Hi, still trying to understand one thing. I would definitely like to tell iptables to accept all packets coming from the remote VPN only if they hit the $VIRTUALVPNINTERFACE. I tried -o ipsec0 but this is not working; it looks like the ipsec0 device doesn't exist or is not recognized. I read on the Openswan users list that Linux kernel 2.6 native IPsec doesn't create ipsec* interfaces (if I am not wrong, this is something backported to kernel 2.4 in RHEL3); it just adds a route to the remote network through eth0, so if I want to ssh to the VPN server on its internal IP from the other side of the VPN I need
$IPTABLES -A INPUT -i *$EXTIF* -s $MYEXTNETWORK -d $INTIP -p tcp -m tcp --dport 22 -j ACCEPT
and this is true for any other rule I would use ipsec0 in, I have to use $EXTIF.
Even if I am going to set sshd to listen on a different port, I am a little worried this could harm my machine in any way.
Comments are welcome
Have a nice day,
Simone
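As an added example (not from the thread, Openswan or CentOS), the usual way to express the rule above without an ipsec0 device: match on the kernel's IPsec policy state with -m policy rather than on the interface alone, so a plaintext packet arriving on eth0 with a forged remote-LAN source does not satisfy the SSH rule. It assumes the policy match (ipt_policy/xt_policy, present only in later 2.6 kernels and iptables builds) is available, keeps the thread's $IPTABLES/$EXTIF/$INTIP names, and uses placeholders for the remote subnet and the SSH port.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables rule set that uses
# the IPsec policy match (-m policy; assumed available in kernel and
# iptables) instead of the non-existent ipsec0 interface. $IPTABLES, $EXTIF
# and $INTIP follow the thread's script; the rest are placeholders.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
INTIP=${INTIP:-192.168.0.1}
REMOTELAN=${REMOTELAN:-10.10.0.0/24}   # placeholder: subnet behind the peer
SSHPORT=${SSHPORT:-22}                 # placeholder: whatever sshd listens on

# Prints the rules instead of applying them, so they can be reviewed first
# and then applied with:  vpn_rules | sh
vpn_rules() {
    # Tunnel control (IKE, NAT-T) and data (ESP) traffic to the external address.
    echo "$IPTABLES -A INPUT -i $EXTIF -p udp --dport 500 -j ACCEPT"
    echo "$IPTABLES -A INPUT -i $EXTIF -p udp --dport 4500 -j ACCEPT"
    echo "$IPTABLES -A INPUT -i $EXTIF -p esp -j ACCEPT"

    # Anti-spoofing: a packet on $EXTIF whose source claims to be inside the
    # remote LAN, but which was not decapsulated from an IPsec SA, is forged
    # or leaked plaintext. "--pol none" matches exactly that case.
    echo "$IPTABLES -A INPUT -i $EXTIF -s $REMOTELAN -m policy --dir in --pol none -j DROP"

    # SSH to the internal address is accepted only when the decrypted inner
    # packet is known to have come through the tunnel ("--pol ipsec"). The
    # interface is still $EXTIF because native 2.6 IPsec has no ipsec0; the
    # decapsulated packet re-enters INPUT on the same interface.
    echo "$IPTABLES -A INPUT -i $EXTIF -s $REMOTELAN -d $INTIP -p tcp --dport $SSHPORT -m policy --dir in --pol ipsec -j ACCEPT"
}

# Number of rules the generator emits (handy when reviewing the output).
rule_count() { vpn_rules | wc -l | tr -d ' '; }
```

Run it as `sh vpnrules.sh` after appending a `vpn_rules` call to print the set, or `vpn_rules | sh` from a shell that has sourced it, to apply.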
Can you verify that indeed the "ip addr" command shows no virtual interfaces?
Cheers, MaZe
On Fri, 27 May 2005, Simone wrote:
Yes, unfortunately I can :)
This is tricky, isn't it? It could be a security hole, I think, so I'll have some more googling around and see if I can find anything related. If I do, I will share it. Btw, the VPN is up and running, thanks to your help.
[root@srvgwvpn01 simone]# /sbin/ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet xxx.xxx.xxx.xxx/28 brd xxx.xxx.xxx.xxx scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
Have a nice day,
Simone
Maciej Żenczykowski wrote: