Subject: [CentOS] VPN - Solved - HUGE THANKS
Maciej Żenczykowski
maze at cela.pl
Wed May 25 16:34:25 UTC 2005
I'd suggest dropping (or commenting out) the -p 50 and -p 51 rules if
you're not using IPv6, and I'd suggest adding -i dev and -o dev to any
rules where possible (-i in INPUT and FORWARD being the input device, and -o in
FORWARD and OUTPUT being the output device).
This seems _very_ dangerous; what is this supposed to achieve? Is this
needed?
> $IPTABLES -A INPUT -i $EXTIF -s ${remotenetwork} -d $INTNET -j ACCEPT
Drop these two:
> $IPTABLES -A INPUT -p 51 -j ACCEPT
> $IPTABLES -A INPUT -p 50 -j ACCEPT
This should probably also have "-i $EXTIF"
and "-s $OTHER-VPN-GLOBAL-IP":
> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
OUTPUT is usually safe :)
You should add -i and -o here (using the INTERNAL NET DEVICE and the virtual proxy
device as the parameters):
> $IPTABLES -A FORWARD -s $INTNET -d ${remotenetwork} -j ACCEPT
> $IPTABLES -A FORWARD -s ${remotenetwork} -d $INTNET -j ACCEPT
Not sure about this...
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -d ! 192.168.100.0/24 -j SNAT --to $EXTIP
Anyway, cheers,
MaZe.