LinuxQuestions.org
Old 10-06-2004, 04:01 PM   #1
chibione
LQ Newbie
 
Registered: Sep 2003
Location: Monterrey, Mexico
Distribution: RH 7
Posts: 4

Rep: Reputation: 0
Connecting to a VPN from a NAT, ipchain'd address


Greetings, Programs.

I inherited a small office network. The clients (Windows) connect via DHCP to the Internet by means of a Linux gateway/router. This old box provides these services with ipchains.

Now, a consultant needs to connect to a server on a customer's VPN using "Cisco VPN Client" from our office ("IPSec over NAT/UDP", I believe). The client establishes a [seemingly] successful connection to the VPN, yet when I ping its internal addresses, or try to access a corporate web server within..... nothing. Browser says "Host not found", ping gets "no reply".

I know the problem is my Linux box, because I tried connecting using other "internet viewable" connections (one including a dial-up ISP) and voilà: flawless access to the mentioned webserver.


I read elsewhere that I should enable ports 47,1723,50,264 and UDP 500. I tried doing that adding the following to my ipchains script:
Code:
#Allow VPN
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 47 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 50 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 264 -j ACCEPT 
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 500 -j ACCEPT
But still... nothing. VPN connection is established, but can't access anything within the VPN.


Am I on the right track or is it something else? Perhaps it's a problem with my "core" ipchains configuration?


Please bear with me, as I am not well versed in the subject.
Any help would be most appreciated.

My ipchains script is as follows. XXX.XX.XXX.XX is my GW's viewable IP.
Code:
#!/bin/sh
   echo "Starting firewalling....."

   # Flush and set default policy of ACCEPT

   # Remove all existing rules belonging to this filter
   ipchains -F input
   ipchains -F output
   ipchains -F forward

   # Set the default rules belonging to this filter
   ipchains -P input ACCEPT
   ipchains -P output ACCEPT
   ipchains -P forward ACCEPT

   # Enable TCP SYN Cookie Protection
   echo 1 >/proc/sys/net/ipv4/tcp_syncookies

   # enable ip spoofing protection

   # turn on source address verification
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > $f
   done

   # disable ICMP redirect acceptance (this block pointed at accept_source_route and
   # wrote an empty line; it must write 0 to accept_redirects)
   for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   echo 0 > $f
   done

   # disable source routed packets
   for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   echo 0 > $f
   done
   
   # enable masquerading
   ipchains -P forward DENY
   ipchains -A forward -s 192.168.1.0/24 -j MASQ

   # test rule on the mail Linux box
   ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 ! 1863:8888 -j ACCEPT

   # rules for standard unroutables
   ipchains -A input -i eth0 -s 255.255.255.255/32 -b -j DENY 
   ipchains -A input -i eth0 -s 127.0.0.0/8 -b -j DENY

   # rules for private (RFC1918) addresses
   #ipchains -A input -i eth0 -s 10.0.0.0/8 -b -j DENY
   #ipchains -A input -i eth0 -s 172.16.0.0/12 -b -j DENY
   #ipchains -A input -i eth0 -s 192.168.0.0/16 -b -j DENY


   #rule for reserved addresses
   ipchains -A input -i eth0 -s 240.0.0.0/5 -b -j DENY

   # rule for protecting internal network from spoofing
   ipchains -A input -i eth0 -s 192.168.1.0/24 -j DENY

   # rule to block incoming and outgoing telnet connections
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 23 -j DENY

   # rule to block incoming and outgoing ssh connections
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 22 -j DENY

   # rule to block incoming and outgoing FTP connections
   ## ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 21 -j DENY

   # rule to block incoming and outgoing WinNT 4.0 NetBIOS connections
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 139 -j DENY
   ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
   ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY

   # rule to block incoming and outgoing Win2000 NetBIOS connections
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY
   ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY

   # rule to block incoming and outgoing rlogin/rsh/rexec connections
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 512:514 -j DENY
   ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 512:514 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 513 -j DENY
   ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 513 -j DENY

   # rule to block incoming and outgoing connections for Portmap/rpcbind
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 111 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 111 -j DENY

   # rule to block incoming and outgoing connections for NFS (default port)
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY

   # rule to block incoming and outgoing lockd requests
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 4045 -j DENY

   # rule for blocking inbound and outbound Windows NT 4.0 NetBIOS queries
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
   ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
   ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY

   # rule for blocking inbound and outbound Windows 2000 NetBIOS queries
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
   ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
   ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY
   ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY

   # rule to block incoming and outgoing X session establishment
   ipchains -A output -i eth0 -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 6000:6255 -j REJECT
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 6000:6255 -j DENY

   # rule to block incoming dns queries to all but one internal master server (192.168.0.1)
   ## ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d ! 192.168.0.1/24 53 -j DENY
   ## ipchains -A output -i eth0 -p udp -s ! 192.168.0.1 53 -d 0.0.0.0/0 -j DENY

   # rule to allow outgoing dns queries from our internal name server (192.168.0.1)
   ## ipchains -A output -i eth0 -p udp -s 192.168.0.1/24 -d 0.0.0.0/0 53 -j ACCEPT
   ## ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 53 -d 192.168.0.1/32 -j ACCEPT

   # rule to allow incoming zone transfer requests from our external slave server (192.168.1.1)
   ## ipchains -A input -i eth0 -p tcp -s ! 192.168.1.1/32 -d ! 192.168.0.1/32 53 -j DENY
   ## ipchains -A output -i eth0 -p udp -s ! 192.168.0.1/32 53 -d ! 192.168.1.1/32 -j DENY

   # rule to block incoming and outgoing LDAP service requests
   # (the first rule had no destination address, so "389" would have been taken as a host name)
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 389 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 192.168.1.0/24 389 -j DENY

   # rule to block incoming SMTP traffic except to the internal mail server (192.168.0.1) from the external mail relay 192.168.1.1
   ## ipchains -A input -i eth0 -p tcp -s ! 192.168.1.1/32 -d ! 192.168.0.1/32 25 -j DENY
   

   ipchains -A input -i eth0 -p tcp -s 192.168.1.0/24 -d XXX.XX.XXX.XXX/32 110 -j ACCEPT
   ipchains -A input -i eth0 -p tcp -s 192.168.1.0/24 -d XXX.XX.XXX.XXX/32 143 -j ACCEPT
   ipchains -A output -i eth0 -p tcp -s XXX.XX.XXX.XXX/32 -d 192.168.1.0/24 110 -j ACCEPT
   ipchains -A output -i eth0 -p tcp -s XXX.XX.XXX.XXX/32 -d 192.168.1.0/24 143 -j ACCEPT

   ipchains -A output -i eth0 -p tcp -s ! 192.168.0.1/32 25 -d ! 192.168.1.1/32  -j ACCEPT
   # rule to block incoming POP and IMAP traffic
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 109:110  -j DENY
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 25 -j DENY
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 143  -j DENY

   # rule to block all incoming HTTP server requests

   # ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 80  -j DENY
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 80 443 -j DENY

   # rule to block all other HTTP server request ports
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 8000 -j DENY
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 8080 -j DENY
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 8888 -j DENY
   #ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 81 -j DENY

   # rule to block incoming and outgoing small services 
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 0:19  -j DENY
   ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 0:19 -d 0.0.0.0/0 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 0:19  -j DENY
   ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 0:19 -d 0.0.0.0/0  -j DENY

   # rule to block incoming and outgoing TFTP server requests
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 69 -j DENY

   # rule to block incoming and outgoing finger requests
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 79 -j DENY

   # rule to block incoming and outgoing NNTP server requests
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 119 -j DENY

   # rule to block incoming and outgoing NTP server requests
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 123 -j DENY

   # rule to block incoming and outgoing LPD printer jobs
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 515 -j DENY

   # rule to block incoming and outgoing syslog messages
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 514 -j DENY

   # rules to block incoming and outgoing SNMP polling requests
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 161:162 -j DENY
   ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 161:162 -j DENY

   # rule to block incoming and outgoing BGP route messages
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 179 -j DENY

   # rule to block incoming and outgoing SOCKS server connections
   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1080 -j DENY

   # rule to block incoming ICMP echo requests 
   ipchains -A input -i eth0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 8 -j DENY

   # rule to block outgoing ICMP echo replies
   #ipchains -A output -i eth0 -p icmp -s 0.0.0.0/0 0 -d 0.0.0.0/0 -j DENY

   # rule to block outgoing time exceeded and unreachable messages
   ipchains -A output -i eth0 -p icmp -s 192.168.1.0/24 11 -d 0.0.0.0/0  -j DENY
   ipchains -A output -i eth0 -p icmp -s 192.168.1.0/24 3 -d 0.0.0.0/0 -j DENY
 
Old 10-06-2004, 05:29 PM   #2
Sutekh
Member
 
Registered: Apr 2002
Location: Melbourne, Australia
Distribution: Gentoo
Posts: 273

Rep: Reputation: 30
I don't have any experience with the Cisco VPNs but I can make some general observations...

Generally when your machine connects to an external box it attaches to a known port on their end (say port 80 for HTTP) and generates a (pseudo) random port at your end. So the rules you inserted to open up your input chain won't really help - those would be required if your Linux box was running the Cisco VPN, but it's not.

You can open all the ports above 1024 to return traffic, but seeing as the default policy is ACCEPT that probably isn't required. It would be well worth the effort to update to iptables, for what it's worth. I realise that is not a simple task (presumably you are running a 2.2.x kernel) and you probably don't want to break something that is already working, but it will simplify and secure your ruleset quite a bit (a default policy of allow always worries me).

Now from memory a packet to another machine travels through input, forward and output, so if there are any impediments to that packet in any of those chains there might be a prob (mind you, having a quick look I couldn't see anything).

You probably should read the ipchains HOWTO as well to get to grips with ipchains et al.

I will re-read through the rules and try to get ipchains back in my head (it has been several years after all ;-))

If there is a possibility of upgrading to 2.4.x and iptables and you need help doing so let me know - it will make life a lot easier for you in the long run (IMHO).

rich
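To make the two points in the reply above concrete, here is an added example, not code from the thread or from ipchains itself: a small Python evaluator that parses the option subset the posted script uses and runs constructed packets through the input, forward and output chains with ipchains' first-match semantics and a MASQ source rewrite. It shows that under the default ACCEPT policy the "UDP 500 ACCEPT" rule changes nothing for the concentrator's reply, that an ESP packet passes every "-p tcp ... 50" rule untouched and falls through to the policy (50 is ESP's IP protocol number and 47 is GRE's, so ipchains would have to match them with -p rather than as TCP destination ports), and that a LAN address arriving on the outside interface is dropped by the script's anti-spoofing rule. The gateway and peer addresses, the interface names (LAN on eth1, Internet on eth0) and the order of the rules are assumptions; ICMP type/code matching is not modelled.

```python
"""Toy first-match evaluator for the ipchains syntax used in the posted script.
Added example, not code from the thread or from ipchains. Addresses, interface
names and rule order are assumptions; ICMP type/code matching is not modelled."""
from __future__ import annotations
import ipaddress
import shlex
from dataclasses import dataclass
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    chain: str
    target: str = ""
    iface: str | None = None
    proto: int | None = None                 # IP protocol number; None matches any
    src: tuple = (ANY, False, None)          # (network, negated, port spec or None)
    dst: tuple = (ANY, False, None)          # port spec is (low, high, negated)

@dataclass
class Packet:
    iface: str
    proto: int                               # ESP is protocol 50, GRE is 47: not TCP ports
    src: str
    dst: str
    sport: int | None = None
    dport: int | None = None

def _net(text: str) -> ipaddress.IPv4Network:
    addr, _, plen = text.partition("/")
    addr = "0.0.0.0" if addr == "0" else addr            # ipchains shorthand 0/0
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one 'ipchains -A' line using -i -p -s -d -j and '!' negation."""
    tok = shlex.split(line)
    rule, i = Rule(chain=tok[2]), 3
    while i < len(tok):
        t, i = tok[i], i + 1
        if t == "-i":
            rule.iface, i = tok[i], i + 1
        elif t == "-j":
            rule.target, i = tok[i], i + 1
        elif t == "-p":
            rule.proto, i = PROTO_NUM[tok[i].lower()], i + 1
        elif t in ("-s", "-d"):                          # [!] addr[/len] [[!] port[:port]]
            neg = tok[i] == "!"
            net, i = _net(tok[i + neg]), i + neg + 1      # a bool counts as 0 or 1 here
            pneg = i < len(tok) and tok[i] == "!"
            ports, i = None, i + pneg
            if i < len(tok) and not tok[i].startswith("-"):
                low, _, high = tok[i].partition(":")
                ports, i = (int(low), int(high or low), pneg), i + 1
            setattr(rule, "src" if t == "-s" else "dst", (net, neg, ports))
        else:
            raise ValueError(f"unsupported option {t!r} in {line!r}")
    return rule

def _side_ok(side: tuple, ip: str, port: int | None) -> bool:
    net, neg, spec = side
    if (ipaddress.ip_address(ip) in net) == neg:
        return False
    return spec is None or (port is not None and spec[0] <= port <= spec[1]) != spec[2]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in (None, pkt.iface) and rule.proto in (None, pkt.proto)
            and _side_ok(rule.src, pkt.src, pkt.sport) and _side_ok(rule.dst, pkt.dst, pkt.dport))

def first_match(chain: str, rules: list[Rule], pkt: Packet) -> int | None:
    # index of the first matching rule in the chain; None means only the policy applies
    return next((i for i, r in enumerate(rules) if r.chain == chain and matches(r, pkt)), None)

def verdict(chain: str, rules: list[Rule], policies: dict, pkt: Packet) -> str:
    idx = first_match(chain, rules, pkt)
    return policies[chain] if idx is None else rules[idx].target

def trace(rules: list[Rule], policies: dict, pkt: Packet, gateway_ip: str, out_iface: str) -> dict:
    # input -> forward -> output, stopping at the first DENY/REJECT; a MASQ verdict rewrites
    # the source to the gateway address before the output chain (port rewriting omitted)
    out = {"input": verdict("input", rules, policies, pkt)}
    if out["input"] not in ("DENY", "REJECT"):
        out["forward"] = verdict("forward", rules, policies, pkt)
    if out.get("forward") not in (None, "DENY", "REJECT"):
        src = gateway_ip if out["forward"] == "MASQ" else pkt.src
        egress = Packet(out_iface, pkt.proto, src, pkt.dst, pkt.sport, pkt.dport)
        out["output"] = verdict("output", rules, policies, egress)
    return out

POLICIES = {"input": "ACCEPT", "output": "ACCEPT", "forward": "DENY"}   # as in the posted script
RULES = [parse_rule(line) for line in [          # lines from the posted script, order assumed
    "ipchains -A forward -s 192.168.1.0/24 -j MASQ",
    "ipchains -A input -i eth0 -s 192.168.1.0/24 -j DENY",
    "ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 47 -j ACCEPT",
    "ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 50 -j ACCEPT",
    "ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 500 -j ACCEPT",
]]
GATEWAY_IP, PEER_IP = "198.51.100.10", "203.0.113.5"   # constructed placeholder addresses
# Constructed packets; the LAN is assumed to be on eth1 and the Internet link on eth0.
IKE_OUT = Packet("eth1", 17, "192.168.1.10", PEER_IP, 500, 500)     # client -> concentrator
IKE_REPLY = Packet("eth0", 17, PEER_IP, GATEWAY_IP, 500, 500)       # concentrator -> gateway
ESP_IN = Packet("eth0", 50, PEER_IP, GATEWAY_IP)                    # protocol 50 carries no ports
SPOOFED = Packet("eth0", 17, "192.168.1.10", GATEWAY_IP, 500, 500)  # LAN address arriving outside
```

Calling trace(RULES, POLICIES, IKE_OUT, GATEWAY_IP, "eth0") returns {'input': 'ACCEPT', 'forward': 'MASQ', 'output': 'ACCEPT'}, the input/forward/output path the reply describes; first_match("input", RULES, IKE_REPLY) finds the UDP 500 rule, yet verdict("input", RULES[:2], POLICIES, IKE_REPLY) is ACCEPT without it, and first_match("input", RULES, ESP_IN) is None. Because ipchains keeps no connection state, the evaluator has none either: every reply packet is judged by its own header alone, which is why a default DENY policy on input would need the explicit return-traffic rules for ports above 1024 that the reply mentions.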