From: Mark Dalton (mwd@sgi.com)
Date: Wed Apr 12 2000 - 14:43:31 PDT
There are probably a couple of possibilities. You are using IP Masquerading.
Some of the VPN solutions have a '-n' option, which is the NAT (Network Address
Translation) flag, which I believe tries to go over port 80.
Port 500 is UDP.
Ports 50 & 51 should be both (UDP and TCP).
My guess is it should end up something like this for a conservative site.
VPN_SERVER=[VPN Server IP address]
$IPCHAINS -A input -p tcp -s $VPN_SERVER -d $REMOTENET 50 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 50 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p tcp -s $VPN_SERVER -d $REMOTENET 51 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 51 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 500 -i $OUTERIF -j ACCEPT
Or, for the more liberal:
$IPCHAINS -A input -i eth0 -s $VPN_SERVER -d 0/0 -j ACCEPT
$IPCHAINS -A output -i eth0 -s 0/0 -d $VPN_SERVER -j ACCEPT
$IPCHAINS -A input -i eth1 -s $VPN_SERVER -d 0/0 -j ACCEPT
$IPCHAINS -A output -i eth1 -s 0/0 -d $VPN_SERVER -j ACCEPT
I need to think about it more, but perhaps this will get some ideas started.
I did not need to tweak the 'kernel', but we are using VPN from Compatible
Systems (now owned by Cisco), which does have its own module that is loaded
into the kernel.
Which VPN solution are you using?
- Some proprietary version?
- The open linux solutions?
Also, this is assuming that you do not have another firewall between you and
the server (besides the firewalls you control); some ISPs have their own
firewall (which I ran into with one of my home ISPs).
Mark
>
> I am using tunneling software to access my company's intranet from my
> home network. I am running ipchains configured with pmfirewall (1.1.2), and
> all access will take place from an NT machine on my home network.
>
> Specifically, assume that
> -The NT machine is (right now) at IP 198.162.1.2
> -The server running linux has two nics: eth1 is at say 111.111.111.111
> and eth1 at 192.168.1.1.
> -The NT machine gets its IP via dhcpd on the 198.162.1 segment and
> finally,
> -The gateway to my company's intranet is at fixed IP address, say
> 555.555.555.555
>
> The tunneling software needs:
> 1. port UDP 500 not be redirected
> 2. IPSEC Type 50 and 51 not be filtered. Note that IPSEC Type 50 and 51
> are also known as AAgent ESP
> (at least that's what I have been told)
>
> Given the above details, I suspect I need to add to pmfirewall.
>
> $IPCHAINS -A input -s 555.555.555.555 -d $OUTERNET 500 -j ACCEPT
> to allow the 555.555.555.555 machine to talk to my network, but
>
> 1. how do I make sure that the packets are not redirected, and
> 2. how do I configure pmfirewall to allow those IPSEC ports without filtering
> them?
>
> Thanks for any help you may have on this.
>
> Naji.
>
>
>
> ****************************************************************************
> * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> * in the message body to majordomo@pointman.org. Please direct other
> * questions, comments, or problems to pmfirewall-owner@pointman.org.
>
--
Mark Dalton
Cray Research (SGI)
Eagan, MN 55121
mwd@sgi.com
My home page: http://www.cbc.umn.edu/~mwd/mwd.html
Cell Biology: http://www.cbc.umn.edu/~mwd/cell.html
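The point the thread turns on, as an added example that is not part of either message or of pmfirewall: ESP and AH are IP protocols 50 and 51 (not ports), while IKE is UDP port 500, so an ipchains rule that names 50 or 51 as a TCP or UDP port never matches IPsec traffic. The script below generates ipchains rules on that basis and audits a rule file for the port/protocol mix-up; the peer address 203.0.113.5 and the interface name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original message or from pmfirewall):
# emit ipchains rules for an IPsec peer. ESP and AH are IP protocols
# 50 and 51, not TCP/UDP ports, so they are matched with -p and no port;
# IKE is UDP port 500 and is matched on the port. Addresses passed in
# are constructed placeholders. IPCHAINS defaults to an echo so the
# rules can be reviewed (dry run); set IPCHAINS=/sbin/ipchains to apply.
: "${IPCHAINS:=echo ipchains}"

# ipsec_rules VPN_SERVER OUTERIF
#   VPN_SERVER  address of the remote IPsec gateway
#   OUTERIF     the external interface of the firewall
ipsec_rules() {
    vpn=$1; outerif=$2
    # IKE: UDP/500 in both directions, matched on source and dest port.
    $IPCHAINS -A input -p udp -s "$vpn" 500 -d 0/0 500 -i "$outerif" -j ACCEPT
    $IPCHAINS -A output -p udp -s 0/0 500 -d "$vpn" 500 -i "$outerif" -j ACCEPT
    # ESP (50) and AH (51): protocol match only; a port here would never
    # match. AH authenticates the IP header, so it cannot survive address
    # translation; only ESP has a chance of working through masquerading.
    for proto in 50 51; do
        $IPCHAINS -A input -p "$proto" -s "$vpn" -d 0/0 -i "$outerif" -j ACCEPT
        $IPCHAINS -A output -p "$proto" -s 0/0 -d "$vpn" -i "$outerif" -j ACCEPT
    done
}

# misfiled_ipsec_rules FILE
#   Print lines of an ipchains rule file that treat ESP/AH as a TCP or
#   UDP port (e.g. "-p udp ... 50"); such rules never match IPsec traffic.
#   Exit status is 0 when at least one such line is found (grep semantics).
misfiled_ipsec_rules() {
    grep -E -e '-p (tcp|udp) .*[[:space:]](50|51)([[:space:]]|$)' "$1"
}

# Dry-run usage: print the generated rules for a constructed peer address.
ipsec_rules 203.0.113.5 eth0
```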
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:34:28 PDT