How to block incoming ESP traffic with ip6tables


I would like to test my firewall configuration when IPsec traffic is received on my host, and I also would like to know how to handle it (drop it at first).

For testing reasons, I have deployed two containers (with IPv6 enabled) and then I am creating an ESP packet with the use of scapy (taken from: https://github.com/secdev/scapy/blob/master/test/ipsec.uts#L2730):

from scapy.all import IPv6, TCP, Raw, raw
from scapy.layers.ipsec import SecurityAssociation, ESP

# Inner packet: IPv6 + TCP + payload, addressed to the other container
p = IPv6()
p.dst = "fe80::42:acff:fe10:ee04"
p /= TCP(sport=45012, dport=80)
p /= Raw(b'testdata')
p = IPv6(raw(p))  # rebuild so all lengths/checksums are computed

# Transport-mode ESP SA with NULL encryption and NULL authentication
sa = SecurityAssociation(ESP, spi=0x222, crypt_algo='NULL', crypt_key=None, auth_algo='NULL', auth_key=None)
e = sa.encrypt(p)  # e is the ESP-encapsulated packet to send

I would like to add a firewall rule that shall drop this packet.

My current configuration is:

# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d fe80::42:acff:fe10:ee04/64 -i eth0 -p esp -j DROP
-A INPUT -d fe80::/64 -i eth0 -p esp -j DROP
-A INPUT -m ipv6header --header esp --soft -j DROP

I also tried this but it fails:

# ip6tables -A INPUT -m esp --espspi 546 -j DROP
ip6tables: Invalid argument. Run `dmesg' for more information.

However, I haven't yet found a way to do this. My tcpdump shows that the packet is received:

# tcpdump -i eth0 dst fe80::42:acff:fe10:ee04 -vvv
14:16:33.971545 IP6 (hlim 64, next-header ESP (50) payload length: 40) fe80::42:acff:fe10:ee03 > b4f9f118b0e7: ESP(spi=0x00000222,seq=0x1), length 40

Some important information:

# uname -r
5.0.8-1.el7.elrepo.x86_64
# cat /etc/system-release
CentOS Linux release 7.5.1804 (Core)
# ip6tables -V
ip6tables v1.4.21
asked on Server Fault Apr 23, 2019 by belabrinel

1 Answer


You can't use tcpdump to determine whether the firewall is working, because it receives packets before iptables processes them.

Instead, you can write iptables rules that log the traffic of interest, or you can check the rule hit counters for each rule to see if traffic is hitting them.

answered on Server Fault Apr 23, 2019 by Michael Hampton
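Added example of the counter check the answer recommends (not the answerer's or the asker's code): zero the INPUT counters, send the scapy test packet, then read the per-rule packet counts back and look at the rules whose protocol column is `esp`. The `ip6tables -vnx -L INPUT` output embedded below is constructed for this example; on the real host the function is fed the live output instead.

```shell
#!/bin/sh
# Workflow on the firewall host (needs root):
#   ip6tables -Z INPUT       # zero the hit counters
#   (send the scapy ESP test packet from the other container)
#   ip6tables -vnx -L INPUT  # read exact counters back
# The sample output below is CONSTRUCTED for this example.
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 1203 packets, 98344 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      264 DROP       esp    --  eth0   *       ::/0                 fe80::/64
       0        0 DROP       all    --  *      *       ::/0                 ::/0                 ipv6header flag:esp soft'

# esp_rule_hits <ip6tables -vnx -L output>
# Prints the summed packet counter of every rule whose prot column is "esp".
# Lines 1-2 are the chain banner and the column header, so they are skipped.
esp_rule_hits() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $4 == "esp" { total += $1 }
        END { print total + 0 }'
}

# esp_drop_confirmed <output>: succeeds only if some ESP rule was actually hit
esp_drop_confirmed() {
    [ "$(esp_rule_hits "$1")" -gt 0 ]
}

esp_rule_hits "$SAMPLE_COUNTERS"
```

If the ESP rules stay at zero while tcpdump still sees the packet, the packet is reaching the interface but not matching the rule, which is the situation the answer describes.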

User contributions licensed under CC BY-SA 3.0