<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Damir Dezeljin (dev) wrote:
<blockquote
cite="mid:6A71C86B2A55964C8682D358BB8D5B803E3003@mailex.mbss.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta content="MSHTML 6.00.6000.16544" name="GENERATOR">
<div><span class="125523206-22102007"><font face="Arial" size="2">Hoj,</font></span></div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"><font face="Arial" size="2">Use
case:</font></span></div>
<div><span class="125523206-22102007"><font face="Arial" size="2">-
Imam povezana dva networka z uporabo OpenSWan IPSec implementacije na
Ubuntu</font></span></div>
<div><span class="125523206-22102007"><font face="Arial" size="2">-
left = 10.0.0.0/24</font></span></div>
<div><span class="125523206-22102007"><font face="Arial" size="2">-
right = 10.0.1.0/24</font></span></div>
<div><span class="125523206-22102007"><font face="Arial" size="2">-
RSA keys</font></span></div>
<div><span class="125523206-22102007"><font face="Arial" size="2">-
zunanji interface left = eth0; zunanji interface right = ppp0 (eth0)</font></span></div>
<div><span class="125523206-22102007"><font face="Arial" size="2">-
notranji interfaci = eth1</font></span></div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"><font face="Arial" size="2">Z
iptables bi rad filtriral promet in sicer tako, da bi vedel kaj prihaja
preko VPN-ja in kaj iz interneta. Namrec NIMAM moznosti nastaviti
anti-spoofing rulo. To pomeni, da lahko na zunanjem interfaceju (torej
od ISP-ja) dobim tudi promet iz 10.0.0.0/16.</font></span></div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"><font face="Arial" size="2">Na
kernelu 2.4 je bilo to enostavno - pac VPN promet je prisel preko
ipsec+ interfaceja. Na 2.6 pa mi prihaja preko external interfaceja
(ppp0 oz. eth0). Ce je le mozno bi se rad izognil patchanju kernela
(oz. ga ne zelim patchat).</font></span></div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"><font face="Arial" size="2">Kaksen
hint (pa po moznosti se example :) ), kako identificirati tak promet?</font></span></div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"><font face="Arial" size="2">Podobno
rabim tudi za implementacijo MS IPSec VPN-ja, kjer mora L2TP
avtentikacija priti preko VPN-ja << spet isti problem kot zgoraj.</font></span></div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"></span> </div>
<div><span class="125523206-22102007"><font face="Arial" size="2">Hvala
in lp,</font></span></div>
<div><span class="125523206-22102007"><font face="Arial" size="2">Damir</font></span></div>
</blockquote>
Lahko uporabis tudi "MARK":<br>
<br>
$IPTABLES --table mangle -A PREROUTING -p esp -j MARK --set-mark 1<br>
$IPTABLES --table filter --insert FORWARD --match mark --mark 1 -s
10.0.0.0/16 -j ACCEPT<br>
<br>
<br>
LP<br>
Darko
</body>
</html>