I have a docker swarm with encrypted network and would like to use cloud firewall but I don’t know how to enable IP Protocol 50 and 51 (ESP, AH) on the firewall. Is it even possible?


2 answers

The first answer to the question is faulty: Port 50 (UDP/TCP) is NOT the same as ESP Protocol 50. To allow for IPSec passthrough, the DigitalOcean Cloud Firewalls would need to support ESP Protocol 50 - which they don’t.

It is an important feature of any firewall, to allow for setting up point-to-point IPSec between two servers, and DigitalOcean should have implemented this a long time ago in my view. It’s a little embarrassing for them to not offer this feature in 2020.

If you feel the same, and want to vote for this to be supported, please vote for this idea ticket: https://ideas.digitalocean.com/ideas/DO-I-2955
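To make the port-versus-protocol distinction in this answer concrete, here is an added example (not from the answerer or from DigitalOcean) that builds two constructed IPv4 packets, one carrying TCP to destination port 50 and one carrying ESP (IP protocol 50), and runs a tiny model of an iptables match against them. The protocol number lives in the IP header; a port only exists inside a TCP/UDP header, so ESP and AH packets have no port at all and a "port 50" rule can never match them.

```python
import struct

# IANA-assigned IP protocol numbers (not page-specific values)
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal 20-byte IPv4 header (no options, checksum left at 0) + payload.
    Byte 9 of the header is the Protocol field that `-p esp` / `-p ah` match on."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def tcp_payload(sport, dport):
    """Minimal TCP header: ports, seq, ack, data-offset=5, SYN flag, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp_payload(spi, seq):
    """ESP header is just SPI + sequence number; what follows is (constructed) ciphertext.
    There is no port field anywhere in it."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def parse_packet(pkt):
    """Return the IP protocol and, only for TCP/UDP, the destination port."""
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    proto = pkt[9]
    info = {"proto": proto, "dport": None}
    if proto in (PROTO_TCP, PROTO_UDP):            # ports exist only in these headers
        info["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return info


def matches(rule, pkt):
    """Model of an iptables match. rule = (protocol_number, dport_or_None):
    (PROTO_TCP, 50) is `-p tcp --dport 50`; (PROTO_ESP, None) is `-p esp`."""
    info = parse_packet(pkt)
    if rule[0] != info["proto"]:
        return False
    return rule[1] is None or rule[1] == info["dport"]


if __name__ == "__main__":
    tcp_pkt = build_ipv4(PROTO_TCP, tcp_payload(40000, 50))
    esp_pkt = build_ipv4(PROTO_ESP, esp_payload(0x1234, 1))
    print("tcp --dport 50 matches TCP/50 :", matches((PROTO_TCP, 50), tcp_pkt))
    print("tcp --dport 50 matches ESP    :", matches((PROTO_TCP, 50), esp_pkt))
    print("-p esp matches ESP            :", matches((PROTO_ESP, None), esp_pkt))
```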

Hi @milesich,

You can open any port you wish and use it to your needs. In your case to open ports 50 and 51, you’ll need to execute the following commands:

  • If you are using UFW, you can execute
sudo ufw allow 50
sudo ufw allow 51
  • If you are using only IPtables, you can execute
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 50 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 51 -j ACCEPT

All of the provided commands will help you with opening the port and allowing traffic. It’s possible, however, that you wish to enable traffic only for a certain IP address. In that case, you’ll need to modify your commands a bit.

  • UFW example with allowing IP access on a certain port
sudo ufw allow from XXX.XXX.XXX.XXX to any port 50
sudo ufw allow from XXX.XXX.XXX.XXX to any port 51
  • Iptables example with allowing IP access on a certain port
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d XXX.XXX.XXX.XXX --dport 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d XXX.XXX.XXX.XXX --dport 51 -m state --state NEW,ESTABLISHED -j ACCEPT

Please remember to change XXX.XXX.XXX.XXX in any of the commands with your own IP address.

Regards,
KDSys

  • Thank you for your reply but I was looking for how to configure it on DO cloud firewall service instead of on a particular host. Also I was talking about IP protocols not ports.

    • At the moment, using the mentioned IP Protocols is a feature that’s not included.

      Having said that, I’ll recommend going to the ideas board at https://ideas.digitalocean.com/ and post this as an Idea. Every post there gets sent to the product team for review.

      Hope that helps!
