On 09/07/2015 07:31 PM, Noel Kuntze wrote:
>> The distribution which I have used did not have ebtables-save and
>> ebtables-restore scripts.
>> Strange enough: http://packages.ubuntu.com/precise/amd64/ebtables/filelist
>> I agree with your points. I think my script can be useful to initialize the
Hello Vitaly,
> But I need to have similar rules for other RFC1918 networks? I thought that
> one rule is enough if IPsec-based VPN network is known.
You need to shunt every network that is reachable through the tunnel.
> Agree with you. But s
Hello,
2015-09-07 17:54 GMT+03:00 Vitaly Repin:
>
> Something like this (but of course with ipsets) :
>
> iptables -A FORWARD -d 10.0.0.0/8 -j LOG --log-level info
> --log-prefix "IPTABLES-BLKO"
> iptables -A FORWARD -d 10.0.0.0/8 -j DROP
>
> ?
>
> Have not had opportunity to test this idea ye
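The rule idea quoted above, combined with Noel's criterion (no matching IPsec policy, RFC1918 destination, packet leaving the WAN interface), written out as an added example that is not from this thread or from any of its participants. It generates iptables commands using the policy match rather than applying them; the interface name eth0 and the log prefix are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): block and log "leaking" packets, i.e.
# packets bound for RFC1918 space that would leave the WAN interface without
# a matching IPsec policy. Uses the iptables policy match (-m policy).
# The WAN interface name and the log prefix are placeholders/assumptions.

RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the iptables commands for one WAN interface. Nothing is applied here,
# so the output can be reviewed first and then piped to sh on the gateway.
leak_block_rules() {
    wan="$1"
    for net in $RFC1918_NETS; do
        # Traffic leaving $wan toward $net with NO IPsec policy attached is the
        # leak: log it first (for detection), then drop it.
        printf '%s\n' "iptables -A FORWARD -o $wan -d $net -m policy --dir out --pol none -j LOG --log-prefix \"IPSEC-LEAK: \" --log-level info"
        printf '%s\n' "iptables -A FORWARD -o $wan -d $net -m policy --dir out --pol none -j DROP"
    done
}

# Count the DROP rules in a generated rule set (one per RFC1918 block).
count_drop_rules() {
    leak_block_rules "$1" | grep -c -- '-j DROP'
}

# Constructed usage: show the rules for a WAN interface named eth0.
leak_block_rules "eth0"
```

Packets that do match an IPsec policy (`--pol ipsec`) are untouched by these rules, so tunnel traffic keeps flowing while anything that would escape in clear text toward a private range is logged and dropped.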
Hello,
Thanks a lot for your criticisms. I am rewriting an article now and
have some questions about your points.
2015-07-31 16:49 GMT+03:00 Noel Kuntze:
> You should drop all packets with no matching IPsec policy,
> if their target is an RFC1918 address space and the interface
> the packet go
Hello Vitaly,
I read through your post and have criticism for you:
You should drop all packets with no matching IPsec policy,
if their target is an RFC1918 address space and the interface
the packet goes out of is attached to the WAN.
The reason
Hello,
I've recently faced an issue with packet leakage from the clients
connected through IPSEC. (The packets addressed to the VPN address space
were "leaking" through the external interface).
The problem is now solved and I've documented the complete solution here:
http://vrepin.org/vr/IPsec-PacketLeakag