Hi, I did some testing and refined the iptables config following your suggestions :)
On Wed, 2005-05-25 at 18:34, Maciej Żenczykowski wrote:
> I'd suggest dropping (or commenting out) the -p 50 and -p 51 rules if you're not using ipv6 and I'd suggest adding -i dev and -o dev to any rules where possible (-i in INPUT and FORWARD being input device and -o in FORWARD and OUTPUT being output device)
> this seems _very_ dangerous, what is this supposed to achieve? is this needed?
> $IPTABLES -A INPUT -i $EXTIF -s ${remotenetwork} -d $INTNET -j ACCEPT
Right, good for me: it's a testing environment. In fact it is not needed.
> drop these two:
> $IPTABLES -A INPUT -p 51 -j ACCEPT
> $IPTABLES -A INPUT -p 50 -j ACCEPT
Looks like if I drop these it won't work. So I changed it to just catch packets coming from the Cisco PIX public IP at the other end:
$IPTABLES -A INPUT -i $EXTIF -s $PIX -p 51 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $PIX -p 50 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $PIX -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p 51 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p udp --sport 500 --dport 500 -j ACCEPT
> this should probably also have "-i $EXTIF" and "-s $OTHER-VPN-GLOBAL-IP"
> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> OUTPUT is usually safe :)
> you should add -i and -o here (using INTERNAL NET DEVICE and virtual proxy device as the parameters)
> $IPTABLES -A FORWARD -s $INTNET -d ${remotenetwork} -j ACCEPT
> $IPTABLES -A FORWARD -s ${remotenetwork} -d $INTNET -j ACCEPT
Done:
$IPTABLES -A FORWARD -i $INTIF -s $INTNET -o $EXTIF -d ${remotenetwork} -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -s ${remotenetwork} -o $INTIF -d $INTNET -j ACCEPT
> not sure about this...
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -d! 192.168.100.0/24 -j SNAT --to $EXTIP
Well, I added this so as not to NAT packets from INTNET to remotenet (there is the needed rule on the PIX on the other side), but it was not written right. I had to split it in two since I couldn't find a one-line way to do it, but it works now:
$IPTABLES -t nat -A POSTROUTING -s $INTNET -d $FBCMEDIA -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j SNAT --to $EXTIP
The first line accepts packets to remotenet without NATting them; the second line NATs all the rest.
> anyways, cheers, MaZe.
Well, I'm soon going to set this up on the remote Linux box. This has been a really nice experience; I learned a lot, thanks to everyone that participated in this topic.
Have a nice day,
Simone
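As an added worked example (not part of the thread above, and not Simone's or Maciej's script), here is the refined rule set from this exchange collected into one dry-run shell script: ESP (protocol 50), AH (protocol 51) and IKE (UDP/500) bound to the external interface and the PIX peer address, FORWARD rules bound to both the interface pair and the address pair, and the "no NAT towards the remote network" exception written as a single POSTROUTING rule using iptables' negation syntax (`! -d net` in iptables 1.4 and later; the older 1.3-era spelling is `-d ! net`). All addresses and interface names (eth0, eth1, RFC 5737 documentation ranges) are constructed placeholders, and `$IPTABLES` defaults to `echo iptables` so the script only prints the rules; point it at the real binary to apply them. The `check_ruleset` function is an added sanity check that fails if any ESP/AH INPUT rule is not pinned to the peer, if a FORWARD rule lacks `-i`/`-o`, or if the SNAT rule would also rewrite VPN traffic.

```shell
#!/bin/sh
# Added example: dry-run generator for the IPsec-to-PIX iptables rules
# discussed in the thread. Not the original poster's script.
IPTABLES="${IPTABLES:-echo iptables}"   # default prints rules instead of applying

# Assumed placeholder values (constructed for this example).
EXTIF=eth0                   # external (Internet-facing) interface
INTIF=eth1                   # internal LAN interface
EXTIP=203.0.113.10           # this box's public IP
PIX=198.51.100.1             # Cisco PIX public IP at the other end
INTNET=192.168.1.0/24        # local LAN
REMOTENET=192.168.100.0/24   # network behind the PIX (the thread's ${remotenetwork})

ipsec_rules() {
    # IKE, ESP and AH only from/to the peer, only on the external interface.
    for p in 50 51; do
        $IPTABLES -A INPUT  -i "$EXTIF" -s "$PIX" -p "$p" -j ACCEPT
        $IPTABLES -A OUTPUT -o "$EXTIF" -d "$PIX" -p "$p" -j ACCEPT
    done
    $IPTABLES -A INPUT  -i "$EXTIF" -s "$PIX" -p udp --sport 500 --dport 500 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -d "$PIX" -p udp --sport 500 --dport 500 -j ACCEPT
}

forward_rules() {
    # Both directions pinned to the interface pair as well as the address pair.
    $IPTABLES -A FORWARD -i "$INTIF" -s "$INTNET"    -o "$EXTIF" -d "$REMOTENET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -s "$REMOTENET" -o "$INTIF" -d "$INTNET"    -j ACCEPT
}

nat_rules() {
    # One-line form of the split ACCEPT/SNAT pair: SNAT everything from the LAN
    # leaving EXTIF except traffic for the VPN peer network. "!" is a literal
    # argument here (negation syntax of iptables >= 1.4).
    $IPTABLES -t nat -A POSTROUTING -s "$INTNET" -o "$EXTIF" ! -d "$REMOTENET" -j SNAT --to "$EXTIP"
}

generate() { ipsec_rules; forward_rules; nat_rules; }

# Sanity checks on the printed rule list; run before applying for real.
check_ruleset() {
    rules=$(IPTABLES="echo iptables"; generate)
    # every ESP/AH INPUT rule must name the peer as source
    if echo "$rules" | grep -E -- '-A INPUT .*-p 5[01]' | grep -qv -- "-s $PIX"; then
        echo "unrestricted ESP/AH INPUT rule" >&2; return 1
    fi
    # every FORWARD rule must carry both -i and -o
    if echo "$rules" | grep -- '-A FORWARD' | grep -qvE -- '-i [^ ]+ .*-o [^ ]+'; then
        echo "FORWARD rule without -i/-o" >&2; return 1
    fi
    # the SNAT rule must exclude the remote network
    echo "$rules" | grep -q -- "! -d $REMOTENET -j SNAT" \
        || { echo "SNAT would rewrite VPN traffic" >&2; return 1; }
    return 0
}

generate
```

Run it as-is to review the rules, then `IPTABLES=/sbin/iptables sh script.sh` (as root) to apply them; `check_ruleset` returns non-zero if the generated set drifts from the constraints above.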