For a given virtual address pool (let's say 10.10.10.0/24) I want to block access to a certain https application.

I prototyped this (for one specific address) as follows:

    iptables -I FORWARD 1 -p tcp -s 10.10.10.0/24 --dport 443 -d 10.100.20.100 -j DROP

This seems to produce the desired behavior, i.e. for the specific address pool, block traffic destined for a certain destination IP on port 443. I should note that I used the "-I" option to ensure that it is installed as the first rule; otherwise the rules added by strongswan seem to supersede it in precedence (which of course makes sense).

My question is: the (above) rule I want to add is a one-off / global rule, but it seems like the rules strongswan's up/down scripts add always insert themselves at the top of the list, and my global rule seems to get demoted down the list as clients connect/disconnect. This leaves me concerned that my rule will be bumped to the bottom of the list and be too low in precedence to do its job.

Can you please advise how I can have my rule always at the top of the list and not demoted to lower precedence by the strongswan up/down rules being installed as clients connect/disconnect? Perhaps I'm missing something simple? Do I need to somehow integrate my rule into the strongswan up/down script? Or is there a simpler way?

Thanks

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
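Two ways to keep the global DROP ahead of whatever the updown hook inserts, as an added example that is not part of the original post and not strongSwan's own code. The first needs no script at all: put the rule in the mangle table instead of filter, because netfilter traverses mangle/FORWARD before filter/FORWARD, and the stock _updown only inserts into filter/FORWARD, so its rules can never outrank it. The second is a wrapper updown script that calls the stock _updown and then re-inserts the rule at position 1 after every connect/disconnect. The hook path /usr/lib/ipsec/_updown, the wrapper path /etc/ipsec.d/my_updown, the pool and the destination address are assumptions taken from the post; adjust them for your distribution.

```shell
#!/bin/sh
# Wrapper for strongSwan's updown hook (added example, not strongSwan's own
# code). Install with leftupdown=/etc/ipsec.d/my_updown in ipsec.conf
# (assumed path). It runs the stock _updown first, then puts the global
# DROP rule back at the top of filter/FORWARD.
#
# Scriptless alternative: install the rule once in the mangle table, whose
# FORWARD chain is traversed before filter/FORWARD, so rules that _updown
# inserts into filter/FORWARD can never take precedence over it:
#   iptables -t mangle -I FORWARD 1 -p tcp -s 10.10.10.0/24 \
#       -d 10.100.20.100 --dport 443 -j DROP

IPTABLES="${IPTABLES:-iptables}"                        # overridable for testing
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}"  # Debian path (assumption)
POOL="${POOL:-10.10.10.0/24}"                           # client address pool
BLOCKED="${BLOCKED:-10.100.20.100}"                     # https host to block

# The match/target part of the rule, without chain or position.
block_rule_spec() {
    printf '%s' "-p tcp -s $POOL -d $BLOCKED --dport 443 -j DROP"
}

# Delete every copy of the rule that may have drifted down the chain, then
# re-insert exactly one copy at position 1. "iptables -C" exits 0 only if
# the rule exists, so repeated up/down events never accumulate duplicates.
ensure_block_rule_on_top() {
    spec=$(block_rule_spec)
    # shellcheck disable=SC2086  # word-splitting of $spec is intended
    while $IPTABLES -C FORWARD $spec 2>/dev/null; do
        $IPTABLES -D FORWARD $spec || break
    done
    $IPTABLES -I FORWARD 1 $spec
}

# strongSwan sets PLUTO_VERB (up-client, down-client, ...) when it invokes
# the hook; without it (e.g. when sourced for testing) nothing runs.
case "${PLUTO_VERB:-}" in
    "") ;;
    *)
        "$STOCK_UPDOWN" "$@"
        rc=$?
        ensure_block_rule_on_top
        exit $rc
        ;;
esac
```

Both approaches are idempotent under concurrent connects and disconnects, but the mangle-table rule is the simpler one to reason about: nothing strongSwan does to filter/FORWARD can reorder it, and it does not depend on the hook being wired up correctly for every connection definition.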
