* VPN client from behind a firewall
@ 2008-06-16 11:44 Gergely Buday
From: Gergely Buday @ 2008-06-16 11:44 UTC (permalink / raw)
To: netfilter
Dear All,
I would like to use a Cisco VPN client from behind my CentOS server,
which has an iptables firewall. The network topology is as follows:
eth0 is towards the ISP, eth1 heads the local clients. Up to now I
used
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-IPTABLES
but this clearly needs extension. What I know is that I should allow
the IPSec port (500) to be open. What else, and how? I'm not very
familiar with iptables, so some pointers would be more than welcome.
Best Wishes
- Gergely
* Re: VPN client from behind a firewall
From: mathieu @ 2008-06-16 12:09 UTC (permalink / raw)
To: netfilter
Hi,
You need to authorize traffic and masquerade/SNAT connections and allow
forwarding.
Authorize:

iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP --sport 500 -m state --state ESTABLISHED -j ACCEPT

SNAT (replace the internal address with a public one):

iptables -t nat -A POSTROUTING -o eth0 -p udp -d $VPN_SERVER_IP --dport 500 -j SNAT --to-source $PUB_IP

It looks like UDP ports 4500 and 10000 are also used. And the client must be a SecureNAT one (I can't confirm, I'm not using a Cisco VPN).
Regards,
m.e.
Gergely Buday wrote:
> Dear All,
>
> I would like to use a Cisco VPN client from behind my CentOS server,
> which has an iptables firewall. The network topology is as follows:
> eth0 is towards the ISP, eth1 heads the local clients. Up to now I
> used
>
> http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-IPTABLES
>
> but this clearly needs extension. What I know is that I should allow
> the IPSec port (500) to be open. What else, and how? I'm not very
> familiar with iptables, so some pointers would be more than welcome.
>
> Best Wishes
>
> - Gergely
* Re: VPN client from behind a firewall
From: Jan Engelhardt @ 2008-06-16 15:21 UTC (permalink / raw)
To: mathieu; +Cc: netfilter
On Monday 2008-06-16 14:09, mathieu wrote:
> Hi,
>
> You need to authorize traffic and masquerade/SNAT connections and allow
> forwarding.
>
> Authorize:
>
> iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP
> --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP
> --sport 500 -m state --state ESTABLISHED -j ACCEPT
>
> SNAT (replace the internal address with a public one):
But only if you have a NAT. A firewall is not a NAT, and vice-versa.
As such -p udp 500 and -p esp will be needed for a firewall;
and only -p udp 4500 for a NAT.
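The rule set the two replies above describe, written out as one script. This is an added example for this page, not code posted by either author or taken from the IP-Masquerade HOWTO. It assumes eth0 is the WAN side and eth1 the LAN side as in the original question, a LAN of 192.168.1.0/24, and placeholder VPN server / public addresses from the RFC 5737 documentation ranges; the $VPN_SERVER_IP and $PUB_IP variable names come from the thread, everything else is an assumption. The return-path rule only admits ESTABLISHED/RELATED packets from the VPN server, which is the firewall-side answer to "does opening 500 create a risk": nothing from the outside can open a new flow inward through these rules. Run it with IPT_DRY_RUN=1 to review the commands before applying them as root.

```shell
#!/bin/sh
# Added example: IPsec (IKE, NAT-T, ESP) pass-through for a Cisco VPN client
# sitting behind a CentOS iptables box that also does SNAT. Not from the thread.
# Assumptions (all placeholders, adjust to your site):
WAN_IF=${WAN_IF:-eth0}                       # towards the ISP (as in the question)
LAN_IF=${LAN_IF:-eth1}                       # towards the local clients
LAN_NET=${LAN_NET:-192.168.1.0/24}           # assumed LAN prefix
VPN_SERVER_IP=${VPN_SERVER_IP:-203.0.113.10} # assumed, RFC 5737 TEST-NET-3
PUB_IP=${PUB_IP:-198.51.100.2}               # assumed public address on $WAN_IF

# ipt: wrapper so the same function can either apply rules (root) or, with
# IPT_DRY_RUN=1, print them for review without touching the kernel.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Emits/applies the five rules. Requires net.ipv4.ip_forward=1, which the
# HOWTO script from the question already sets.
ipsec_passthrough_rules() {
    # IKE (ISAKMP): UDP/500, LAN -> VPN server. NEW is allowed only in this
    # direction, so the LAN client must initiate.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_SERVER_IP" \
        -p udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
    # NAT-Traversal (RFC 3948): UDP/4500, used once the client detects it is
    # behind a NAT; ESP is then carried inside UDP.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_SERVER_IP" \
        -p udp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Plain ESP (IP protocol 50): only needed when there is no NAT in the path
    # (a pure firewall). Harmless to keep; NAT-T takes precedence when present.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_SERVER_IP" \
        -p esp -j ACCEPT
    # Return path: anything from the VPN server, but only for flows conntrack
    # already knows. ESP is tracked by the generic tracker (address pair only),
    # so the explicit -s pin matters more than usual here.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$VPN_SERVER_IP" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SNAT the LAN client to the public address for all traffic to the server.
    # Not restricted to UDP so that plain ESP is rewritten as well.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -d "$VPN_SERVER_IP" \
        -j SNAT --to-source "$PUB_IP"
}

# Usage:  IPT_DRY_RUN=1 sh vpn-passthrough.sh show     (review the commands)
#         sh vpn-passthrough.sh apply                  (as root)
case "${1:-}" in
    apply) ipsec_passthrough_rules ;;
    show)  IPT_DRY_RUN=1; ipsec_passthrough_rules ;;
esac
```

One caveat when several LAN clients use the same VPN concentrator through this box: with SNAT the kernel keeps source port 500 for the first client and rewrites it for later ones, and some IKE peers insist on port 500; NAT-T on 4500 exists precisely to cope with that, which is why the 4500 rule is not optional behind a NAT.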
* Re: VPN client from behind a firewall
From: Gergely Buday @ 2008-06-24 8:36 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: mathieu, netfilter
2008/6/16 Jan Engelhardt <jengelh@medozas.de>:
>
> On Monday 2008-06-16 14:09, mathieu wrote:
>
>> Hi,
>>
>> You need to authorize traffic and masquerade/SNAT connections and allow
>> forwarding.
>>
>> Authorize:
>>
>> iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP
>> --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
>> iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP
>> --sport 500 -m state --state ESTABLISHED -j ACCEPT
>>
>> SNAT (replace the internal address with a public one):
>
> But only if you have a NAT. A firewall is not a NAT, and vice-versa.
>
> As such -p udp 500 and -p esp will be needed for a firewall;
> and only -p udp 4500 for a NAT.
Thanks for your help. I made it work by adding "500" after -p udp in
the first command. Does this make a security risk?
- Gergely
* Re: VPN client from behind a firewall
From: Jan Engelhardt @ 2008-06-24 8:58 UTC (permalink / raw)
To: Gergely Buday; +Cc: mathieu, netfilter
On Tuesday 2008-06-24 10:36, Gergely Buday wrote:
>> As such -p udp 500 and -p esp will be needed for a firewall;
>> and only -p udp 4500 for a NAT.
>
>Thanks for your help. I made it work by adding "500" after -p udp in
>the first command. Does this make a security risk?
Rent a security guy who will talk you into it being either
"yeah that's secure" or "well but that opens holes"? :-)
* Re: VPN client from behind a firewall
From: Gergely Buday @ 2008-06-24 10:14 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: mathieu, netfilter
2008/6/24 Jan Engelhardt <jengelh@medozas.de>:
>
> On Tuesday 2008-06-24 10:36, Gergely Buday wrote:
>>> As such -p udp 500 and -p esp will be needed for a firewall;
>>> and only -p udp 4500 for a NAT.
>>
>>Thanks for your help. I made it work by adding "500" after -p udp in
>>the first command. Does this make a security risk?
>
> Rent a security guy who will talk you into it being either
> "yeah that's secure" or "well but that opens holes"? :-)
Oh, thanks. I thought that it was just me who did not understand security :-)
- Gergely