Linux Netfilter discussions
* VPN client from behind a firewall
@ 2008-06-16 11:44 Gergely Buday
  2008-06-16 12:09 ` mathieu
  0 siblings, 1 reply; 6+ messages in thread
From: Gergely Buday @ 2008-06-16 11:44 UTC (permalink / raw)
  To: netfilter

Dear All,

I would like to use a Cisco VPN client from behind my CentOS server,
which has an iptables firewall. The network topology is as follows:
eth0 is towards the ISP, eth1 heads the local clients. Up to now I
used

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-IPTABLES

but this clearly needs extension. What I know is that I should allow
the IPSec port (500) to be open. What else, and how? I'm not very
familiar with iptables, so some pointers would be more than welcome.

Best Wishes

- Gergely


* Re: VPN client from behind a firewall
  2008-06-16 11:44 VPN client from behind a firewall Gergely Buday
@ 2008-06-16 12:09 ` mathieu
  2008-06-16 15:21   ` Jan Engelhardt
  0 siblings, 1 reply; 6+ messages in thread
From: mathieu @ 2008-06-16 12:09 UTC (permalink / raw)
  To: netfilter

Hi,

You need to authorize traffic and masquerade/SNAT connections and allow
forwarding.

Authorize:

iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP \
  --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP \
  --sport 500 -m state --state ESTABLISHED -j ACCEPT

SNAT (change internal address to a public one):

iptables -t nat -A POSTROUTING -o eth0 -p udp -d $VPN_SERVER_IP --dport 500 \
  -j SNAT --to-source $PUB_IP

It looks like UDP ports 4500 and 10000 are also used. And the client must be
a SecureNAT one (I can't confirm, I'm not using Cisco VPN).

Regards,

m.e.

Gergely Buday wrote:
> Dear All,
> 
> I would like to use a Cisco VPN client from behind my CentOS server,
> which has an iptables firewall. The network topology is as follows:
> eth0 is towards the ISP, eth1 heads the local clients. Up to now I
> used
> 
> http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-IPTABLES
> 
> but this clearly needs extension. What I know is that I should allow
> the IPSec port (500) to be open. What else, and how? I'm not very
> familiar with iptables, so some pointers would be more than welcome.
> 
> Best Wishes
> 
> - Gergely



* Re: VPN client from behind a firewall
  2008-06-16 12:09 ` mathieu
@ 2008-06-16 15:21   ` Jan Engelhardt
  2008-06-24  8:36     ` Gergely Buday
  0 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2008-06-16 15:21 UTC (permalink / raw)
  To: mathieu; +Cc: netfilter


On Monday 2008-06-16 14:09, mathieu wrote:

> Hi,
>
> 	You need to authorize traffic and masquerade/SNAT connections and allow
> forwarding.
>
> Authorize :
>
> iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP
> --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP
> --sport 500 -m state --state ESTABLISHED -j ACCEPT
>
> SNAT (change internal address to a public one):

But only if you have a NAT. A firewall is not a NAT, and vice-versa.

As such -p udp 500 and -p esp will be needed for a firewall;
and only -p udp 4500 for a NAT.
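
Pulling mathieu's rules and Jan's firewall/NAT distinction together, here is a rule set as an added example, not posted by anyone in this thread; the interface names follow the original question, while the addresses and the `IPT`/`WAN`/`LAN`/`PUB_IP` variables are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: forwarding and SNAT rules
# for a Linux router with eth0 towards the ISP and eth1 towards the LAN, covering
# both cases Jan distinguishes (plain firewall: UDP 500 + ESP; NAT: UDP 500 + 4500).
# All addresses below are constructed placeholders; override them in the environment.
IPT=${IPT:-iptables}                 # IPT=echo prints the rules instead of loading them
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
VPN_SERVER_IP=${VPN_SERVER_IP:-203.0.113.10}
INTERNAL_CLIENT_IP=${INTERNAL_CLIENT_IP:-192.168.1.20}
PUB_IP=${PUB_IP:-198.51.100.5}

ipsec_forward_rules() {
    # IKE (UDP 500): only this client may start an exchange, and only to this server.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -p udp -s "$INTERNAL_CLIENT_IP" \
        -d "$VPN_SERVER_IP" --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
    # NAT-T (UDP 4500): ESP carries no ports, so a NATed client tunnels it in UDP.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -p udp -s "$INTERNAL_CLIENT_IP" \
        -d "$VPN_SERVER_IP" --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
    # ESP (IP protocol 50): used when the router does not NAT; conntrack's generic
    # tracker still classifies it as NEW/ESTABLISHED.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -p esp -s "$INTERNAL_CLIENT_IP" \
        -d "$VPN_SERVER_IP" -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies from the server: only packets belonging to a flow the client opened,
    # so nothing on the Internet can start a connection inward through this rule.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -s "$VPN_SERVER_IP" \
        -d "$INTERNAL_CLIENT_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ipsec_nat_rules() {
    # Only needed when the LAN uses private addresses: rewrite the client's source
    # to the public address for IKE and NAT-T towards the VPN server.
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -p udp -s "$INTERNAL_CLIENT_IP" \
        -d "$VPN_SERVER_IP" -m multiport --dports 500,4500 -j SNAT --to-source "$PUB_IP"
}

# Apply only when explicitly asked, e.g. `sh ipsec-passthrough.sh apply`
# (preview first with `IPT=echo sh ipsec-passthrough.sh apply`).
case "${1:-}" in
    apply) ipsec_forward_rules; ipsec_nat_rules ;;
esac
```

These ACCEPT rules must sit before the catch-all DROP/REJECT rules of the rc.firewall script the original question links to, since iptables evaluates a chain top-down and stops at the first match.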



* Re: VPN client from behind a firewall
  2008-06-16 15:21   ` Jan Engelhardt
@ 2008-06-24  8:36     ` Gergely Buday
  2008-06-24  8:58       ` Jan Engelhardt
  0 siblings, 1 reply; 6+ messages in thread
From: Gergely Buday @ 2008-06-24  8:36 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: mathieu, netfilter

2008/6/16 Jan Engelhardt <jengelh@medozas.de>:
>
> On Monday 2008-06-16 14:09, mathieu wrote:
>
>> Hi,
>>
>>       You need to authorize traffic and masquerade/SNAT connections and allow
>> forwarding.
>>
>> Authorize :
>>
>> iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP
>> --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP
>> --sport 500 -m state --state ESTABLISHED -j ACCEPT
>>
>> SNAT (change internal address to a public one):
>
> But only if you have a NAT. A firewall is not a NAT, and vice-versa.
>
> As such -p udp 500 and -p esp will be needed for a firewall;
> and only -p udp 4500 for a NAT.

Thanks for your help. I made it work by adding "500" after -p udp in
the first command. Does this make a security risk?

- Gergely


* Re: VPN client from behind a firewall
  2008-06-24  8:36     ` Gergely Buday
@ 2008-06-24  8:58       ` Jan Engelhardt
  2008-06-24 10:14         ` Gergely Buday
  0 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2008-06-24  8:58 UTC (permalink / raw)
  To: Gergely Buday; +Cc: mathieu, netfilter


On Tuesday 2008-06-24 10:36, Gergely Buday wrote:
>> As such -p udp 500 and -p esp will be needed for a firewall;
>> and only -p udp 4500 for a NAT.
>
>Thanks for your help. I made it work by adding "500" after -p udp in
>the first command. Does this make a security risk?

Rent a security guy who will talk you into it being either
"yeah that's secure" or "well but that opens holes"? :-)


* Re: VPN client from behind a firewall
  2008-06-24  8:58       ` Jan Engelhardt
@ 2008-06-24 10:14         ` Gergely Buday
  0 siblings, 0 replies; 6+ messages in thread
From: Gergely Buday @ 2008-06-24 10:14 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: mathieu, netfilter

2008/6/24 Jan Engelhardt <jengelh@medozas.de>:
>
> On Tuesday 2008-06-24 10:36, Gergely Buday wrote:
>>> As such -p udp 500 and -p esp will be needed for a firewall;
>>> and only -p udp 4500 for a NAT.
>>
>>Thanks for your help. I made it work by adding "500" after -p udp in
>>the first command. Does this make a security risk?
>
> Rent a security guy who will talk you into it being either
> "yeah that's secure" or "well but that opens holes"? :-)

Oh, thanks. I thought that it was just me who did not understand security :-)

- Gergely
