Here is an example of netfilter (iptables) rules that allow the SMB protocol through a server only when the traffic is carried over IPsec. The rules use the `-m policy --pol ipsec` match to accept SMB packets that are covered by an IPsec policy, and then drop any SMB traffic that is not.
#INPUT
##ACCEPT
iptables -A INPUT -d 192.168.1.200 -p udp --match multiport --dport 137,138 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -d 192.168.1.200 -p tcp --match multiport --dport 139,445,137 -m policy --dir in --pol ipsec -j ACCEPT
##DROP smb if not through IPsec
iptables -A INPUT -d 192.168.1.200 -p udp --match multiport --dport 137,138 -j DROP
iptables -A INPUT -d 192.168.1.200 -p tcp --match multiport --dport 139,445,137 -j DROP

#OUTPUT
##ACCEPT
iptables -A OUTPUT -s 192.168.1.200 -p tcp --match multiport --sport 139,445,137 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A OUTPUT -s 192.168.1.200 -p udp --match multiport --sport 137,138 -m policy --dir out --pol ipsec -j ACCEPT
##DROP smb if not through IPsec
iptables -A OUTPUT -s 192.168.1.200 -p tcp --match multiport --sport 139,445,137 -j DROP
iptables -A OUTPUT -s 192.168.1.200 -p udp --match multiport --sport 137,138 -j DROP
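As an added example (not part of the original post), the script below generates the same ruleset for any server address in iptables-restore format and audits a ruleset for the ordering the rules depend on: since `iptables -A` appends, an unconditional SMB DROP placed before the IPsec-gated ACCEPT would shadow it. The port lists and the `-m policy --pol ipsec` match are the post's; the function names and the audit helper are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the post's SMB-over-IPsec ruleset and check its order.
SMB_TCP_PORTS="139,445,137"
SMB_UDP_PORTS="137,138"

# smb_ipsec_rules <server-ip>: print the rules in iptables-restore format.
# The IPsec-gated ACCEPT rules are emitted before the unconditional DROPs.
smb_ipsec_rules() {
  addr="$1"
  cat <<EOF
*filter
-A INPUT -d $addr -p udp -m multiport --dport $SMB_UDP_PORTS -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -d $addr -p tcp -m multiport --dport $SMB_TCP_PORTS -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -d $addr -p udp -m multiport --dport $SMB_UDP_PORTS -j DROP
-A INPUT -d $addr -p tcp -m multiport --dport $SMB_TCP_PORTS -j DROP
-A OUTPUT -s $addr -p tcp -m multiport --sport $SMB_TCP_PORTS -m policy --dir out --pol ipsec -j ACCEPT
-A OUTPUT -s $addr -p udp -m multiport --sport $SMB_UDP_PORTS -m policy --dir out --pol ipsec -j ACCEPT
-A OUTPUT -s $addr -p tcp -m multiport --sport $SMB_TCP_PORTS -j DROP
-A OUTPUT -s $addr -p udp -m multiport --sport $SMB_UDP_PORTS -j DROP
COMMIT
EOF
}

# check_smb_ipsec_order: read iptables-save style rules on stdin. Exit 0 only
# if at least one SMB-port rule is gated on "--pol ipsec" and no such gated
# ACCEPT comes after an unconditional SMB-port DROP in the same chain.
check_smb_ipsec_order() {
  awk -v ports="($SMB_TCP_PORTS|$SMB_UDP_PORTS)" '
    /^-A / && $0 ~ ports {
      chain = $2
      if ($0 ~ /-j DROP/ && $0 !~ /--pol ipsec/) dropped[chain] = 1
      else if ($0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/) {
        gated++
        if (dropped[chain]) shadowed++
      }
    }
    END { exit (gated == 0 || shadowed > 0) ? 1 : 0 }'
}

# Usage: review the generated rules, then feed them to iptables-restore.
# smb_ipsec_rules 192.168.1.200 | check_smb_ipsec_order && echo "order ok"
```

The audit can also be run against the live table with `iptables-save | check_smb_ipsec_order` to confirm the ACCEPT rules were not inserted after an earlier DROP.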