On 10/06/2014 03:08 PM, Eero Volotinen wrote:
> 2014-10-06 22:02 GMT+03:00 Steve Clark <sclark at netwolves.com>:
>
>> On 10/06/2014 02:00 PM, Eero Volotinen wrote:
>>
>>> Hi List,
>>>
>>> Is there an easy way to get the klips ipsec stack into centos 6? As it makes
>>> firewalling ipsec traffic much easier..
>>>
>>> Eero
>>>
>> Hi Eero,
>>
>> If you are only concerned about firewalling incoming traffic why would you
>> need more than:
>> -A INPUT -p udp -s peerip/32 --sport 500 -d yourip/32 --dport 500 -j ACCEPT
>> -A INPUT -p esp -s peerip/32 -d yourip/32 -j ACCEPT
>>
>>
> Also need to filter outgoing ipsec traffic and it's a bit complex on the netkey
> stack?
>
> --

Hi Eero,

We are using ipsec-tools which is based on netkey. I am not sure I see the issue.
Why wouldn't the above rules work with those below:

-A OUTPUT -o ethx -p udp -s yourip/32 --sport 500 -d peerip/32 --dport 500 -j ACCEPT
-A OUTPUT -o ethx -p esp -s yourip/32 -d peerip/32 -j ACCEPT

If you only want the rules against a certain interface.

--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
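The rules exchanged above, collected into one reviewable ruleset, as an added example that is not part of the thread and not Steve's or NetWolves' own script. The first function emits exactly the INPUT/OUTPUT pairs for IKE (UDP 500) and ESP between two hosts on one interface; the second goes beyond the thread and covers the two things that usually make outbound filtering on netkey feel complex: IKE NAT traversal on UDP 4500, and the fact that on netkey the decrypted inner packets re-traverse the filter on the same interface, so they are matched with `-m policy` (xt_policy, assumed available in the kernel; the tunnel-mode assumption is stated in the comments). The script only prints rules, so it can be diffed and reviewed before anything is loaded; the addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules for one
# IPsec peer as a dry run: nothing is applied, lines are printed for review.
# Arguments are placeholders; substitute your own address, peer and interface.

# ipsec_rules <your-ip> <peer-ip> <iface>
# Prints the four rules from the thread: accept IKE (UDP 500) and ESP in both
# directions between the two hosts, bound to the given interface.
ipsec_rules() {
    yourip="$1"; peerip="$2"; iface="$3"
    printf '%s\n' \
      "-A INPUT -i $iface -p udp -s $peerip/32 --sport 500 -d $yourip/32 --dport 500 -j ACCEPT" \
      "-A INPUT -i $iface -p esp -s $peerip/32 -d $yourip/32 -j ACCEPT" \
      "-A OUTPUT -o $iface -p udp -s $yourip/32 --sport 500 -d $peerip/32 --dport 500 -j ACCEPT" \
      "-A OUTPUT -o $iface -p esp -s $yourip/32 -d $peerip/32 -j ACCEPT"
}

# ipsec_policy_rules <your-ip> <peer-ip> <iface>
# Extension beyond the thread (assumptions: xt_policy is available and the SA
# is in tunnel mode). NAT-T moves IKE and ESP-in-UDP to port 4500 when a NAT
# sits between the peers. On netkey the decrypted inner packets are seen by
# the filter again on the same interface, so plain -p/-s/-d rules cannot tell
# "came out of the tunnel with this peer" from cleartext; -m policy with the
# outer tunnel endpoints pins the decrypted traffic to this specific SA.
ipsec_policy_rules() {
    yourip="$1"; peerip="$2"; iface="$3"
    printf '%s\n' \
      "-A INPUT -i $iface -p udp -s $peerip/32 --sport 4500 -d $yourip/32 --dport 4500 -j ACCEPT" \
      "-A OUTPUT -o $iface -p udp -s $yourip/32 --sport 4500 -d $peerip/32 --dport 4500 -j ACCEPT" \
      "-A INPUT -i $iface -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $peerip --tunnel-dst $yourip -j ACCEPT" \
      "-A OUTPUT -o $iface -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-src $yourip --tunnel-dst $peerip -j ACCEPT"
}

# count_rules <generator> <args...>: number of rule lines a generator prints,
# a cheap sanity check before the output is fed to iptables-restore.
count_rules() {
    "$@" | wc -l | tr -d ' '
}

# Usage: review the printed rules, then load them with iptables-restore or
# one "iptables <line>" call per line (not done here).
ipsec_rules 192.0.2.1 198.51.100.1 eth0
ipsec_policy_rules 192.0.2.1 198.51.100.1 eth0
```

The `-m policy` rules deliberately carry the outer tunnel endpoints rather than accepting everything that was merely decrypted; without `--tunnel-src`/`--tunnel-dst`, any peer with an established SA would be accepted by the same rule, which is the permissive default that makes netkey filtering easy to get wrong.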