Книга: Iptables Tutorial 1.2.2
AH/ESP match
AH/ESP match
These matches are used for the IPSEC AH and ESP protocols. IPSEC is used to create secure tunnels over an insecure Internet connection. The AH and ESP protocols are used by IPSEC to create these secure connections. The AH and ESP matches are really two separate matches, but are both described here since they look very much alike, and both are used in the same function.
I will not go into detail to describe IPSEC here, instead look at the following pages and documents for more information:
• RFC 2401 - Security Architecture for the Internet Protocol
• Linux Advanced Routing and Traffic Control HOW-TO
There is also a ton more documentation on the Internet on this, but you are free to look it up as needed.
To use the AH/ESP matches, you need to use -m ah to load the AH matches, and -m esp to load the ESP matches.
Note In 2.2 and 2.4 kernels, Linux used something called FreeS/WAN for the IPSEC implementation, but as of Linux kernel 2.5.47 and up, Linux kernels have a direct implementation of IPSEC that requires no patching of the kernel. This is a total rewrite of the IPSEC implementation on Linux.
Table 10-8. AH match options
| Match | --ahspi |
| Kernel | 2.5 and 2.6 |
| Example | iptables -A INPUT -p 51 -m ah --ahspi 500 |
| Explanation | This matches the AH Security Parameter Index (SPI) number of the AH packets. Please note that you must specify the protocol as well, since AH runs on a different protocol than the standard TCP, UDP or ICMP protocols. The SPI number is used in conjunction with the source and destination address and the secret keys to create a security association (SA). The SA uniquely identifies each and every one of the IPSEC tunnels to all hosts. The SPI is used to uniquely distinguish each IPSEC tunnel connected between the same two peers. Using the --ahspi match, we can match a packet based on the SPI of the packets. This match can match a whole range of SPI values by using a : sign, such as 500:520, which will match the whole range of SPI's. |
Table 10-9. ESP match options
| Match | --espspi |
| Kernel | 2.5 and 2.6 |
| Example | iptables -A INPUT -p 50 -m esp --espspi 500 |
| Explanation | The ESP counterpart Security Parameter Index (SPI) is used exactly the same way as the AH variant. The match looks exactly the same, with the esp/ah difference. Of course, this match can match a whole range of SPI numbers as well as the AH variant of the SPI match, such as --espspi 200:250 which matches the whole range of SPI's. |
Оглавление книги
- Addrtype match
- AH/ESP match
- Comment match
- Connmark match
- Conntrack match
- Dscp match
- Ecn match
- Hashlimit match
- Helper match
- IP range match
- Length match
- Limit match
- Mac match
- Mark match
- Multiport match
- Owner match
- Packet type match
- Realm match
- Recent match
- State match
- Tcpmss match
- Tos match
- Ttl match
- Unclean match
- Чему посвящен сайт
- Использование объектов Excel
- Distributing the Documentation
- Простой пример реализации контроллера
- Трудный клиент – это ваш учитель
- Функция Фото экрана
- Декларативная безопасность
- 16.3.6. Установка домашней страницы
- Способы интеграции графики с кодом пользовательского интерфейса
- Глава шестая Средства воздействия
- Запутанность
- 7.7.7. Некоторые комментарии