[CentOS] Still VPN

Fri May 27 15:14:41 UTC 2005
Simone <simone72 at email.it>

Yes, unfortunately I can :)

This is tricky, isn't it? It could be a security hole I think, so I'll
do some more googling around and see if I can find anything related.
If I do I will share it.
Btw, the VPN is up and running, thanks to your help.

[root at srvgwvpn01 simone]# /sbin/ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet xxx.xxx.xxx.xxx/28 brd xxx.xxx.xxx.xxx scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

Have a nice day
Simone


Maciej Żenczykowski wrote:

> Can you verify that indeed the "ip addr" command shows no virtual 
> interfaces?
>
> Cheers,
> MaZe
>
> On Fri, 27 May 2005, Simone wrote:
>
>> Hi, still trying to understand one thing. I would definitely like to
>> tell iptables to accept all packets coming from the remote vpn only if
>> they hit the $VIRTUALVPNINTERFACE. I tried -o ipsec0 but this is not
>> working, looks like the ipsec0 device doesn't exist or it is not
>> recognized. I read on the Openswan users list that Linux kernel 2.6
>> native ipsec doesn't create ipsec* interfaces (if I am not wrong this is
>> something backported to kernel 2.4 RHEL3), it just adds a route to the remote
>> network through eth0, so if I want to ssh to the vpn server on its
>> internal ip from the other side of the vpn I need
>>
>> $IPTABLES -A INPUT -i *$EXTIF* -s $MYEXTNETWORK -d $INTIP -p tcp -m 
>> tcp --dport 22 -j ACCEPT
>>
>> and this is true for any other rule I would use ipsec0 in, I have to 
>> use $EXTIF.
>>
>> Even if I am going to set sshd to listen on a different port, I am a 
>> little worried this could harm my machine in any way.
>>
>> Comments are welcome
>>
>> Have a nice day
>> Simone
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
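The interface-only rule from Simone's post, side by side with a hardened variant, as an added example that is not from the thread or from Openswan: with 2.6 native IPsec the decrypted packets show up on $EXTIF, so a rule keyed only on the interface and source network also matches cleartext packets that merely claim a source in $MYEXTNETWORK, whereas the iptables policy match (xt_policy) only matches packets that were actually decapsulated from an inbound IPsec SA. The variable names are reused from the post; the address values, the $SSHPORT variable and the dry-run default are assumptions, and the policy match needs a kernel and iptables newer than the 2005-era ones discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed placeholder values:
EXTIF=eth0                    # outer interface, as in Simone's ruleset
INTIP=192.168.0.1             # VPN server's internal address (from the ip addr output)
MYEXTNETWORK=192.168.1.0/24   # remote site's internal network (constructed)
SSHPORT=22                    # assumed; change if sshd moves to another port
# Dry run by default: prints the commands. Set IPTABLES=/sbin/iptables to apply.
IPTABLES=${IPTABLES:-echo iptables}

# Rule as written in the thread. Because there is no ipsec0 device on
# 2.6 native IPsec, a forged cleartext packet with a source in
# $MYEXTNETWORK arriving on $EXTIF matches this rule just as well as a
# packet that really came out of the tunnel.
rule_interface_only() {
    $IPTABLES -A INPUT -i "$EXTIF" -s "$MYEXTNETWORK" -d "$INTIP" \
        -p tcp -m tcp --dport "$SSHPORT" -j ACCEPT
}

# Hardened variant. The policy match restricts the ACCEPT to packets that
# were decapsulated from an inbound IPsec SA; anything else on $EXTIF
# claiming the remote network's source is logged and dropped.
# Order matters: the ESP/IKE accepts and the tunnel ACCEPT come first.
rule_ipsec_policy() {
    # The tunnel itself: ESP payloads and IKE (UDP 500; 4500 for NAT-T).
    $IPTABLES -A INPUT -i "$EXTIF" -p esp -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p udp -m udp --dport 500 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p udp -m udp --dport 4500 -j ACCEPT
    # SSH to the internal IP only from packets that came through IPsec.
    $IPTABLES -A INPUT -i "$EXTIF" -m policy --dir in --pol ipsec \
        -s "$MYEXTNETWORK" -d "$INTIP" -p tcp -m tcp --dport "$SSHPORT" -j ACCEPT
    # Same source network without an IPsec policy: spoofed, log then drop.
    $IPTABLES -A INPUT -i "$EXTIF" -s "$MYEXTNETWORK" -m policy --dir in --pol none \
        -j LOG --log-prefix "vpn-src-spoof: "
    $IPTABLES -A INPUT -i "$EXTIF" -s "$MYEXTNETWORK" -m policy --dir in --pol none \
        -j DROP
}
```

Without the policy match (older kernels), the fallback is to keep the interface-only rule and rely on rp_filter plus an explicit DROP of $MYEXTNETWORK sources that arrive as non-ESP traffic, which is weaker because it cannot tell a decrypted packet from a cleartext one.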