On 18.10.2016 22:11, Brian O'Connor wrote:
> So, for forwarded traffic (as distinct from locally sourced packets), I understand the packet to flow through the mangle and nat postrouting chains twice, and the other iptables output chains for raw, mangle, nat and filter tables only once after encryption.

That depends on where the packet originally came from. If it comes in an ESP/NAT-T packet, it circulates through the INPUT path two times (once as an ESP/NAT-T packet and once as an unprotected packet). If it is an unprotected packet, it only goes through the INPUT path once (as an unprotected packet).

> On the first pass through the mangle and nat postrouting chains, iptables rules would operate on the unencrypted payload packet and on the second pass on the IP headers of the encrypted IPsec packet.

If the packet matches an IPsec policy with OUTPUT flag set, then yes.

We need to strongly differentiate in this discussion where the packet actually comes from and where it goes to (if it was/is in an ESP/NAT-T/AH packet, if there is a matching INPUT policy for it in the SAD and SPD, and analogously if it's a packet that is going to be protected with IPsec, that is, if there's a matching policy in the SPD for it with the correct mode and if it's a policy that has the correct mode).

A packet that goes through netfilter *4* times would be a packet that is received as an ESP/NAT-T/AH packet, has a matching SA and SP, is allowed by your netfilter rules, is locally decapsulated, routed, encapsulated and allowed again and then sent to another host again.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
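The distinction Noel draws above (outer ESP/NAT-T packet vs. decapsulated plaintext on the way in, plaintext matching an outbound SP vs. the encapsulated packet on the way out) is what the iptables `policy` match is for. The following rule set is an added example, not part of the list thread; the peer address is constructed, and `IPT` defaults to `echo iptables` so the script can be read without root (set `IPT=iptables` to actually install the rules).

```shell
#!/bin/sh
# Added example: tag each netfilter pass of forwarded IPsec traffic.
# IPT defaults to a dry run; export IPT=iptables to apply as root.
IPT="${IPT:-echo iptables}"
PEER="${PEER:-203.0.113.2}"   # constructed IKE/ESP peer address

# Pass 1: the packet arrives as ESP/NAT-T/AH (outer headers). Matched by
# protocol, not by policy; at this point it has not been decapsulated.
ipsec_ingress_outer() {
  $IPT -A INPUT -s "$PEER" -p esp -j ACCEPT
  $IPT -A INPUT -s "$PEER" -p ah -j ACCEPT
  $IPT -A INPUT -s "$PEER" -p udp --dport 500 -j ACCEPT    # IKE
  $IPT -A INPUT -s "$PEER" -p udp --dport 4500 -j ACCEPT   # NAT-T
}

# Pass 2: after decapsulation the inner packet re-enters PREROUTING and,
# being forwarded, FORWARD. '--dir in --pol ipsec' only matches packets
# the xfrm layer just decapsulated, so plain traffic cannot spoof this.
ipsec_ingress_inner() {
  $IPT -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
  $IPT -A FORWARD -m policy --dir in --pol none -j LOG --log-prefix "fwd-no-ipsec: "
}

# Pass 3: plaintext matching an outbound SP, before encapsulation. The
# nat POSTROUTING rule must precede any MASQUERADE rule, otherwise the
# first POSTROUTING pass rewrites the inner packet before it is protected.
ipsec_egress_inner() {
  $IPT -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
  $IPT -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
}

# Pass 4: the encapsulated packet leaving towards the peer (outer headers).
ipsec_egress_outer() {
  $IPT -A OUTPUT -d "$PEER" -p esp -j ACCEPT
  $IPT -A OUTPUT -d "$PEER" -p udp --dport 4500 -j ACCEPT
}

ipsec_rules_all() {
  ipsec_ingress_outer
  ipsec_ingress_inner
  ipsec_egress_inner
  ipsec_egress_outer
}
```

Run `ipsec_rules_all` after sourcing the file; with the default dry run it prints the ten rules in installation order.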

Users mailing list