
How to match IPsec with iptables rules

Intro

Here is an example showing how to allow the SMB protocol only through IPsec on a server using netfilter (iptables) rules. We will use the policy match (-m policy --pol ipsec) to match packets that were received or sent through an IPsec security association; SMB packets on the cleartext path are then dropped by the rules that follow.

Network Diagram

Netfilter Rules

#INPUT
##ACCEPT
iptables -A INPUT -d 192.168.1.200 -p udp --match multiport --dport 137,138 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -d 192.168.1.200 -p tcp --match multiport --dport 139,445,137 -m policy --dir in --pol ipsec -j ACCEPT
##DROP smb if not through IPsec
iptables -A INPUT -d 192.168.1.200 -p udp --match multiport --dport 137,138 -j DROP
iptables -A INPUT -d 192.168.1.200 -p tcp --match multiport --dport 139,445,137 -j DROP

#OUTPUT
##ACCEPT
iptables -A OUTPUT -s 192.168.1.200 -p tcp --match multiport --sport 139,445,137 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A OUTPUT -s 192.168.1.200 -p udp --match multiport --sport 137,138 -m policy --dir out --pol ipsec -j ACCEPT
##DROP smb if not through IPsec
iptables -A OUTPUT -s 192.168.1.200 -p tcp --match multiport --sport 139,445,137 -j DROP
iptables -A OUTPUT -s 192.168.1.200 -p udp --match multiport --sport 137,138 -j DROP
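The same rule set as a re-runnable script, added here as an example and not part of the original post. It assumes the server address (192.168.1.200 above) is passed as the first argument, and it adds ESP and IKE (udp 500/4500) ACCEPT rules that the post does not show, since an IPsec SA has to be negotiated before any SMB packet can match --pol ipsec.

```shell
#!/bin/sh
# Added example, not from the original post: applies the post's SMB-over-IPsec
# policy for a given server address without stacking duplicate rules on re-runs.
# The ESP/IKE ACCEPT rules are an assumption of this example (the post does not
# show them); without them no SA is negotiated and every SMB packet hits DROP.
IPT="${IPT:-iptables}"      # override with IPT=echo for a dry run
SMB_TCP="139,445,137"
SMB_UDP="137,138"

# rule CHAIN ARGS... : append only if the identical rule is not already present.
rule() {
    chain="$1"; shift
    "$IPT" -C "$chain" "$@" 2>/dev/null || "$IPT" -A "$chain" "$@"
}

# smb_ipsec_rules SERVER_IP : same ordering as the post. The ACCEPT rules match
# only packets that went through an IPsec SA (-m policy --pol ipsec); the
# unconditional DROP rules for the same ports follow, so a cleartext SMB
# packet never matches the ACCEPT and falls through to DROP.
smb_ipsec_rules() {
    srv="$1"
    # IKE (udp 500, and 4500 for NAT-T) and ESP itself; assumption, see above.
    rule INPUT  -d "$srv" -p udp -m multiport --dports 500,4500 -j ACCEPT
    rule INPUT  -d "$srv" -p esp -j ACCEPT
    rule OUTPUT -s "$srv" -p udp -m multiport --sports 500,4500 -j ACCEPT
    rule OUTPUT -s "$srv" -p esp -j ACCEPT
    # INPUT: SMB to the server only through IPsec
    rule INPUT -d "$srv" -p udp -m multiport --dports "$SMB_UDP" -m policy --dir in --pol ipsec -j ACCEPT
    rule INPUT -d "$srv" -p tcp -m multiport --dports "$SMB_TCP" -m policy --dir in --pol ipsec -j ACCEPT
    rule INPUT -d "$srv" -p udp -m multiport --dports "$SMB_UDP" -j DROP
    rule INPUT -d "$srv" -p tcp -m multiport --dports "$SMB_TCP" -j DROP
    # OUTPUT: replies from the SMB ports likewise only through IPsec
    rule OUTPUT -s "$srv" -p tcp -m multiport --sports "$SMB_TCP" -m policy --dir out --pol ipsec -j ACCEPT
    rule OUTPUT -s "$srv" -p udp -m multiport --sports "$SMB_UDP" -m policy --dir out --pol ipsec -j ACCEPT
    rule OUTPUT -s "$srv" -p tcp -m multiport --sports "$SMB_TCP" -j DROP
    rule OUTPUT -s "$srv" -p udp -m multiport --sports "$SMB_UDP" -j DROP
}

# Usage: sh smb_ipsec.sh 192.168.1.200
if [ -n "${1:-}" ]; then
    smb_ipsec_rules "$1"
fi
```

The DROP rules rely on chain order; -m policy --pol none would match the cleartext SMB packets explicitly instead, which is easier to audit in a long chain.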
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
