[strongSwan] Avoid leakage of packets addressed to/from private IP space

Noel Kuntze noel at familie-kuntze.de
Tue Sep 8 01:31:07 CEST 2015


Hello Vitaly,


> But I need to have similar rules for other RFC1918 networks? I thought that one rule is enough if IPsec-based VPN network is known.

You need to shunt every network that is reachable through the tunnel.

> Agree with your. But shall I have also rule iptables -A FORWARD -s 10.57.0.0/16 -m policy --pol none --dir out -j DROP ?

Only if hosts with IPs in the subnet of 10.57.0.0/16 are not supposed to be able to communicate without IPsec protection
over the server.

> The distribution which I have used did not have ebtables-save and ebtables-restore scripts.
> Strange enough: http://packages.ubuntu.com/precise/amd64/ebtables/filelist
> I agree with your points. I think my script can be useful to initialize the ebtables tables.
> And after that ebtables-save and ebtables-restore shall be used.

Even trusty does not ship ebtables-{save,restore}. Probably some missing information about the existence of those programs
on Canonical's part.


> > Additionally, you don't even /need/ ebtables. You can filter everything
> > in *filter FORWARD.
> By means of iptables -A FORWARD -d 10.57.0.0/16 -m policy --pol none --dir out -j DROP ?

For example.

The *filter FORWARD chain in ebtables is invoked prior to the *filter FORWARD chain in iptables.
ebtables is on layer two, iptables on layer three.
Sadly, the nf-packet-flow diagram doesn't show the ebtables chains.


> Something like this (but of course with ipsets) :

> iptables -A FORWARD -d 10.0.0.0/8 -j LOG --log-level info --log-prefix "IPTABLES-BLKO"
> iptables -A FORWARD -d 10.0.0.0/8 -j DROP
>
> ?

Yes, with -m set --match-set rfc1918 dst instead of -d 10.0.0.0/8.
-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
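The rule set discussed in this thread (an ipset of RFC1918 ranges, matched in *filter FORWARD together with the policy match so that only packets lacking an IPsec policy are logged and dropped), written out as an added example; it is not a script from the thread or from the strongSwan project. It assumes a kernel with the xt_set and xt_policy matches, the ipset and iptables binaries on PATH, and that the set name rfc1918 and the log prefix from the thread are acceptable; IPT and IPSET can be overridden (for instance with echo) to preview the generated rules without root.

```shell
#!/bin/sh
# Added example: shunt unprotected forwarded traffic to/from RFC1918 space.
# Assumptions: ipset + iptables with the set and policy matches are installed.
# Override IPT/IPSET (e.g. IPT=echo IPSET=echo) to print the rules instead of
# applying them.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SETNAME="${SETNAME:-rfc1918}"          # name of the ipset holding private ranges
LOGPREFIX="${LOGPREFIX:-IPTABLES-BLKO }"
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Create (or reuse) a hash:net set containing all three RFC1918 blocks.
create_rfc1918_set() {
    "$IPSET" create "$SETNAME" hash:net -exist
    for net in $RFC1918_NETS; do
        "$IPSET" add "$SETNAME" "$net" -exist
    done
}

# Append a LOG + DROP pair to FORWARD for one direction.
#   $1: ipset side to test (dst = packet headed into private space,
#                           src = packet coming from private space)
#   $2: policy direction  (out = would leave without IPsec,
#                          in  = arrived without IPsec)
# "--pol none" restricts the match to packets with no IPsec policy, so
# tunnelled traffic to the same ranges is untouched regardless of rule order.
shunt_rules() {
    side="$1"
    pol="$2"
    "$IPT" -A FORWARD -m set --match-set "$SETNAME" "$side" \
        -m policy --pol none --dir "$pol" \
        -j LOG --log-level info --log-prefix "$LOGPREFIX"
    "$IPT" -A FORWARD -m set --match-set "$SETNAME" "$side" \
        -m policy --pol none --dir "$pol" -j DROP
}

# Build the set and install both directions.
install_rules() {
    create_rfc1918_set
    shunt_rules dst out   # leaking towards private space in the clear
    shunt_rules src in    # cleartext arriving from private space
}

# Only apply when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "install" ]; then
    install_rules
fi
```

Run it as root with `sh shunt.sh install`, or preview with `IPT=echo IPSET=echo sh shunt.sh install`. If some hosts inside those ranges are meant to be reachable without IPsec (the 10.57.0.0/16 question above), add an explicit ACCEPT for them before calling install_rules, since the DROP rules match every unprotected packet to or from the set.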
