
I would like to test my firewall configuration when IPsec traffic is received on my host, and I also would like to know how to handle it (drop it at first).

For testing reasons, I have deployed two containers (with ipv6 enabled) and then I am creating an ESP packet with the use of scapy (taken from: https://github.com/secdev/scapy/blob/master/test/ipsec.uts#L2730):

# imports (the snippet as posted relies on scapy's layers being loaded already)
from scapy.all import IPv6, TCP, Raw, raw, SecurityAssociation, ESP, send

p = IPv6()
p.dst = "fe80::42:acff:fe10:ee04"   # link-local address of the receiving container
p /= TCP(sport=45012, dport=80)
p /= Raw(b'testdata')              # bytes, not str, so scapy does not have to re-encode it
p = IPv6(raw(p))                   # rebuild from bytes so lengths and checksums are filled in
# NULL cipher and NULL integrity: the ESP envelope is present but carries no protection
sa = SecurityAssociation(ESP, spi=0x222, crypt_algo='NULL', crypt_key=None, auth_algo='NULL', auth_key=None)
e = sa.encrypt(p)                  # wraps the TCP segment in an ESP header (next-header 50)
send(e)                            # transmit it to the other container

I would like to add a firewall rule that shall drop this packet.

My current configuration is:

# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -d fe80::42:acff:fe10:ee04/64 -i eth0 -p esp -j DROP
-A INPUT -d fe80::/64 -i eth0 -p esp -j DROP
-A INPUT -m ipv6header --header esp --soft -j DROP

I also tried this but it fails:

# ip6tables -A INPUT -m esp --espspi 546 -j DROP
ip6tables: Invalid argument. Run `dmesg' for more information.

However, I haven't yet found a way to do this. My tcpdump shows that the packet is received:

# tcpdump -i eth0 dst fe80::42:acff:fe10:ee04 -vvv
14:16:33.971545 IP6 (hlim 64, next-header ESP (50) payload length: 40) fe80::42:acff:fe10:ee03 > b4f9f118b0e7: ESP(spi=0x00000222,seq=0x1), length 40

Some important information:

# uname -r
5.0.8-1.el7.elrepo.x86_64
# cat /etc/system-release
CentOS Linux release 7.5.1804 (Core)
# ip6tables -V
ip6tables v1.4.21
belabrinel
  • Why do you think the packet isn't being dropped? – Michael Hampton Apr 23 '19 at 15:14
  • Because tcpdump on the interface still lists the packet. Shouldn't it be blank? – belabrinel Apr 23 '19 at 15:22
  • tcpdump always shows incoming traffic, because it's picked up before the firewall processes it. You have to check the iptables rule counters to see if the rules are getting hit. Or you can write iptables rules that write log entries, and then check the log. – Michael Hampton Apr 23 '19 at 15:24
  • I use ulogd and chain LOGGING in my original design. When I check the `/var/log/ulogd/ulogd.log` file, it doesn't contain any dropped packets... Also, `Chain LOGGING (0 references)` – belabrinel Apr 23 '19 at 15:38
  • I rechecked after new test and the hit counts increased! However, again the ulogd.log doesn't contain anything. – belabrinel Apr 23 '19 at 15:42
  • The LOGGING chain has 0 references, i.e. no iptables rules point there. That's why it is not being hit. – Michael Hampton Apr 23 '19 at 15:43
  • Thank you @MichaelHampton! Using tcpdump for verification was wrong!!! – belabrinel Apr 23 '19 at 15:55

1 Answer


You can't use tcpdump to determine whether the firewall is working, because it receives packets before iptables processes them.

Instead, you can write iptables rules that log the traffic of interest, or you can check the rule hit counters for each rule to see if traffic is hitting them.

Michael Hampton
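The two checks the answer recommends, reading the per-rule hit counters and noticing a chain that no rule jumps to, as an added Python example; it is not part of the question or the answer and not iptables' own tooling. It parses `ip6tables -vnL` output captured before and after sending the test packet. Both snapshots below are constructed to mirror the question's ruleset (two ESP DROP rules, one ipv6header rule, and a LOGGING chain with 0 references); the K/M/G counter suffixes are assumed to be iptables' thousands-based abbreviations.

```python
import re

# Constructed sample output of `ip6tables -vnL` (not captured from the question's host).
ESP_DROP = "    0     0 DROP       esp    --  eth0   *       ::/0                 fe80::/64"
BEFORE = "\n".join([
    "Chain INPUT (policy ACCEPT 120 packets, 9600 bytes)",
    " pkts bytes target     prot opt in     out     source               destination",
    ESP_DROP,
    ESP_DROP,
    "    0     0 DROP       all    --  *      *       ::/0                 ::/0                 ipv6header flags:esp soft",
    "",
    "Chain LOGGING (0 references)",
    " pkts bytes target     prot opt in     out     source               destination",
    '    0     0 LOG        all    --  *      *       ::/0                 ::/0                 LOG flags 0 level 4 prefix "DROP: "',
])
# Snapshot taken after the test ESP packet: only the first ESP rule's counters moved.
AFTER = BEFORE.replace(ESP_DROP, ESP_DROP.replace("    0     0 DROP", "    1    88 DROP"), 1)

_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|(\d+) references)\)")
_NUM_RE = re.compile(r"^(\d+)([KMG])?$")
_SCALE = {None: 1, "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}


def parse_num(tok):
    """Counters are abbreviated (e.g. 12K) once they grow; expand them to integers."""
    m = _NUM_RE.match(tok)
    if not m:
        raise ValueError("bad counter: %r" % tok)
    return int(m.group(1)) * _SCALE[m.group(2)]


def parse_counters(text):
    """Return {chain: {"policy": str|None, "references": int|None, "rules": [rule dicts]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.group(1), m.group(2), m.group(5)
            current = {"policy": policy, "references": int(refs) if refs else None, "rules": []}
            chains[name] = current
            continue
        if line.lstrip().startswith("pkts "):
            continue  # column header
        # -vnL row layout: pkts bytes target prot opt in out source destination [match text]
        f = line.split(None, 9)
        current["rules"].append({
            "pkts": parse_num(f[0]), "bytes": parse_num(f[1]), "target": f[2],
            "prot": f[3], "in": f[5], "dst": f[8], "extra": f[9] if len(f) > 9 else "",
        })
    return chains


def rules_hit(before_text, after_text):
    """(chain, rule_no, target, delta_pkts, prot, extra) for every rule whose counter grew.
    rule_no is 1-based, matching `--line-numbers`. Assumes no rules were added or
    removed between the two snapshots, since rules are matched by position."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    hits = []
    for chain, data in after.items():
        old_rules = before.get(chain, {"rules": []})["rules"]
        for i, rule in enumerate(data["rules"]):
            old = old_rules[i]["pkts"] if i < len(old_rules) else 0
            delta = rule["pkts"] - old
            if delta > 0:
                hits.append((chain, i + 1, rule["target"], delta, rule["prot"], rule["extra"]))
    return hits


def unreferenced_chains(text):
    """User-defined chains nothing jumps to: their LOG/DROP rules can never fire."""
    return sorted(name for name, data in parse_counters(text).items() if data["references"] == 0)


def verify_drop(before_text, after_text, proto="esp"):
    """True if a DROP rule that can match the test packet's protocol fired."""
    return any(target == "DROP" and prot in (proto, "all")
               for _, _, target, _, prot, _ in rules_hit(before_text, after_text))


if __name__ == "__main__":
    for chain, no, target, delta, prot, extra in rules_hit(BEFORE, AFTER):
        print("%s rule %d (%s %s %s): +%d packet(s)" % (chain, no, target, prot, extra, delta))
    for chain in unreferenced_chains(AFTER):
        print("warning: chain %s has 0 references, so its rules never see traffic" % chain)
    print("test packet dropped:", verify_drop(BEFORE, AFTER))
```

On a real host, capture the two snapshots with `ip6tables -vnL > before.txt`, send the scapy packet, then `ip6tables -vnL > after.txt`, and feed the file contents to `rules_hit`; the `0 references` warning is exactly the condition noted in the comments, where a LOGGING chain existed but no rule jumped to it. With the verdict tied to counters rather than to tcpdump, the "packet still visible" confusion from the question cannot occur.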