2014-10-06 22:02 GMT+03:00 Steve Clark <sclark at netwolves.com>:

> On 10/06/2014 02:00 PM, Eero Volotinen wrote:
>
>> Hi List,
>>
>> Is there an easy way to get klips ipsec stack into centos 6? As it makes
>> firewalling ipsec traffic much easier..
>>
>> Eero
>>
> Hi Eero,
>
> If you are only concerned about firewalling incoming traffic why would you
> need more than:
> -A INPUT -p udp -s peerip/32 --sport 500 -d yourip/32 --dport 500 -j ACCEPT
> -A INPUT -p esp -s peerip/32 -d yourip/32 -j ACCEPT
>

Also need to filter outgoing ipsec traffic and it's a bit complex on netkey
stack?

--
Eero