for ESP
> > iptables -A $TABLE -p 50 -j ACCEPT
> > for AH
> > iptables -A $TABLE -p 51 -j ACCEPT
> > for ISAKMP
> > iptables -A $TABLE -p 17 --sport 500 --dport 500 -j ACCEPT
> >
> > Bye Andre'
> > --
> > eMail: A.Breiler@gmx.net
> > Type Bits/KeyID Date User ID
> > pub 2048/89D36175 1997/06/20 Andre' Breiler 2048 <A.Breiler@gmx.net> SIG
> > Key fingerprint = 8E 9E A2 F8 29 27 CC 94 10 44 0E 40 7A C9 33 10
> >
> >
> >
>
slainte mhath, RGB
-- 
Richard Guy Briggs -- PGP key available Auto-Free Ottawa! Canada
<www.conscoop.ottawa.on.ca/rgb/> <www.flora.org/afo/>
Prevent Internet Wiretapping! -- FreeS/WAN:<www.freeswan.org>
Thanks for voting Green! -- <green.ca> Marillion:<www.marillion.co.uk>
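As an added example that is not part of the original posts: the three rules Andre' quotes (ESP, AH, ISAKMP on UDP 500), packaged as a POSIX shell script with the restriction a gateway should apply in practice. The quoted rules accept IPsec traffic from any source; on a real gateway the remote peers are known, so the script takes their addresses as arguments and accepts ESP/AH/IKE only from them. The chain name, the hook chain (INPUT for a gateway that terminates the tunnel itself, FORWARD for a box that merely routes the tunnel between two other gateways, which was Ury's question), the peer addresses and the IPT dry-run variable are this example's own assumptions. Note that `iptables -A` takes a chain name (the table is selected separately with `-t`, the filter table by default), so a chain is what stands in for `$TABLE` here.

```shell
#!/bin/sh
# Added example, not code from the netfilter thread or from FreeS/WAN.
# Emits the IPsec pass-through rules discussed in the thread for a set of
# known peer gateways. Chain names, peers and the IPT variable are assumed.

# IPT defaults to a dry run (prints the commands) so the script can be read
# or tested without root; set IPT=iptables to apply the rules on a real host.
IPT="${IPT:-echo iptables}"

# Emit the three rules from the thread for one remote IPsec peer.
#   $1 = chain to append to (iptables -A takes a chain, not a table)
#   $2 = address of the remote IPsec gateway
# Protocol numbers (RFC 1700 / IANA): 50 = ESP, 51 = AH, 17 = UDP.
# iptables resolves "-p 17" to udp, so --sport/--dport are valid with it.
ipsec_peer_rules() {
    peer_chain="$1"; peer="$2"
    # ESP carries the encrypted payload; AH carries authenticated-only packets.
    $IPT -A "$peer_chain" -s "$peer" -p 50 -j ACCEPT
    $IPT -A "$peer_chain" -s "$peer" -p 51 -j ACCEPT
    # ISAKMP/IKE negotiates the SAs over UDP 500; both ends use port 500.
    $IPT -A "$peer_chain" -s "$peer" -p 17 --sport 500 --dport 500 -j ACCEPT
}

# Create a dedicated chain, hook it from the given built-in chain, and add
# one rule set per peer. Unmatched traffic RETURNs to the caller's policy,
# so IPsec from unknown sources is still subject to the normal rules.
#   $1 = hook chain (INPUT for a terminating gateway, FORWARD for a router)
#   $2 = name of the new chain
#   $3.. = peer addresses
setup_ipsec_chain() {
    hook="$1"; new_chain="$2"; shift 2
    $IPT -N "$new_chain"
    $IPT -A "$hook" -j "$new_chain"
    for p in "$@"; do
        ipsec_peer_rules "$new_chain" "$p"
    done
    $IPT -A "$new_chain" -j RETURN
}

# Number of commands the dry run would issue for the given arguments;
# a quick self-check that every peer got its three rules.
count_rules() {
    setup_ipsec_chain "$@" | wc -l | tr -d ' '
}

# Constructed example: a FreeS/WAN-style gateway with two remote peers.
setup_ipsec_chain INPUT IPSEC_IN 192.0.2.1 198.51.100.7
```

Run it as-is to see the commands it would issue; run with `IPT=iptables` as root to apply them. Because the chain ends in RETURN rather than DROP, the rest of the INPUT (or FORWARD) policy still decides what happens to ESP, AH or IKE packets from addresses that are not listed, which is the usual intent on a firewall that also carries non-IPsec traffic.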