#1
Hi,

I am running an old computer as a router using Debian Sarge, kernel 2.6.10 and iptables 1.2.11-10. Here is my setup:

```
                 CompR
            ,-----------.
(INTERNET) -->ppp0--->eth1 eth0 ---->SWITCH--->192.168.0.0/24
            `-----------'
```

CompR is the router computer running iptables and doing masquerading.

Before I set up this computer I had a D-Link router in its place with the option of VPN enabled. At that time, a Windows machine in my LAN was able to connect to an external VPN server (at my university) using a VPN client (Cisco's) and was able to sustain the connection.

After I set up my router computer (and removed the D-Link router), the Windows client can connect to the external VPN server but cannot sustain the connection. The connection seems to be breaking multiple times every hour. I have been trying various rules (searched from google) and have this stanza relating to this:

```sh
# $IPTABLES, $EXTIF (ppp0) and $VPN_SERVERS are set earlier in the script (not shown)
# --- IN ---
for VPNS in $VPN_SERVERS; do
    $IPTABLES -A INPUT -p udp -s $VPNS \
        -i $EXTIF --dport 500 -j ACCEPT
done
# --- OUT ---
for VPNS in $VPN_SERVERS; do
    $IPTABLES -A OUTPUT -p udp -d $VPNS \
        -o $EXTIF --dport 500 -j ACCEPT
done
$IPTABLES -A FORWARD -i ${EXTIF} -p tcp --dport 500 -j ACCEPT
$IPTABLES -A FORWARD -i ${EXTIF} -p udp --dport 500 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i ${EXTIF} \
    --dport 500 -j DNAT --to-destination 192.168.0.15:500
```

After the Windows client (192.168.0.15) connects, I do not see any traffic on port 500:

```
~# iptables -nvL | grep 500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.135        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.136        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.137        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.138        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.139        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.140        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.132        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.133        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.134        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.132       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.133       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.134       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.135       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.136       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.137       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.138       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.139       udp dpt:500
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.140       udp dpt:500
```

What am I doing wrong here? I have never dealt with this VPN situation before. If somebody could shed some light on this, it would be great.

thanks,
->HS

--
Please remove the underscores (the '_' symbols) from my email address to obtain the correct one. Apologies, but the fudging is to remove spam.

H. S.
#2
Apparently, _H. S._, on 17/05/05 23:21, typed:

> Hi,
>
> I am running an old computer as a router using Debian Sarge and kernel
> 2.6.10 kernel and iptables 1.2.11-10. Here is my setup:
>
>                  CompR
>             ,-----------.
> (INTERNET) -->ppp0--->eth1 eth0 ---->SWITCH--->192.168.0.0/24
>             `-----------'
>
> CompR is the router computer running iptables and doing masquerading.
>
> Before I set up this computer I had a D-Link router in its place with
> the option of VPN enabled. At that time, a Windows machine in my LAN was
> able to connect to an external VPN server (at my university) using a VPN
> client (Cisco's) and was able to sustain the connection.
>
> After I set up my router computer (and removed the D-Link router), the
> Windows client can connect to the external VPN server but cannot sustain
> the connection. The connection seems to be breaking multiple times every
> hour. I have been trying various rules (searched from google) and have
> this stanza relating to this:
>
> # --- IN ---
> for VPNS in $VPN_SERVERS; do
>     $IPTABLES -A INPUT -p udp -s $VPNS \
>         -i $EXTIF --dport 500 -j ACCEPT
> done
> # --- OUT ---
> for VPNS in $VPN_SERVERS; do
>     $IPTABLES -A OUTPUT -p udp -d $VPNS \
>         -o $EXTIF --dport 500 -j ACCEPT
> done
> $IPTABLES -A FORWARD -i ${EXTIF} -p tcp --dport 500 -j ACCEPT
> $IPTABLES -A FORWARD -i ${EXTIF} -p udp --dport 500 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -p udp -i ${EXTIF} \
>     --dport 500 -j DNAT --to-destination 192.168.0.15:500

<SNIP><SNIP>

> What am I doing wrong here? I have never dealt with this VPN situation
> before. If somebody could shed some light on this, it would be great.
>
> thanks,
> ->HS
>

Quite strangely, the VPN clients from within my private network have a sustained connection with the VPN servers at my school. Things seem to have improved today and maybe even the problem is all gone. But I am not sure why.

Here are the rules that I have in my iptables script now:

```sh
# $IPTABLES, $EXTIF (ppp0), $VPN_SERVERS and $VPN_ALLOW are set earlier in the script (not shown)
################################################################
# VPN
#
if [ "$VPN_ALLOW" -eq "1" ]; then
    # --- IN ---
    for VPNS in $VPN_SERVERS; do
        $IPTABLES -A INPUT -p udp -s $VPNS \
            -i $EXTIF --dport 500 -j ACCEPT
        $IPTABLES -A FORWARD -i ${EXTIF} -s $VPNS \
            -p tcp --dport 1723 -j ACCEPT
        $IPTABLES -A FORWARD -i ${EXTIF} -s $VPNS \
            -p udp --dport 500 -j ACCEPT
    done
    # --- OUT ---
    for VPNS in $VPN_SERVERS; do
        $IPTABLES -A OUTPUT -p udp -d $VPNS \
            -o $EXTIF --dport 500 -j ACCEPT
    done
fi
# DnR_VPN is a user-defined chain that logs the packets and rejects them
for VPNS in $VPN_SERVERS; do
    $IPTABLES -A FORWARD -i ${EXTIF} -s $VPNS -p udp -j DnR_VPN
    $IPTABLES -A INPUT -i ${EXTIF} -s $VPNS -p udp -j DnR_VPN
done
```

I added the last for loop just to log the remaining packets to see if iptables registers some activity (DnR_VPN is a chain that logs the packets and rejects them). Even though the VPN client connection of a Windows computer is working, I still do not see any packets arriving at or going out from port 500 or 1723 of ppp0: the "pkts" and "bytes" counters in the output of "iptables -nvL" are still zero for the VPN-related rules. What am I missing here?

->HS

--
Please remove the underscores (the '_' symbols) from my email address to obtain the correct one. Apologies, but the fudging is to remove spam.
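Both posts above hinge on the same puzzle: the VPN works, yet the port-500 and port-1723 rules show zero packets. The usual explanation is iptables' first-match semantics: a rule only counts packets that no earlier rule in the same chain has already accepted, and a `state RELATED,ESTABLISHED` rule placed near the top of a chain swallows every reply packet of a flow. The script below is an added example, not code from the thread or from the poster's script. It parses `iptables -nvL` output in its default column layout, reports every rule that has never matched, and says when an earlier state catch-all explains the zero. The dump it runs on is constructed to resemble the one posted above; the leading RELATED,ESTABLISHED rule in each chain is an assumption about a typical ruleset, not something the thread shows.

```python
"""Explain zero packet counters in an `iptables -nvL` dump.

Added example, not code from the thread. Assumes the default
`iptables -nvL` columns: pkts bytes target prot opt in out source
destination [options]. The sample dump is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    opts: str


_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_counter(tok: str) -> int:
    """iptables abbreviates large counters as 12K, 3M, ... unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_nvl(text: str) -> dict[str, list[Rule]]:
    """Group the rule lines of `iptables -nvL` output by chain, in order."""
    chains: dict[str, list[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if line.startswith("pkts ") or current is None:
            continue                      # column header, or text before any chain
        f = line.split(None, 9)           # the options column may contain spaces
        if len(f) < 9:
            continue                      # a rule without a target shifts the columns
        opts = f[9] if len(f) == 10 else ""
        chains[current].append(
            Rule(current, parse_counter(f[0]), f[2], f[3], f[5], f[6], f[7], f[8], opts))
    return chains


def is_state_catchall(r: Rule) -> bool:
    """An ACCEPT for all protocols and addresses that matches on connection state."""
    return (r.target == "ACCEPT" and r.prot == "all" and r.src == "0.0.0.0/0"
            and r.dst == "0.0.0.0/0" and "ESTABLISHED" in r.opts)


def diagnose(chains: dict[str, list[Rule]]) -> list[str]:
    """List every rule with a zero counter; where an earlier state catch-all
    in the same chain explains it, say so (first match wins in iptables)."""
    findings = []
    for chain, rules in chains.items():
        shadowed = False                  # a state catch-all appeared earlier in this chain
        for idx, r in enumerate(rules, 1):
            label = f"{chain} rule {idx} ({r.target} {r.prot} {r.in_if}->{r.out_if} {r.opts})"
            if r.pkts == 0 and shadowed:
                findings.append(label + ": 0 pkts; replies were already ACCEPTed by the earlier "
                                "RELATED,ESTABLISHED rule, so only the first packet of a new "
                                "flow can ever reach this rule")
            elif r.pkts == 0:
                findings.append(label + ": 0 pkts; no packet matched (check chain, "
                                "interface, direction and protocol)")
            if is_state_catchall(r):
                shadowed = True
    return findings


# Constructed dump: port-500 rules like the poster's, behind a typical state rule.
SAMPLE = """\
Chain INPUT (policy DROP 17 packets, 1234 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812  940K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.135        0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       132.216.1.136        0.0.0.0/0           udp dpt:500

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  21K   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  143 11440 ACCEPT     all  --  eth0   ppp0    192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:500

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            132.216.1.132       udp dpt:500
"""


def run_sample() -> list[str]:
    return diagnose(parse_nvl(SAMPLE))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Two further points the counters cannot show but netfilter's packet flow does: replies from the VPN server to a masqueraded LAN client are de-NATed in `nat PREROUTING` and then traverse FORWARD, never INPUT, so an INPUT rule for those replies matches only traffic addressed to the router itself; and the LAN client's outbound packets traverse FORWARD, not OUTPUT. Checking the position of each VPN rule relative to the chain's state rule, and the chain it is in, is the first thing to do before reading a zero counter as "no traffic".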
Tags: iptables, lan, linux, router, vpnc