Subject: [CentOS] VPN - Solved - HUGE THANKS

Thu May 26 10:30:59 UTC 2005
simone <simone72 at email.it>

Hi, did some testing and refined iptables conf following your
suggestions :)

On Wed, 2005-05-25 at 18:34, Maciej Żenczykowski wrote:
> I'd suggest dropping (or commenting out) the -p 50 and -p 51 rules if 
> you're not using ipv6 and I'd suggest adding -i dev and -o dev to any 
> rules where possible (-i in INPUT and FORWARD being input device and -o in 
> FORWARD and OUTPUT being output device)
> 
> this seems _very_ dangerous, what is this supposed to achieve? is this 
> needed?
> > $IPTABLES -A INPUT -i $EXTIF -s ${remotenetwork} -d $INTNET -j ACCEPT

Right, good for me it's a testing environment. In fact it is not needed.

> 
> drop these two:
> > $IPTABLES -A INPUT -p 51 -j ACCEPT
> > $IPTABLES -A INPUT -p 50 -j ACCEPT

Looks like if I drop these it won't work. So I changed it to just catch
packets coming from the cisco pix public IP at the other end:

$IPTABLES -A INPUT -i $EXTIF -s $PIX -p 51 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $PIX -p 50 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $PIX -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p 51 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p udp --sport 500 --dport 500 -j ACCEPT
> 
> this should have probably also have "-i $EXTIF"
> and "-s $OTHER-VPN-GLOBAL-IP"
> > $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> 
> OUTPUT is usually safe :)
> 
> you should add -i and -o here (using INTERNAL NET DEVICE and virtual proxy 
> device as the parameters)
> > $IPTABLES -A FORWARD -s $INTNET -d ${remotenetwork} -j ACCEPT
> > $IPTABLES -A FORWARD -s ${remotenetwork} -d $INTNET -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -s $INTNET -o $EXTIF -d ${remotenetwork} -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -s ${remotenetwork} -o $INTIF -d $INTNET -j ACCEPT

> 
> not sure about this...
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -d\! 192.168.100.0/24 -j SNAT
> > --to $EXTIP
> 

Well, I added this not to NAT packets from INTNET to remotenet (there's a
needed rule on the pix on the other side), but it was not written right.
I had to split it in two since I couldn't find a one-line way to do it,
but it works now:

$IPTABLES -t nat -A POSTROUTING -s $INTNET -d $FBCMEDIA -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j SNAT --to $EXTIP

The first line accepts packets to remotenet without NATting; the second
line NATs all the rest.


> anyways, cheers,
> MaZe.

Well, soon going to set this up on the remote linuxbox. This has been a
really nice experience, I learned a lot, thanks to everyone who
participated in this topic.

Have a nice day
Simone
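The rule set Simone ends up with, collected into one dry-run script as an added example (this is not code from the thread): $IPTABLES defaults to echo so the list can be rendered and linted before it is loaded, and check_rules is a hypothetical lint that flags the two mistakes discussed above (IPsec rules not bound to the peer and interface, and the NAT exemption ordered after the SNAT). Interface names, addresses and the REMOTENET variable (FBCMEDIA in the thread) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the final rule set rendered by a
# function, with $IPTABLES overridable so it can be dry-run (IPTABLES=echo)
# and linted before loading on a real box.
# Interfaces and addresses are constructed placeholders (RFC 5737 ranges).
IPTABLES="${IPTABLES:-echo}"          # set to /sbin/iptables to apply for real
EXTIF="${EXTIF:-eth0}"                # public interface
INTIF="${INTIF:-eth1}"                # LAN interface
EXTIP="${EXTIP:-203.0.113.10}"        # this box's public IP
PIX="${PIX:-198.51.100.1}"            # peer PIX public IP
INTNET="${INTNET:-192.168.1.0/24}"    # local LAN
REMOTENET="${REMOTENET:-192.168.100.0/24}"  # LAN behind the PIX (FBCMEDIA in the thread)

vpn_rules() {
    # IKE (udp/500), ESP (50) and AH (51): only from/to the known peer, only on $EXTIF
    for proto in 50 51; do
        $IPTABLES -A INPUT  -i "$EXTIF" -s "$PIX" -p "$proto" -j ACCEPT
        $IPTABLES -A OUTPUT -o "$EXTIF" -d "$PIX" -p "$proto" -j ACCEPT
    done
    $IPTABLES -A INPUT  -i "$EXTIF" -s "$PIX" -p udp --sport 500 --dport 500 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -d "$PIX" -p udp --sport 500 --dport 500 -j ACCEPT
    # Forwarding pinned to both interfaces and both networks
    $IPTABLES -A FORWARD -i "$INTIF" -s "$INTNET" -o "$EXTIF" -d "$REMOTENET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -s "$REMOTENET" -o "$INTIF" -d "$INTNET" -j ACCEPT
    # NAT exemption must precede the catch-all SNAT, or tunnel traffic gets rewritten
    $IPTABLES -t nat -A POSTROUTING -s "$INTNET" -d "$REMOTENET" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s "$INTNET" -o "$EXTIF" -j SNAT --to "$EXTIP"
}

# Lint a rendered rule list ($1): every rule opening an IPsec protocol/port
# must name the peer and the public interface, and the NAT exemption must
# come before the SNAT rule. Returns 0 if the list passes, 1 otherwise.
check_rules() {
    ipsec=$(printf '%s\n' "$1" | grep -E -- '-p (50|51|udp)')
    printf '%s\n' "$ipsec" | grep -Ev -- "(-s|-d) $PIX" >/dev/null && return 1
    printf '%s\n' "$ipsec" | grep -Ev -- "(-i|-o) $EXTIF" >/dev/null && return 1
    exempt=$(printf '%s\n' "$1" | grep -n -- '-t nat' | grep -- "-d $REMOTENET" | cut -d: -f1)
    snat=$(printf '%s\n' "$1" | grep -n -- '-t nat' | grep -- 'SNAT' | cut -d: -f1)
    [ -n "$exempt" ] && [ -n "$snat" ] && [ "$exempt" -lt "$snat" ]
}

rendered=$(IPTABLES=echo; vpn_rules)   # render without touching the kernel
printf '%s\n' "$rendered"
check_rules "$rendered" && echo "rule list passes checks"
```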
