* [fwd] "IPsec-pass-through" with iptables? (from: ASkwar@email-server.info)
@ 2002-11-26 16:09 Alexander Skwar
From: Alexander Skwar @ 2002-11-26 16:09 UTC (permalink / raw)
To: netfilter
Hello!
I'm trying to connect with a Windows PC running AT&T client software
to my company's VPN gateway and fail to do so. The Windows PC is
connected to my home LAN with a Linux gateway doing IP masquerading.
The setup is like this:
-------        -------        ========        -------
- Win - -Lan-> - Lin - -DSL-> = Inet = -> - VPN -
-------   /    -------        ========        -------
         /
-------  /
- PC2 - -
-------
As you can see, the "Lin" Linux gateway is connected to the Internet
through a "dial-up" DSL connection. My DSL provider doesn't provide
static IPs, so it is using dynamic IPs ;)
For my internal LAN, I'm using IP masquerading, so that I'm able
to connect to the Internet with more than 1 PC.
The supporters here at my company tell me that I'm unable to connect
to the company's VPN servers, because my Linux router doesn't do/support
"IPsec pass-through". Well, that might be the case, I don't know.
How do I have to set up my Linux 2.4.20 router using iptables v1.2.6a
so that it does "IPsec pass-through"?
Here's the output of iptables-save:
# Generated by iptables-save v1.2.6a on Tue Nov 26 17:08:56 2002
*filter
:INPUT ACCEPT [154463:26208407]
:FORWARD ACCEPT [10780:550322]
:OUTPUT ACCEPT [170787:53607884]
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 10.20.30.0/255.255.255.0 -j ACCEPT
COMMIT
# Completed on Tue Nov 26 17:08:56 2002
# Generated by iptables-save v1.2.6a on Tue Nov 26 17:08:56 2002
*nat
:PREROUTING ACCEPT [18806:973058]
:POSTROUTING ACCEPT [8453:605815]
:OUTPUT ACCEPT [5835:635949]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1214 -j DNAT --to-destination 10.20.30.22:1214
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.20.30.22:4662
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 10.20.30.22:6346
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6699 -j DNAT --to-destination 10.20.30.22:6699
-A PREROUTING -i ppp0 -p udp -m udp --dport 1214 -j DNAT --to-destination 10.20.30.22:1214
-A PREROUTING -i ppp0 -p udp -m udp --dport 6257 -j DNAT --to-destination 10.20.30.22:6257
-A PREROUTING -i ppp0 -p udp -m udp --dport 6346 -j DNAT --to-destination 10.20.30.22:6346
-A POSTROUTING -s 10.20.30.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Nov 26 17:08:56 2002
Thanks a lot!
Alexander Skwar
--
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.iso-top.biz | Jabber: askwar@a-message.de
iso-top.biz - The inexpensive way to get Linux distributions
Uptime: 8 hours 39 minutes
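The rules an iptables gateway needs for IPsec pass-through, as an added example that is not part of the original mail. IKE negotiates over UDP/500, NAT-Traversal (where the client supports it) wraps ESP in UDP/4500, and plain ESP is IP protocol 50 with no ports at all. The interface names, the 10.20.30.0/24 prefix and the two sample dumps are assumptions modelled on the posted ruleset; the first function only prints the rules so they can be reviewed without root, the second checks a saved ruleset for the pieces pass-through depends on.

```shell
#!/bin/sh
# Added example (not from the original mail): what a Linux 2.4 / iptables
# masquerading gateway needs so an IPsec client on the LAN can reach an
# external VPN gateway. Interface names and the LAN prefix are assumptions.
LAN_IF=eth0            # inside interface
WAN_IF=ppp0            # dial-up DSL interface
LAN_NET=10.20.30.0/24  # inside prefix

# Print the rules instead of applying them; review, then pipe into sh.
ipsec_passthrough_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
# IKE key exchange (ISAKMP) runs over UDP/500 in both directions.
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -d $lan_net -p udp --sport 500 -j ACCEPT
# NAT-Traversal wraps ESP in UDP/4500; only clients that support it use this.
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -d $lan_net -p udp --sport 4500 -j ACCEPT
# ESP (IP protocol 50) carries the tunnelled data and has no ports.
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -p esp -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -d $lan_net -p esp -j ACCEPT
# Masquerade the LAN behind the dynamic DSL address, as the posted ruleset does.
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}

# Check an iptables-save dump (on stdin) for what pass-through depends on.
# Prints each missing piece; returns non-zero if anything is missing.
audit_ipsec_passthrough() {
    dump=$(cat)
    missing=0
    # A FORWARD policy of ACCEPT already lets ESP and IKE through;
    # with any other policy an explicit ESP rule is required.
    if ! printf '%s\n' "$dump" | grep -q '^:FORWARD ACCEPT' &&
       ! printf '%s\n' "$dump" | grep -E -q -- '-A FORWARD .*-p (esp|50)'; then
        echo "missing: FORWARD rule for ESP (protocol 50)"; missing=1
    fi
    if ! printf '%s\n' "$dump" | grep -q -- '-j MASQUERADE'; then
        echo "missing: MASQUERADE/SNAT for the LAN"; missing=1
    fi
    return $missing
}

# Constructed sample, reduced from the posted iptables-save output.
POSTED_DUMP='*filter
:FORWARD ACCEPT [10780:550322]
-A FORWARD -s 10.20.30.0/255.255.255.0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 10.20.30.0/255.255.255.0 -j MASQUERADE
COMMIT'

# Constructed sample of a locked-down gateway that does need the rules above.
LOCKED_DOWN_DUMP='*filter
:FORWARD DROP [0:0]
COMMIT
*nat
COMMIT'

ipsec_passthrough_rules "$LAN_IF" "$WAN_IF" "$LAN_NET"
printf '%s\n' "$POSTED_DUMP" | audit_ipsec_passthrough && echo "posted ruleset: ok"
printf '%s\n' "$LOCKED_DOWN_DUMP" | audit_ipsec_passthrough || echo "locked-down ruleset: needs rules"
```

Run against the posted dump the audit passes: the FORWARD policy is ACCEPT and MASQUERADE is in place, so the filter side is not what blocks the client. The remaining limits sit on the NAT side. AH (IP protocol 51) cannot cross a NAT at all, because its integrity check covers the outer IP header that MASQUERADE rewrites. Plain ESP carries no port numbers, so a masquerading gateway can only keep one inside host associated with a given outside VPN gateway at a time; with more than one client (Win and PC2 above) the reply packets are ambiguous. UDP-encapsulated ESP (NAT-T on UDP/4500) avoids that, which is why it is worth checking whether the client and the VPN gateway support it.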