Hello Vitaly,

> But I need to have similar rules for other RFC1918 networks? I thought that
> one rule is enough if IPsec-based VPN network is known.

You need to shunt every network that is reachable through the tunnel.

> Agree with you. But shall I have also rule iptables -A FORWARD -s
> 10.57.0.0/16 -m policy --pol none --dir out -j DROP ?

Only if hosts with IPs in the subnet of 10.57.0.0/16 are not supposed to be able to communicate without IPsec protection over the server.

> The distribution which I have used did not have ebtables-save and
> ebtables-restore scripts.
> Strange enough: http://packages.ubuntu.com/precise/amd64/ebtables/filelist
> I agree with your points. I think my script can be useful to initialize the
> ebtables tables.
> And after that ebtables-save and ebtables-restore shall be used.

Even trusty does not ship ebtables-{save,restore}. Probably some missing information about the existence of those programs on Canonical's part.

> > Additionally, you don't even /need/ ebtables. You can filter everything
> > in *filter FORWARD.
> By means of iptables -A FORWARD -d 10.57.0.0/16 -m policy --pol none
> --dir out -j DROP ?

For example. The *filter FORWARD chain in ebtables is invoked prior to the *filter FORWARD chain in iptables. ebtables is on layer two, iptables on layer three. Sadly, the nf-packet-flow diagram doesn't show the ebtables chains.

> Something like this (but of course with ipsets) :
> iptables -A FORWARD -d 10.0.0.0/8 -j LOG --log-level info
> --log-prefix "IPTABLES-BLKO"
> iptables -A FORWARD -d 10.0.0.0/8 -j DROP
>
> ?

Yes, with -m set --match-set rfc1918 dst instead of -d 10.0.0.0/8.

-- 
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
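The ipset-based variant of the rules discussed in this thread, as an added example that is not part of the thread or of strongSwan: a POSIX shell script that generates an ipset restore script and an iptables-restore fragment which log and drop forwarded plaintext traffic (policy match, --pol none) towards the RFC1918 networks. The set name rfc1918 and the prefix IPTABLES-BLKO come from the thread; the "strict" mode (source-side rule, prefix IPTABLES-BLKI) and the helper names are assumptions, and applying the output requires root plus ipset and iptables with the policy match.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipset + iptables rulesets that
# log and drop forwarded traffic to RFC1918 networks unless it is covered by
# an IPsec policy. Only prints by default; "sh rules.sh apply [strict]" loads
# them with ipset restore / iptables-restore (both assumed installed, root needed).

# RFC1918 networks; extend with every network reachable through the tunnel.
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit an "ipset restore" script that (re)creates the set idempotently.
rfc1918_ipset() {
    printf 'create rfc1918 hash:net family inet -exist\n'
    for net in $RFC1918_NETS; do
        printf 'add rfc1918 %s -exist\n' "$net"
    done
}

# Emit an "iptables-restore -n" fragment for *filter. Forwarded packets to an
# RFC1918 destination that leave without an IPsec policy (--dir out --pol none)
# are logged, then dropped. With $1 = "strict" the same is done for packets
# *from* an RFC1918 source, i.e. those hosts may only talk over IPsec.
rfc1918_iptables() {
    mode="${1:-}"
    printf '*filter\n'
    printf -- '-A FORWARD -m set --match-set rfc1918 dst -m policy --dir out --pol none -j LOG --log-level info --log-prefix "IPTABLES-BLKO "\n'
    printf -- '-A FORWARD -m set --match-set rfc1918 dst -m policy --dir out --pol none -j DROP\n'
    if [ "$mode" = strict ]; then
        printf -- '-A FORWARD -m set --match-set rfc1918 src -m policy --dir out --pol none -j LOG --log-level info --log-prefix "IPTABLES-BLKI "\n'
        printf -- '-A FORWARD -m set --match-set rfc1918 src -m policy --dir out --pol none -j DROP\n'
    fi
    printf 'COMMIT\n'
}

# Number of FORWARD rules the fragment contains (sanity check before applying).
rfc1918_rule_count() {
    rfc1918_iptables "${1:-}" | grep -c '^-A FORWARD'
}

if [ "${1:-}" = apply ]; then
    rfc1918_ipset | ipset restore
    rfc1918_iptables "${2:-}" | iptables-restore -n
fi
```

Run it without arguments to review the generated rules first; the ipset must exist before the iptables fragment is loaded, which is why the apply branch restores the set first.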
