How to block incoming ESP traffic with ip6tables

belabrinel asked:

I would like to test my firewall configuration when IPsec traffic is received in my host and I also would like to know how to handle it (drop it at first).

For testing reasons, I have deployed two containers (with ipv6 enabled) and then I am creating an ESP packet with the use of scapy (taken from:

from scapy.all import IPv6, TCP, Raw, raw
from scapy.layers.ipsec import SecurityAssociation, ESP

# Build a plain IPv6/TCP packet with a small payload.
p = IPv6()
p /= TCP(sport=45012, dport=80)
p /= Raw('testdata')
p = IPv6(raw(p))  # re-parse so all lengths/checksums are computed
# NULL encryption and NULL authentication: ESP framing only, no real protection.
sa = SecurityAssociation(ESP, spi=0x222, crypt_algo='NULL', crypt_key=None, auth_algo='NULL', auth_key=None)
e = sa.encrypt(p)  # e is the ESP-encapsulated packet (next-header 50)

I would like to add a firewall rule that shall drop this packet.

My current configuration is:

# ip6tables -S
-A INPUT -d fe80::42:acff:fe10:ee04/64 -i eth0 -p esp -j DROP
-A INPUT -d fe80::/64 -i eth0 -p esp -j DROP
-A INPUT -m ipv6header --header esp --soft -j DROP

I also tried this but it fails:

# ip6tables -A INPUT -m esp --espspi 546 -j DROP
ip6tables: Invalid argument. Run `dmesg' for more information.

However, I haven’t yet found a way to do this.
My tcpdump shows that the packet is received:

# tcpdump -i eth0 dst fe80::42:acff:fe10:ee04 -vvv
14:16:33.971545 IP6 (hlim 64, next-header ESP (50) payload length: 40) fe80::42:acff:fe10:ee03 > b4f9f118b0e7: ESP(spi=0x00000222,seq=0x1), length 40

Some important information:

# uname -r
# cat /etc/system-release
CentOS Linux release 7.5.1804 (Core)
# ip6tables -V
ip6tables v1.4.21

My answer:

You can’t use tcpdump to determine whether the firewall is working, because it receives packets before iptables processes them.

Instead, you can write iptables rules that log the traffic of interest, or you can check the rule hit counters for each rule to see if traffic is hitting them.
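One way to put that into practice, as an added example that is not part of the original answer: a LOG rule in front of the DROP rule, plus a counter check on the listing that ip6tables itself produces. The interface name eth0, the log prefix and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Verify an ESP DROP rule from ip6tables' own evidence (LOG target and
# per-rule packet counters) rather than tcpdump, which sees packets before
# netfilter processes them. Interface and prefix are assumptions.

# Put a LOG rule ahead of a DROP rule for inbound ESP (IP protocol 50),
# then zero the counters so the next hit is unambiguous. Needs root.
install_esp_drop_rules() {
    ip6tables -I INPUT 1 -i eth0 -p esp -j LOG --log-prefix "ESP-IN: " --log-level 4
    ip6tables -I INPUT 2 -i eth0 -p esp -j DROP
    ip6tables -Z INPUT
}

# Sum the packet counters of every DROP rule for protocol esp in INPUT.
# Reads `ip6tables -L INPUT -v -n -x` output on stdin. The field order is
# pkts bytes target prot ... whether or not the "opt" column is blank.
esp_drop_hits() {
    awk '$3 == "DROP" && $4 == "esp" { sum += $1 } END { print sum + 0 }'
}

# Count kernel log lines written by the LOG rule (stdin: dmesg / journalctl -k).
esp_log_hits() {
    grep -c 'ESP-IN: ' || true
}

# Constructed sample listing, in the shape ip6tables -L INPUT -v -n -x prints,
# after one ESP test packet hit the new rules (an older DROP rule kept 2 hits).
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1        88 LOG        esp      eth0   *       ::/0                 ::/0                 LOG flags 0 level 4 prefix "ESP-IN: "
       1        88 DROP       esp      eth0   *       ::/0                 ::/0
       2       176 DROP       esp      eth0   *       ::/0                 fe80::/64
       5       400 ACCEPT     tcp      eth0   *       ::/0                 ::/0                 tcp dpt:22'

# Constructed sample kernel log, one line from the LOG rule plus noise.
SAMPLE_KLOG='[ 1234.567890] ESP-IN: IN=eth0 OUT= SRC=fe80:0000:0000:0000:0042:acff:fe10:ee03 DST=fe80:0000:0000:0000:0042:acff:fe10:ee04 LEN=88 HOPLIMIT=64 PROTO=ESP SPI=0x222
[ 1234.600000] some unrelated kernel message'

# Self-check on the samples; runs without root or ip6tables installed.
printf '%s\n' "$SAMPLE_COUNTERS" | esp_drop_hits   # prints 3
printf '%s\n' "$SAMPLE_KLOG" | esp_log_hits        # prints 1
```

On the real host, run install_esp_drop_rules, send the scapy packet, then pipe `ip6tables -L INPUT -v -n -x` into esp_drop_hits and `dmesg` into esp_log_hits.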

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.