[strongSwan] netfilter rules for IPsec-only hosts?

Christoph Anton Mitterer calestyo at scientia.net
Sun Jul 28 23:39:36 CEST 2013


Hi.

Could someone perhaps confirm the following....

I have some iptables rules attached, and what they should do is guarantee
that with some hosts all traffic is IPsec'ed (with ESP and tunnel mode)
before it is sent to or accepted from them.

1) Do they really work like this as I expect?

2) Can they be made better (e.g. more secure/strict) for that purpose?

3) Not sure about this part:

    -A ipsec-only-in  ! --protocol esp  -j REJECT --reject-with icmp-admin-prohibited
    -A ipsec-only-out ! --protocol esp  -j REJECT --reject-with icmp-admin-prohibited

Couldn't I drop the "! --protocol esp"?


Thanks,
Chris.
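The chains the mail names, as an added example (not the attached rules file, which is not on the page): a POSIX sh function that prints an iptables-restore rule set forcing everything exchanged with the listed peers through IPsec. Assumed: the peer addresses are constructed placeholders, IKE is allowed in the clear on UDP 500/4500 (it has to be, or no SA can ever be negotiated), and the xt_policy match (-m policy) is used so that inner packets are accepted only when the kernel matched them to an ESP tunnel-mode SA, which is a stricter test than the ESP protocol number alone.

```shell
#!/bin/sh
# Added example, not the rules file attached to the mail (which is not on
# the page). Emits an iptables-restore rule set that refuses anything but
# IPsec with the listed peers. Peer addresses are constructed placeholders.

# ipsec_only_rules PEER... : print the filter table on stdout.
ipsec_only_rules() {
    echo '*filter'
    echo ':ipsec-only-in - [0:0]'
    echo ':ipsec-only-out - [0:0]'
    for peer in "$@"; do
        echo "-A INPUT  -s $peer -j ipsec-only-in"
        echo "-A OUTPUT -d $peer -j ipsec-only-out"
    done
    # IKE itself (UDP 500, and 4500 for NAT traversal) travels in the clear;
    # without these rules the SAs can never be negotiated. RETURN hands the
    # packet back to INPUT/OUTPUT, where the rest of the policy decides.
    echo '-A ipsec-only-in  -p udp -m multiport --dports 500,4500 -j RETURN'
    echo '-A ipsec-only-out -p udp -m multiport --dports 500,4500 -j RETURN'
    # The ESP encapsulation itself.
    echo '-A ipsec-only-in  -p esp -j RETURN'
    echo '-A ipsec-only-out -p esp -j RETURN'
    # The inner packets: a decapsulated packet re-traverses INPUT as an
    # ordinary TCP/UDP/ICMP packet, so it has to be accepted by an IPsec
    # policy test (xt_policy), not by protocol number. Requiring ESP and
    # tunnel mode here is what makes the chain strict.
    echo '-A ipsec-only-in -m policy --dir in --pol ipsec --proto esp --mode tunnel -j RETURN'
    echo '-A ipsec-only-out -m policy --dir out --pol ipsec --proto esp --mode tunnel -j RETURN'
    # Everything else to or from the peer is refused, as in the mail.
    echo '-A ipsec-only-in  -j REJECT --reject-with icmp-admin-prohibited'
    echo '-A ipsec-only-out -j REJECT --reject-with icmp-admin-prohibited'
    echo 'COMMIT'
}
```

The output can be syntax-checked without loading it: `ipsec_only_rules 192.0.2.10 | iptables-restore --test`.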
Attachment: rules (text/x-iptables, 2468 bytes)
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130728/65a5474c/attachment.bin>