On 12/13/2017 08:55 AM, Tom Eastep wrote:

> On 12/13/2017 08:47 AM, cac...@quantum-sci.com wrote:
>> On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>>> I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)
>>>
>>> At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
>>> SSH tunneled from another machine).
>>>
>>> Rather than flanging those ports directly to the outside interface in
>>> the router, I'm hoping for a little added protection by listening on
>>> localhost, and then DNATing from the outside interface.
>>>
>>> - Does this give any added protection?
>>>
>>> - Does DNAT even work with UDP?  If not, what can I do?
>>>
>>> - Is there a better way?
>>>
>> Can anyone advise?
>>
>> I have many problems already, trying to get ipsec working.  Trying to
>> anticipate this one.
>>
> I believe it adds additional complexity with no benefit to security. But
> to answer your other question, UDP can be DNATted; that is why IPSEC Nat
> Traversal encapsulates the ESP packets in UDP (port 4500).
>
> -Tom
Ah, good to know.  I'd previously found that I cannot encapsulate DNS
in a reverse SSH tunnel, as SSH cannot do UDP, so I wasn't sure whether
that also applies to DNAT.

But I now find that trying to reverse SSH tunnel my IPSec ports from the
left VM to the router will not work for the same reason -- they are
both UDP.

Is there a way to use Shorewall to get my ipsec ports from one KVM VM
to another's outside interface?

I have designated a VM as the ipsec server because, in case it's
compromised, I'd rather it be a minimal CentOS VM than my router.
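As an added illustration of what Tom describes (UDP can be DNATted, so the SSH tunnel is not needed), here is a Shorewall rules-file entry that forwards IKE (UDP 500) and NAT-T (UDP 4500) arriving on the router's outside interface straight to the IPsec VM. This is not from the thread or from the Shorewall project's documentation; the zone names `net` and `loc` and the VM address 10.0.0.5 are assumptions, so substitute the zone that holds the KVM bridge and the VM's real address.

```text
# /etc/shorewall/rules  (added example; zone names and VM address are assumed)
#ACTION    SOURCE    DEST              PROTO    DPORT
# IKE and NAT-T from the outside interface, rewritten to the IPsec VM.
# DNAT in Shorewall also generates the ACCEPT, so no separate net->loc
# ACCEPT for these ports is needed.
DNAT       net       loc:10.0.0.5      udp      500,4500
```

Only the UDP rule is required: once NAT-T is negotiated, ESP travels inside UDP 4500, so there is no need to forward IP protocol 50 as well, and the IPsec VM still sees the real client address because DNAT rewrites only the destination. Run `shorewall check` before `shorewall restart`, and `shorewall show nat` afterwards to confirm the DNAT entry is in the nat table. As a caveat that supports Tom's point about the localhost detour, the kernel will not deliver forwarded packets DNATted to 127.0.0.1 unless `net.ipv4.conf.<outside-if>.route_localnet` is set to 1, so forwarding directly to the VM is both simpler and less surprising.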
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users