Is there an easy way to get the KLIPS IPsec stack into CentOS 6? It makes firewalling IPsec traffic much easier.
Eero
3 thoughts on - Openswan And Klips Ipsec Stack
Hi Eero,
If you are only concerned about firewalling incoming traffic why would you need more than:
-A INPUT -p udp -s peerip/32 --sport 500 -d yourip/32 --dport 500 -j ACCEPT
-A INPUT -p esp -s peerip/32 -d yourip/32 -j ACCEPT
2014-10-06 22:02 GMT+03:00 Steve Clark:
Also need to filter outgoing ipsec traffic and it’s a bit complex on netkey stack?
Hi Eero,
We are using ipsec-tools which is based on netkey. I am not sure I see the issue. Why wouldn’t the above rules work with those below:
-A OUTPUT -o ethx -p udp -s yourip/32 --sport 500 -d peerip/32 --dport 500 -j ACCEPT
-A OUTPUT -o ethx -p esp -s yourip/32 -d peerip/32 -j ACCEPT
If you only want the rules against a certain interface.
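To put the rules from this thread together in one place, here is a small shell helper that is not from any of the participants above: it emits the IKE (UDP 500) and ESP rules for a single peer in both directions, optionally pinned to one interface, and, because NETKEY has no separate ipsec0 interface on which decrypted packets appear, it uses the iptables `policy` match (`-m policy`) to accept plaintext traffic only if it really arrived through that peer's tunnel. The addresses, interface name and remote subnet are constructed placeholders; the function prints rules rather than applying them so the output can be reviewed before loading it.

```shell
#!/bin/sh
# Hypothetical helper (added example, not code from the thread): print
# iptables rules that restrict IKE and ESP to one known peer, in both
# directions, and filter the decrypted traffic on a NETKEY host via the
# xt_policy match instead of an ipsec0 interface (which only KLIPS has).
#
# Usage: ipsec_rules PEER_IP LOCAL_IP [OUT_IFACE] [REMOTE_SUBNET]

ipsec_rules() {
    peer="$1"        # remote IPsec gateway
    local_ip="$2"    # our own address
    iface="$3"       # optional: limit OUTPUT rules to this interface
    remote_net="$4"  # optional: subnet behind the peer (tunnel mode)

    out_if=""
    if [ -n "$iface" ]; then
        out_if="-o $iface "
    fi

    # IKE (ISAKMP) on UDP 500, only to and from this peer.
    echo "-A INPUT -p udp -s $peer/32 --sport 500 -d $local_ip/32 --dport 500 -j ACCEPT"
    echo "-A OUTPUT ${out_if}-p udp -s $local_ip/32 --sport 500 -d $peer/32 --dport 500 -j ACCEPT"

    # ESP, only to and from this peer.
    echo "-A INPUT -p esp -s $peer/32 -d $local_ip/32 -j ACCEPT"
    echo "-A OUTPUT ${out_if}-p esp -s $local_ip/32 -d $peer/32 -j ACCEPT"

    # Plaintext side: on NETKEY the decrypted packet re-enters INPUT on the
    # same interface, so match on the IPsec policy that handled it.
    if [ -n "$remote_net" ]; then
        echo "-A INPUT -m policy --dir in --pol ipsec --mode tunnel --tunnel-src $peer -s $remote_net -j ACCEPT"
        echo "-A OUTPUT -m policy --dir out --pol ipsec --mode tunnel --tunnel-dst $peer -d $remote_net -j ACCEPT"
        # A packet claiming the remote subnet as source without IPsec never
        # came through the tunnel; drop it rather than trust the address.
        echo "-A INPUT -m policy --dir in --pol none -s $remote_net -j DROP"
    fi
}

# Constructed sample values (RFC 5737 documentation addresses).
ipsec_rules 203.0.113.5 198.51.100.7 eth0 192.0.2.0/24
```

The output is in the same `-A CHAIN ...` form used in the thread, so each line can be run as `iptables <line>` or pasted into an `iptables-restore` file under the `*filter` table. Leave the fourth argument off if you only need the IKE/ESP rules, and the third if you do not want the OUTPUT rules tied to one interface.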