Filtering incoming Strongswan VPN packets with iptables


You should have a look at the policy module for iptables, which matches packets based on their relation to IPsec policies (see man 8 iptables or man 8 iptables-extensions for details).

How the module is best applied really depends on how the rest of your firewall is configured and what your exact requirements are. For instance, setting the default (firewall) policy for the INPUT and FORWARD chains to DROP (be careful when doing that via SSH, as you could potentially lock yourself out of your machine) and then using strongSwan's default updown script (leftfirewall=yes) will basically do everything related to the IPsec tunnels for you. The script will automatically add proper input and forwarding rules (using the policy module) to only allow traffic from/to the tunneled subnet via IPsec tunnels (actually, for road-warriors only the assigned IPs will ever be allowed, not even the whole subnet).

If you don't want to do the above you could add some rules manually. With the following options you can match packets that arrived via any IPsec connection (use --dir in|out to specify the direction):

-m policy --dir in --pol ipsec

So if you simply want to drop packets with a source IP from said subnet that did NOT arrive via IPsec you could add the following rules:

iptables -A INPUT -s 192.168.99.0/24 ! -m policy --dir in --pol ipsec -j DROP
iptables -A FORWARD -s 192.168.99.0/24 ! -m policy --dir in --pol ipsec -j DROP
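Putting the answer's policy-match rules together with the SNAT rule from the question, as an added example that is not part of the original answer: the pool 192.168.99.0/24 and interface eth0 come from the question, the public address is a placeholder, and the check_dir_validity helper is my own addition. The script only prints the rules; the comments explain why the SNAT rule itself carries no policy match.

```shell
#!/bin/sh
# Added example (not from the original post): build the filter and NAT rules that
# restrict the 192.168.99.0/24 road-warrior pool to IPsec-decapsulated traffic.
# Assumptions: eth0 is the egress interface (from the question); the public address
# is a placeholder. Rules are printed, not applied; pipe the output to sh as root.

ipsec_rules() {
    pool="$1"; wan="$2"; pub="$3"
    # Drop anything claiming a pool source address that was not decapsulated from
    # an IPsec SA (the two rules given in the answer).
    echo "iptables -A INPUT -s $pool ! -m policy --dir in --pol ipsec -j DROP"
    echo "iptables -A FORWARD -s $pool ! -m policy --dir in --pol ipsec -j DROP"
    # Let tunneled clients out via the WAN interface, and replies back in; the
    # return path uses --dir out because those packets will be encapsulated.
    echo "iptables -A FORWARD -s $pool -m policy --dir in --pol ipsec -o $wan -j ACCEPT"
    echo "iptables -A FORWARD -d $pool -i $wan -m policy --dir out --pol ipsec -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The filter FORWARD chain is traversed before nat POSTROUTING, so a pool-sourced
    # packet that reaches this SNAT rule has already passed the policy check above.
    # (--dir in is not accepted in POSTROUTING, so the SNAT rule itself cannot carry
    # the policy match.)
    echo "iptables -t nat -A POSTROUTING -s $pool -o $wan -j SNAT --to-source $pub"
}

# Reject a rule set that uses the policy match in a chain where that direction is
# invalid: --dir in only in PREROUTING/INPUT/FORWARD, --dir out only in
# POSTROUTING/OUTPUT/FORWARD. Reads rules on stdin; returns 1 on the first violation.
check_dir_validity() {
    while IFS= read -r rule; do
        case "$rule" in
            *POSTROUTING*"--dir in"*|*OUTPUT*"--dir in"*) return 1 ;;
            *PREROUTING*"--dir out"*|*"INPUT "*"--dir out"*) return 1 ;;
        esac
    done
    return 0
}

# Print the rule set only if it passes the direction check.
ipsec_rules 192.168.99.0/24 eth0 "<public IP address of server>" | check_dir_validity \
    && ipsec_rules 192.168.99.0/24 eth0 "<public IP address of server>"
```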
GorillaPatch

Updated on November 23, 2022

Comments

  • GorillaPatch
    GorillaPatch over 1 year

    I am using a Strongswan VPN server on a Debian Squeeze machine. The incoming VPN clients get an IP of the 192.168.99.0/24 subnet.

    As I am using this VPN mainly to have encryption when using non-encrypted WLANs, I am doing a source NAT into the internet using iptables. (I prefer source NATing because the server has a static IPv4 address.)

    At the moment I am using the following iptables command:

    # used for StrongSWAN
    iptables -t nat -I POSTROUTING -s 192.168.99.0/24 -o eth0 -j SNAT --to-source <public IP address of server>

    My question is: when using this rule, all traffic incoming from this 192.168.99.0/24 subnet is now accepted and NATted. I would like to be more specific, so that only traffic that entered the server through this VPN tunnel is accepted by this rule.

    In a classic router setup with two network devices I would check for the incoming device to achieve that. Is there something equivalent in Strongswan (e.g. virtual network devices)?

    How can I filter out the packets that reached the server through the tunnel so that only these packets are NATed?

  • GorillaPatch
    GorillaPatch over 11 years
    Thanks for your reply. I will try it out later. I am using Arno's firewall scripts, but it gets a little too complicated and it does not work well with StrongSWAN.