IPSEC Lan to Lan IPTABLES configuration requirements


I have configured and established a working IPSEC net to net connection using the following instructions

http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-ipsec-net2net.html

I can ping from any host on either network to host on either network without problems.

My next challenge is configuring a secure firewall that blocks ALL traffic coming in, allows traffic going out using NAT and allows all traffic to come in and out through the IPSEC links on either network without iptables blocking it.

I have been trying to figure this out with no avail.

If someone could give me the specific iptables commands I could type in,  I'll just type them in manually or possibly add them to a script.   I can find plenty of guides for setting up a good firewall for the average home user but none that assist with net to net connections using ipsec and iptables.


Thanks in advance!

-Will


williamjnelsonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
williamjnelsonAuthor Commented:
This one I'm missing the boat on!  Any help would do...
0
 
ahoffmannCommented:
which kernel are you using, 2.4 or 2.6?
0
 
williamjnelsonAuthor Commented:
2.6
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
ahoffmannCommented:
IIRC you cannot do it with iptables in 2.6 'cause the definition and use of virtual interfaces has changed.
You need to install additional software like iproute2 http://www.lartc.org/.

AFAIK there're patches and workarounds for that, but don't have a link handy, sorry.
0
 
williamjnelsonAuthor Commented:
I have not tried this but, what do you think about allowing in from iptables data on port 500 and blocking everything else on the internet interface?

Would that work?
0
 
ahoffmannCommented:
if you only allow port 500 and protocol 50 then you have IPSec only, that should work 'cause you don't need to destinguish different routes
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
williamjnelsonAuthor Commented:
I have not yet tried it, but I think thats the working solution for this problem.

The next cool thing would be to have each ipsec connection show up as a virtual interface in ifconfig kind of like a vlan or alias ip on an eth0 interface.
0
 
ahoffmannCommented:
> .. to have each ipsec connection show up as a virtual interface
that's what I said is not possible with 2.6, at least very difficult to configure

If your linux box is just used as firewall/router/gateway/proxy, then you better use 2.4.
0
 
williamjnelsonAuthor Commented:
does 2.4 show the interfaces?
0
 
ahoffmannCommented:
in 2.4 iptables can bind rules to all interfaces, even virtual ones, in 2.6 only physical ones can be used
With IPSec you get a (virtual) ipsec interface which can not simply be used with iptables.
IIRC there was a kernal patch (at least for early 2.6 kernels), which could be used together with iproute2 to get it working again. I don't know the current status of this behaviour ...
Sorry, don't have the links handy.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.