I would like to test my firewall configuration when IPsec traffic is received in my host and I also would like to know how to handle it (drop it at first).
For testing purposes, I have deployed two containers (with IPv6 enabled) and I am creating an ESP packet with scapy (taken from: https://github.com/secdev/scapy/blob/master/test/ipsec.uts#L2730):

    from scapy.all import IPv6, TCP, Raw, raw
    from scapy.layers.ipsec import SecurityAssociation, ESP

    # Inner packet: IPv6 + TCP + payload, re-parsed so all fields are computed
    p = IPv6()
    p.dst = "fe80::42:acff:fe10:ee04"
    p /= TCP(sport=45012, dport=80)
    p /= Raw('testdata')
    p = IPv6(raw(p))

    # SA with NULL encryption and NULL authentication, SPI 0x222
    sa = SecurityAssociation(ESP, spi=0x222,
                             crypt_algo='NULL', crypt_key=None,
                             auth_algo='NULL', auth_key=None)

    # Wrap the inner packet in ESP (tunnel mode is scapy's default here)
    e = sa.encrypt(p)
I would like to add a firewall rule that shall drop this packet.
My current configuration is:
    # ip6tables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A INPUT -d fe80::42:acff:fe10:ee04/64 -i eth0 -p esp -j DROP
    -A INPUT -d fe80::/64 -i eth0 -p esp -j DROP
    -A INPUT -m ipv6header --header esp --soft -j DROP
I also tried this but it fails:
    # ip6tables -A INPUT -m esp --espspi 546 -j DROP
    ip6tables: Invalid argument. Run `dmesg' for more information.

However, I haven't yet found a way to do this.
My tcpdump shows that the packet is received:
    # tcpdump -i eth0 dst fe80::42:acff:fe10:ee04 -vvv
    14:16:33.971545 IP6 (hlim 64, next-header ESP (50) payload length: 40) fe80::42:acff:fe10:ee03 > b4f9f118b0e7: ESP(spi=0x00000222,seq=0x1), length 40
Some important information:
    # uname -r
    5.0.8-1.el7.elrepo.x86_64
    # cat /etc/system-release
    CentOS Linux release 7.5.1804 (Core)
    # ip6tables -V
    ip6tables v1.4.21
You can’t use tcpdump to determine whether the firewall is working, because it receives packets before iptables processes them.
Instead, you can write iptables rules that log the traffic of interest, or you can check the rule hit counters for each rule to see if traffic is hitting them.
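The following is an added example illustrating the answer above; it is not code from the question, the answer or any project. It installs the ESP rules in a dedicated chain with a rate-limited LOG rule ahead of the DROP, and then checks the per-rule packet counters from `ip6tables -nvxL` and the kernel log lines the LOG target produces. The chain name `ESP_IN`, the log prefix, and the sample listings and log line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: verify that an
# ESP DROP rule is matching by using a LOG rule and per-rule packet counters,
# as the answer suggests. The chain name ESP_IN, the log prefix and the sample
# listings/log line below are assumptions constructed for this example.

# 1. Install the rules (needs root; defined here but not called, so the rest of
#    the script runs unprivileged). The LOG rule is rate-limited so a flood of
#    ESP packets cannot fill the kernel log; the DROP counter is the reliable one.
install_esp_rules() {
    ip6tables -N ESP_IN
    ip6tables -A ESP_IN -m limit --limit 5/min -j LOG --log-prefix "ESP drop: "
    ip6tables -A ESP_IN -j DROP
    ip6tables -I INPUT 1 -i eth0 -p esp -j ESP_IN
}

# 2. Read the packet counter of the first rule whose target is $1 from an
#    `ip6tables -nvxL <chain>` listing supplied on stdin (-x gives exact counts
#    instead of 3K/2M abbreviations, so values are comparable).
rule_pkts() {
    awk -v target="$1" '$3 == target { print $1; exit }'
}

# 3. Decide whether any packet hit the DROP rule between two listings.
esp_dropped_between() {   # usage: esp_dropped_between "$before" "$after"
    b=$(printf '%s\n' "$1" | rule_pkts DROP)
    a=$(printf '%s\n' "$2" | rule_pkts DROP)
    [ "${a:-0}" -gt "${b:-0}" ]
}

# 4. Pull the SPI out of each kernel log line written by the LOG rule.
logged_esp_spis() {   # reads log lines on stdin, prints one SPI per match
    grep -o 'ESP drop: .*PROTO=ESP SPI=0x[0-9a-fA-F]*' | sed 's/.*SPI=//'
}

# Constructed sample listings: what `ip6tables -nvxL ESP_IN` would print before
# and after sending one ESP packet like the scapy one in the question.
BEFORE='Chain ESP_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all      *      *       ::/0                 ::/0                 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "ESP drop: "
       0        0 DROP       all      *      *       ::/0                 ::/0'
AFTER='Chain ESP_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       1       80 LOG        all      *      *       ::/0                 ::/0                 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "ESP drop: "
       1       80 DROP       all      *      *       ::/0                 ::/0'

# Constructed sample kernel log line in the format the ip6tables LOG target uses
# for ESP (PROTO=ESP SPI=...).
SAMPLE_LOG='kernel: ESP drop: IN=eth0 OUT= MAC=02:42:ac:10:ee:04:02:42:ac:10:ee:03:86:dd SRC=fe80:0000:0000:0000:0042:acff:fe10:ee03 DST=fe80:0000:0000:0000:0042:acff:fe10:ee04 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ESP SPI=0x222'

if esp_dropped_between "$BEFORE" "$AFTER"; then
    echo "ESP packets hit the DROP rule; logged SPIs:"
    printf '%s\n' "$SAMPLE_LOG" | logged_esp_spis
else
    echo "no ESP packets hit the DROP rule"
fi
```

On a live host, replace the constructed listings with `ip6tables -nvxL ESP_IN` captured before and after sending the scapy packet, and feed `dmesg` or `journalctl -k` into `logged_esp_spis`. Because the DROP rule sits after the rate-limited LOG rule, its counter keeps increasing even when logging is suppressed, so compare that counter rather than the LOG one.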
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.