Hi all,

I am trying to lock down (securely) a wireless network. I can't get WEP to work (which I am not that bothered about anyway), and I am using IPsec/X.509 encryption. I am having some firewall issues with a system running a 2.6 kernel (i.e. the native IPsec stack, no KLIPS). What happens is that as an encrypted (ESP) packet appears on interface eth0 (as an ESP packet), it gets decrypted and then appears as the real unencrypted packet on eth0 (the same interface): a firewalling nightmare.

What I am attempting to do is mark (ESP) packets, which I am led to believe will keep the mark with the packet even after decryption. In my Shorewall tcrules I have:

    1:P eth0 0.0.0.0/0 ESP

and (as Shorewall has limited support for traffic shaping) in my Shorewall start file (/etc/shorewall/start) I have:

    iptables -I all2all -i eth0 -m mark --mark 1 -j ACCEPT

(Also for the record, I only allow UDP 500 and ESP in/out on eth0, which is exposed to the wireless network.)

This allows me to access the server from a wireless client, but I cannot get through to the internet (Shorewall blocks me). With all the security off I can access the internet. If I disable either the line in tcrules OR the line in start I can no longer access the server, so the mark is working. What I get from Shorewall is:

    Jun 19 22:35:32 localhost kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.1.3 DST=158.152.1.43 LEN=45 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=32777 DPT=53 LEN=25

So it appears that when the packet is forwarded across interfaces the packet mark is lost? Anybody know *anything* about this, or about packet marking?

Many thanks,
Robin
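The log line quoted in the message above is the standard netfilter LOG format with Shorewall's "chain:target" prefix, and the diagnosis in the post (the packet was rejected while being forwarded from eth0 to ppp0, not while being delivered locally) can be read straight from the IN= and OUT= fields. The following is an added example, not code from the original post or from the Shorewall project: a small parser for that format plus a classifier that reports whether the logged packet was on the INPUT, OUTPUT or FORWARD path. The sample lines are constructed from the entry in the post; the function names are my own.

```python
"""Parse Shorewall/netfilter kernel log lines and classify the traffic path.

Added example (not from the original post). The sample lines below are
constructed from the log entry quoted in the message; the helper names
parse_shorewall_log() and traffic_path() are assumptions of this example.
"""
import re
from typing import Dict, List

# Constructed sample: the line quoted in the post (a forwarded packet).
SAMPLE_FORWARD = (
    "Jun 19 22:35:32 localhost kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=ppp0 "
    "SRC=192.168.1.3 DST=158.152.1.43 LEN=45 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=UDP SPT=32777 DPT=53 LEN=25"
)

# Constructed sample: same packet shape, but delivered locally (OUT= is empty,
# which is how netfilter logs packets on the INPUT path).
SAMPLE_INPUT = (
    "Jun 19 22:36:01 localhost kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= "
    "SRC=192.168.1.3 DST=192.168.1.1 LEN=45 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=32777 DPT=53 LEN=25"
)

# Shorewall prefixes the kernel LOG message with "Shorewall:<chain>:<target>:".
_PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<rest>.*)")
# netfilter fields are KEY=VALUE tokens; the value may be empty (e.g. "OUT=").
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line: str) -> Dict[str, str]:
    """Return the chain, target and every KEY=VALUE field of one log line.

    Bare tokens without '=' (such as the DF flag) are collected under 'flags'.
    LEN appears twice in the netfilter format (IP total length, then the
    transport-layer length), so the second occurrence is stored as 'LEN2'.
    """
    m = _PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields: Dict[str, str] = {"chain": m.group("chain"), "target": m.group("target")}
    flags: List[str] = []
    for token in m.group("rest").split():
        kv = _KV_RE.fullmatch(token)
        if kv is None:
            flags.append(token)
            continue
        key, value = kv.groups()
        if key in fields:
            key = key + "2"
        fields[key] = value
    fields["flags"] = ",".join(flags)
    return fields


def traffic_path(fields: Dict[str, str]) -> str:
    """Classify the hook the packet was logged on from the IN/OUT fields.

    Both interfaces set -> FORWARD; only IN -> INPUT; only OUT -> OUTPUT.
    """
    has_in = bool(fields.get("IN"))
    has_out = bool(fields.get("OUT"))
    if has_in and has_out:
        return "forward"
    if has_in:
        return "input"
    if has_out:
        return "output"
    return "unknown"


def describe(line: str) -> str:
    """One-line human summary of a log entry, for quick triage."""
    f = parse_shorewall_log(line)
    return "%s in %s: %s %s:%s -> %s:%s via %s (IN=%s OUT=%s)" % (
        f["target"], f["chain"], f.get("PROTO", "?"), f.get("SRC", "?"),
        f.get("SPT", "-"), f.get("DST", "?"), f.get("DPT", "-"),
        traffic_path(f), f.get("IN", ""), f.get("OUT", ""),
    )


if __name__ == "__main__":
    for sample in (SAMPLE_FORWARD, SAMPLE_INPUT):
        print(describe(sample))
```

Running it on the quoted entry reports a UDP/53 packet from 192.168.1.3 rejected in chain all2all on the forward path (IN=eth0, OUT=ppp0), which is the same conclusion the poster reached by eye; the second, constructed line shows how an INPUT-path rejection (empty OUT=) would look for comparison.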