[strongSwan] Blocking a specific resource

Raoul Duke rduke496 at gmail.com
Wed Sep 24 05:27:17 CEST 2014

For a given virtual address pool (let's say I want to
block access to a certain https application).

I prototyped this (for one specific address) as follows:

iptables -I FORWARD 1 -p tcp -s --dport 443 -d -j DROP

This seems to produce the desired behavior, i.e. for the specific
address pool, block traffic destined for a certain destination ip on
port 443.

I should note that I used the "-I" option to ensure that it is
installed as the first rule; otherwise the rules added by strongSwan
seem to supersede it in precedence (which of course makes sense).

My question is: the (above) rule I want to add is a one-off / global
rule, but it seems like the rules strongSwan's up/down scripts add
always insert themselves at the top of the list, and my global rule
seems to get demoted down the list as clients connect/disconnect.
This leaves me concerned that my rule will be bumped to the bottom of
the list and be too low precedence to do its job.

Can you please advise how I can have my rule always at the top of the
list and not demoted to lower precedence by the strongSwan up/down
rules being installed as clients connect/disconnect?

Perhaps I'm missing something simple?  Do I need to somehow integrate
my rule into the strongswan up/down script?  Or is there a simpler
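One way to do what the post asks about (integrating the rule into the up/down script) is a wrapper updown script that runs strongSwan's stock script and then re-pins the DROP rule at position 1. This is an added example, not code from the original post or from strongSwan; the pool 10.1.0.0/16 and host 203.0.113.10 are constructed sample values, and the path of the default updown script is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan.
# Wrapper updown script that keeps a one-off DROP rule pinned at the top of
# FORWARD after strongSwan's own updown script has inserted its rules.
# Constructed sample values: POOL, DEST. Assumed path: UPDOWN.
POOL="10.1.0.0/16"                # virtual IP pool handed to clients
DEST="203.0.113.10"               # https application host to block
UPDOWN="/usr/lib/ipsec/_updown"   # assumed location of strongSwan's default script

# Written the way `iptables -S` prints it (explicit /32 and "-m tcp"), so the
# same string serves for inserting, deleting and position matching.
BLOCK_SPEC="-s $POOL -d $DEST/32 -p tcp -m tcp --dport 443 -j DROP"

# Read `iptables -S FORWARD` output on stdin; print the 1-based position of
# the first FORWARD rule equal to $1, or 0 if it is not present.
block_rule_position() {
  awk -v want="$1" '
    /^-A FORWARD / {
      n++; line = $0; sub(/^-A FORWARD /, "", line)
      if (line == want) { pos = n; exit }
    }
    END { print pos + 0 }'
}

# Delete any copy of the rule that client connects/disconnects pushed down
# the chain and re-insert it as rule 1. $BLOCK_SPEC is deliberately unquoted
# so it splits into separate iptables arguments.
ensure_block_rule_on_top() {
  pos=$(iptables -S FORWARD | block_rule_position "$BLOCK_SPEC")
  if [ "$pos" -eq 1 ]; then
    return 0
  fi
  if [ "$pos" -gt 1 ]; then
    iptables -D FORWARD $BLOCK_SPEC
  fi
  iptables -I FORWARD 1 $BLOCK_SPEC
}

# strongSwan exports PLUTO_VERB (up-client, down-client, ...) to the updown
# script; run the stock script first, then re-pin the block rule.
# Point the connection's leftupdown= at this file to activate it.
if [ -n "${PLUTO_VERB:-}" ]; then
  "$UPDOWN" "$@"
  ensure_block_rule_on_top
fi
```

Because `iptables -S` prints rules in normalized form, a rule typed without `/32` or `-m tcp` still shows up with them, which is why BLOCK_SPEC is written that way.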


