?
Solved

IPSEC Lan to Lan IPTABLES configuration requirements

Posted on 2006-06-15
10
Medium Priority
?
823 Views
Last Modified: 2012-05-05

I have configured and established a working IPSEC net to net connection using the following instructions

http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-ipsec-net2net.html

I can ping from any host on either network to host on either network without problems.

My next challenge is configuring a secure firewall that blocks ALL traffic coming in, allows traffic going out using NAT and allows all traffic to come in and out through the IPSEC links on either network without iptables blocking it.

I have been trying to figure this out with no avail.

If someone could give me the specific iptables commands I could type in,  I'll just type them in manually or possibly add them to a script.   I can find plenty of guides for setting up a good firewall for the average home user but none that assist with net to net connections using ipsec and iptables.


Thanks in advance!

-Will


0
Comment
Question by:williamjnelson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 

Author Comment

by:williamjnelson
ID: 16918222
This one I'm missing the boat on!  Any help would do...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16919173
which kernel are you using, 2.4 or 2.6?
0
 

Author Comment

by:williamjnelson
ID: 16927336
2.6
0
Is Your Team Achieving Their Full Potential?

74% of employees feel they are not achieving their full potential. With Linux Academy, not only will you strengthen your team's core competencies but also their knowledge of of the newest IT topics.

With new material every week, we'll make sure that you stay ahead of the game.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 16928918
IIRC you cannot do it with iptables in 2.6 'cause the definition and use of virtual interfaces has changed.
You need to install additional software like iproute2 http://www.lartc.org/.

AFAIK there're patches and workarounds for that, but don't have a link handy, sorry.
0
 

Author Comment

by:williamjnelson
ID: 16988884
I have not tried this but, what do you think about allowing in from iptables data on port 500 and blocking everything else on the internet interface?

Would that work?
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 16990043
if you only allow port 500 and protocol 50 then you have IPSec only, that should work 'cause you don't need to destinguish different routes
0
 

Author Comment

by:williamjnelson
ID: 16997043
I have not yet tried it, but I think thats the working solution for this problem.

The next cool thing would be to have each ipsec connection show up as a virtual interface in ifconfig kind of like a vlan or alias ip on an eth0 interface.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16998871
> .. to have each ipsec connection show up as a virtual interface
that's what I said is not possible with 2.6, at least very difficult to configure

If your linux box is just used as firewall/router/gateway/proxy, then you better use 2.4.
0
 

Author Comment

by:williamjnelson
ID: 17003714
does 2.4 show the interfaces?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17003819
in 2.4 iptables can bind rules to all interfaces, even virtual ones, in 2.6 only physical ones can be used
With IPSec you get a (virtual) ipsec interface which can not simply be used with iptables.
IIRC there was a kernal patch (at least for early 2.6 kernels), which could be used together with iproute2 to get it working again. I don't know the current status of this behaviour ...
Sorry, don't have the links handy.
0

Featured Post

Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month13 days, 15 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question