Re: [pmfirewall] Protocol filter ?


From: Mick Smothers (mick@midsouth.rr.com)
Date: Tue Jan 16 2001 - 07:00:05 PST


Here's what I have in my pmfirewall.rules.local file for handling
forwarding IPSec traffic to a client behind my firewall. PPTP should
work similarly, but with a different port/protocol.

----------------------< clip here >------------------------
#===VPN Setup
# IP setup
IPSECSVR=x.x.x.x/32
IPSECCLIENT=y.y.y.y/32
# UDP port 500 packets
$IPCHAINS -A forward -p udp -s $IPSECCLIENT 500 -d $IPSECSVR 500 -i $OUTERIF -j MASQ
$IPCHAINS -A output -p udp -s $OUTERIP 500 -d $IPSECSVR 500 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $IPSECSVR 500 -d $OUTERIP 500 -i $OUTERIF -j ACCEPT
# Protocol 50 Packets
$IPCHAINS -A forward -p 50 -s $IPSECCLIENT -d $IPSECSVR -i $OUTERIF -j MASQ
$IPCHAINS -A output -p 50 -s $OUTERIP -d $IPSECSVR -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p 50 -s $IPSECSVR -d $OUTERIP -i $OUTERIF -j ACCEPT
# Forwarding
/usr/sbin/ipmasqadm portfw -a -Pudp -L $OUTERIP 500 -R $IPSECCLIENT 500
/usr/sbin/ipfwd $IPSECCLIENT 50 &

----------------------< clip here >------------------------

Hope this helps.

- Mick Smothers

Jean-Paul Felix wrote:

> I have the following in my rules.local but an internal (masq'd) client
> attempting a VPN connection with a machine on the Internet doesn't work.
> Using tcpdump -i eth0 -n proto 47 or port 1723 I've noticed that 'gre encap'
> packets arrive at the internal nic but tcpdump -i eth1 -n proto 47 or port
> 1723 doesn't show them going out on the external nic. Port 1723 seems to
> negotiate okay.
> Anyone any ideas please?
>
> #VPN
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1723 -j ACCEPT
> $IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 1723 -j ACCEPT
> $IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT
>
> -----Original Message-----
> From: thc@www.c0wz.com [mailto:thc@www.c0wz.com]
> Sent: Friday, January 12, 2001 1:40 PM
> To: pmfirewall@pointman.org
> Subject: Re: [pmfirewall] Protocol filter ?
>
>
> On Fri, Jan 12, 2001 at 11:36:19AM -0500, Johannes B. Ullrich scribbled:
>
>> to filter a protocol: $IPCHAINS -A input -p 47 -s (ip of vpn server) -j ALLOW
>
>
> You can use protocol numbers? And all this time, I've been doing it
> the hard way, using names...
>
> Anyway, I was under the impression that Zaf needed to port forward,
> but if he only needed to filter..
>
> BTW, it's ACCEPT, not ALLOW, right?
>
>> ---
>> jullrich@euclidian.com - http://www.dshield.org
>> ---
>>
>> On Fri, 12 Jan 2001 zaf@munters.co.uk wrote:
>>
>>> Dear All,
>>>
>>> I have been reading about VPNs and have decided to set up a VPN server
>>> behind my firewall on an NT4.0 server. To enable this to work apparently I
>>> have to do the following to my firewall ...
>>>
>>> "PPTP can be set up behind a firewall. The firewall must be configured to
>>> allow port 1723 and protocol 47 (GRE) to pass through. Most users make the
>>> mistake of configuring only port 1723 and not protocol 47. Many older
>>> firewalls do not support protocol 47 and are not compatible."
>>>
>>> I have done the first part with port 1723 but can't seem to understand how
>>> ipchains+pmfirewall can filter on protocol 47??!!
>>>
>>> What commands would I use if any ?
>>>
>>> Any help would be gratefully appreciated.
>>>
>>> I have considered the possibility of installing a VPN server on my
>>> firewall but would prefer the VPN server being behind the firewall.
>>>
>>>
>>>
>>> kind regards,
>>>
>>>
>>>
>>> Zaf Iqbal
>>> IT Technical Support
>>> Munters UK Limited
>>>
>>> Tel: 01480 442332
>>> Fax: 01480 454043
>>> Web: http://www.munters.co.uk
>>>
>>> This e-mail and any files transmitted with it are confidential and
>>> intended solely for the use of the individual or entity to whom they are
>>> addressed. If you have received this email in error please notify the
>>> system administrator - info@munters.co.uk. Any views or opinions
>>> expressed in this e-mail are those of the sender
>>> and do not necessarily coincide with those of Munters UK Limited.
>>
>> ****************************************************************************
>> * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
>> * in the message body to majordomo@pointman.org. Please direct other
>> * questions, comments, or problems to pmfirewall-owner@pointman.org.
>> *
>> * Need answers fast? Check the list archive located at:
>> * http://www.pointman.org/PMFirewall/list-archive/
>> *
>

-- 
  Mick Smothers
  Memphis, TN USA
  mick@midsouth.rr.com
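The recurring point in this thread is that accepting port 1723 alone is not enough: protocol 47 (GRE) has to be accepted too, and for a masqueraded client behind the firewall it also has to be carried through the forward chain and ipfwd, as the IPSec rules above do for protocol 50. As an added example that is not from any poster in this thread, here is a small POSIX shell checker that flags both gaps in a pmfirewall-style rules file; the rules files it writes are constructed samples, and $PPTPCLIENT and $PPTPSVR are assumed variable names.

```shell
#!/bin/sh
# Added example (not from any posting in this thread): a static check over an
# ipchains rules file for the two gaps the thread discusses:
#   1. TCP 1723 is accepted but IP protocol 47 (GRE) never is;
#   2. GRE is accepted on input but nothing carries it to a masqueraded
#      client (no forward rule and no ipfwd for protocol 47).
# count_rules FILE REGEX -> number of uncommented lines matching REGEX
count_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -E -c -- "$2" || true
}
# check_pptp_rules FILE -> 0 complete, 1 GRE never accepted,
# 2 GRE accepted on input but not forwarded to the internal client
check_pptp_rules() {
    f="$1"
    tcp1723=$(count_rules "$f" '-A input .*-p tcp .*1723')
    gre_in=$(count_rules "$f" '-A input .*-p (47|gre)([[:space:]]|$)')
    gre_fwd=$(count_rules "$f" \
        '(-A forward .*-p (47|gre)([[:space:]]|$)|ipfwd .* 47([[:space:]]|$))')
    if [ "$tcp1723" -gt 0 ] && [ "$gre_in" -eq 0 ]; then
        echo "$f: port 1723 accepted but protocol 47 (GRE) is not"; return 1
    fi
    if [ "$gre_in" -gt 0 ] && [ "$gre_fwd" -eq 0 ]; then
        echo "$f: GRE accepted on input but no forward/ipfwd rule for protocol 47"; return 2
    fi
    echo "$f: port 1723 and GRE rules present"; return 0
}
# Constructed samples. 1: port 1723 only (the mistake quoted in the thread).
write_1723_only() {
    printf '%s\n' '$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1723 -j ACCEPT' > "$1"
}
# 2: the input-only rules from the question (GRE arrives but is not forwarded).
write_input_only() {
    write_1723_only "$1"
    printf '%s\n' '$IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT' >> "$1"
}
# 3: the same plus a forward/MASQ rule and ipfwd for GRE, modelled on the IPSec
# rules above ($PPTPCLIENT and $PPTPSVR are assumed variable names).
write_complete() {
    write_input_only "$1"
    cat >> "$1" <<'EOF'
$IPCHAINS -A forward -p 47 -s $PPTPCLIENT -d $PPTPSVR -i $OUTERIF -j MASQ
/usr/sbin/ipfwd $PPTPCLIENT 47 &
EOF
}
# Demo: write the three samples and report on each.
d=$(mktemp -d); write_1723_only "$d/a"; write_input_only "$d/b"; write_complete "$d/c"
for f in "$d"/*; do check_pptp_rules "$f" || :; done; rm -rf "$d"
```

Run it against your own pmfirewall.rules.local with `check_pptp_rules /path/to/rules`; a nonzero exit code names the missing piece.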




This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:38:49 PDT