How to match IPsec with iptables rules

Intro

Here is an example showing how to allow the SMB protocol only through IPsec on a server using netfilter rules. The policy match (-m policy --dir in/out --pol ipsec) is used to match packets that are covered by an IPsec policy. Note that iptables evaluates a chain from top to bottom and -A appends, so the ACCEPT rules carrying the IPsec policy match must be added before the unconditional DROP rules for the same ports.

Network Diagram

Netfilter Rules

#INPUT
##ACCEPT
iptables -A INPUT -d 192.168.1.200 -p udp --match multiport --dport 137,138 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -d 192.168.1.200 -p tcp --match multiport --dport 139,445,137 -m policy --dir in --pol ipsec -j ACCEPT
##DROP smb if not through IPsec
iptables -A INPUT -d 192.168.1.200 -p udp --match multiport --dport 137,138 -j DROP
iptables -A INPUT -d 192.168.1.200 -p tcp --match multiport --dport 139,445,137 -j DROP

#OUTPUT
##ACCEPT
iptables -A OUTPUT -s 192.168.1.200 -p tcp --match multiport --sport 139,445,137 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A OUTPUT -s 192.168.1.200 -p udp --match multiport --sport 137,138 -m policy --dir out --pol ipsec -j ACCEPT
##DROP smb if not through IPsec
iptables -A OUTPUT -s 192.168.1.200 -p tcp --match multiport --sport 139,445,137 -j DROP
iptables -A OUTPUT -s 192.168.1.200 -p udp --match multiport --sport 137,138 -j DROP
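As an added example that is not part of the original article, the rule set above generalised to any server address, emitted by a small POSIX sh script together with a check of the one ordering invariant it depends on (the ACCEPT with the IPsec policy match must precede the unconditional DROP for the same chain, protocol and ports). The script only prints the iptables commands; the 10.0.0.5 address used for checking is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: builds the SMB-over-IPsec
# rule set for any server address and checks the ordering the rules depend on.
# iptables walks a chain top to bottom and -A appends, so the "-m policy --pol
# ipsec" ACCEPT must be listed before the unconditional DROP for the same
# chain, protocol and port list, or SMB over IPsec is dropped as well.

SMB_UDP="137,138"        # NetBIOS name/datagram services
SMB_TCP="139,445,137"    # NetBIOS session and SMB over TCP (port list as on the page)

# smb_ipsec_rules HOST -> prints the iptables commands, does not execute them
smb_ipsec_rules() {
    host="$1"
    for chain in INPUT OUTPUT; do
        if [ "$chain" = INPUT ]; then
            addr="-d $host"; dir=in;  portflag=--dport
        else
            addr="-s $host"; dir=out; portflag=--sport
        fi
        # ACCEPT only when the packet is covered by an IPsec policy
        echo "iptables -A $chain $addr -p udp -m multiport $portflag $SMB_UDP -m policy --dir $dir --pol ipsec -j ACCEPT"
        echo "iptables -A $chain $addr -p tcp -m multiport $portflag $SMB_TCP -m policy --dir $dir --pol ipsec -j ACCEPT"
        # anything else reaching the SMB ports is dropped
        echo "iptables -A $chain $addr -p udp -m multiport $portflag $SMB_UDP -j DROP"
        echo "iptables -A $chain $addr -p tcp -m multiport $portflag $SMB_TCP -j DROP"
    done
}

# check_order <rules on stdin> -> exit 0 if every DROP is preceded by a
# policy-matched ACCEPT for the same chain/protocol/port list, else exit 1
check_order() {
    awk '
        { key = $3 " " $7 " " $11 }                       # chain, proto, port list
        /--pol ipsec/ && $NF == "ACCEPT" { seen[key] = 1 }
        $NF == "DROP" && !seen[key] { bad++; print "DROP before IPsec ACCEPT: " $0 }
        END { exit bad ? 1 : 0 }
    '
}

# Demo: print the rules for the address given as $1 (default as on the page) and verify them
rules=$(smb_ipsec_rules "${1:-192.168.1.200}")
printf '%s\n' "$rules"
printf '%s\n' "$rules" | check_order && echo "rule order OK"
```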
Licence Creative Commons
This website http://shebangthedolphins.net is licensed to the public under a Creative Commons Attribution licence.