I have set up strongSwan for an IPsec connection (remote Win10 to my Linux router). IPsec does not have an interface by default, but I don't want to risk exposing VPN traffic on my WAN interface. So I set up a VTI interface with a mark (https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Configuration) and I see traffic going through this virtual interface and not WAN. But there is still some traffic going through the WAN interface. tcpdump on WAN (10.1.0.2 is the Win10 client):
IP 10.1.0.2.137 > 255.255.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
IP 10.1.0.2.137 > 255.255.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
IP 10.1.0.2.137 > 255.255.255.255.137: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
IP 10.1.0.2.54995 > 239.255.255.250.3702: UDP, length 1072
IP 10.1.0.2.53313 > 239.255.255.250.1900: UDP, length 137
IP 10.1.0.2.54995 > 239.255.255.250.3702: UDP, length 1072
A private LAN sending packets to the ISP interface is really bad. These packets are neither marked nor have an IPsec policy applied (iptables -A INPUT/OUTPUT/FORWARD -m policy --dir in/out --pol ipsec -j LOG-DROP-IPSEC
does not see them). Filtering by source
iptables -t mangle -A POSTROUTING -s 10.1.0.2 -j LOG-DROP-IPSEC
has no effect.
These packets actually seem to go to the WAN network: journalctl -k
...
... host *.*.*.*/if2 ignores redirects for 10.1.0.2 to 10.1.0.2
...
Where are these packets injected so that mangle POSTROUTING misses them, and how can I block them?
0 Answers