Greetings, Programs.
I inherited a small office network. The clients (Windows) connect via DHCP to the Internet by means of a Linux gateway/router. This old box provides these services with ipchains.
Now, a consultant needs to connect to a server on a customer's VPN using "Cisco VPN Client" from our office ("IPSec over NAT/UDP", I believe). The client establishes a [seemingly] successful connection to the VPN, yet when I ping its internal addresses, or try to access a corporate web server within..... nothing. Browser says "Host not found", ping gets "no reply".
I know the problem is my Linux box, because I tried connecting using other "internet viewable" connections (one including a dial-up ISP) and voilà: flawless access to the mentioned webserver.
I read elsewhere that I should enable ports 47, 1723, 50, 264 and UDP 500. I tried doing that by adding the following to my ipchains script:
Code:
#Allow VPN
# GRE (47) and ESP (50) are IP protocol numbers, not TCP ports, so they are
# matched with -p <protocol number> and no port; ipchains accepts numeric
# protocols as well as tcp/udp/icmp
ipchains -A input -i eth0 -p 47 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# PPTP control channel (TCP 1723)
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1723 -j ACCEPT
ipchains -A input -i eth0 -p 50 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 264 -j ACCEPT
# IKE (UDP 500)
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 500 -j ACCEPT
But still... nothing. VPN connection is established, but can't access anything within the VPN.
Am I on the right track or is it something else? Perhaps it's a problem with my "core" ipchains configuration?
Please bear with me, as I am not well versed in the subject.
Any help would be most appreciated.
My ipchains script is as follows. XXX.XX.XXX.XX is my GW's viewable IP.
Code:
#!/bin/sh
echo "Starting firewalling....."
# Flush and set default policy of ACCEPT
# Remove all existing rules belonging to this filter
ipchains -F input
ipchains -F output
ipchains -F forward
# Set the default rules belonging to this filter
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
# Enable TCP SYN Cookie Protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# enable ip spoofing protection
# turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# disable ICMP Redirect Acceptance
# (this loop must touch accept_redirects, not accept_source_route, and write a 0;
# an empty echo writes nothing useful to the sysctl)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# enable masquerading for the internal network
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ
# test rule on the linux mail server
ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 ! 1863:8888 -j ACCEPT
# rules for standard unroutables
ipchains -A input -i eth0 -s 255.255.255.255/32 -b -j DENY
ipchains -A input -i eth0 -s 127.0.0.0/8 -b -j DENY
# rules for private (RFC1918) addresses
#ipchains -A input -i eth0 -s 10.0.0.0/8 -b -j DENY
#ipchains -A input -i eth0 -s 172.16.0.0/12 -b -j DENY
#ipchains -A input -i eth0 -s 192.168.0.0/16 -b -j DENY
#rule for reserved addresses
ipchains -A input -i eth0 -s 240.0.0.0/5 -b -j DENY
# rule for protecting internal network from spoofing
ipchains -A input -i eth0 -s 192.168.1.0/24 -j DENY
# rule to block incoming and outgoing telnet connections
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 23 -j DENY
# rule to block incoming and outgoing ssh connections
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 22 -j DENY
#rule to block incoming and outgoing FTP connections
## ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 21 -j DENY
# rule to block incoming and outgoing WinNT 4.0 NetBIOS connections
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 139 -j DENY
ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
# rule to block incoming and outgoing Win2000 NetBIOS connections
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY
ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY
#rule to block incoming and outgoing rlogon connections
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 512:514 -j DENY
ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 512:514 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 513 -j DENY
ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 513 -j DENY
# rule to block incoming and outgoing connections for Portmap/rpcbind
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 111 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 111 -j DENY
# rule to block incoming and outgoing connections for NFS (default port)
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY
# rule to block incoming and outgoing lockd requests
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 4045 -j DENY
# rule for blocking inbound and outbound Windows NT 4.0 NetBIOS queries
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
# rule for blocking inbound and outbound Windows 2000 NetBIOS queries
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 135:139 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 137:138 -j DENY
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY
ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 445 -j DENY
# rule to block incoming and outgoing X session establishment
ipchains -A output -i eth0 -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 6000:6255 -j REJECT
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 6000:6255 -j DENY
# rule to block incoming dns queries to all but one internal master server (192.168.0.1)
## ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d ! 192.168.0.1/24 53 -j DENY
## ipchains -A output -i eth0 -p udp -s ! 192.168.0.1 53 -d 0.0.0.0/0 -j DENY
# rule to allow outgoing dns queries from our internal name server (192.168.0.1)
## ipchains -A output -i eth0 -p udp -s 192.168.0.1/24 -d 0.0.0.0/0 53 -j ACCEPT
## ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 53 -d 192.168.0.1/32 -j ACCEPT
# rule to allow incoming zone transfer requests from our external slave server (192.168.1.1)
## ipchains -A input -i eth0 -p tcp -s ! 192.168.1.1/32 -d ! 192.168.0.1/32 53 -j DENY
## ipchains -A output -i eth0 -p udp -s ! 192.168.0.1/32 53 -d ! 192.168.1.1/32 -j DENY
# rule to block incoming and outgoing LDAP service requests
# -d expects an address before the port; "-d 389" alone is parsed as a host name
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 389 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 192.168.1.0/24 389 -j DENY
# rule to block incoming SMTP traffic except to the internal mail server ( 192.168.0.1) from the external mail relay 192.168.1.1
##ipchains -A input -i eth0 -p tcp -s ! 192.168.1.1/32 -d ! 192.168.0.1/32 25 -j DENY
ipchains -A input -i eth0 -p tcp -s 192.168.1.0/24 -d XXX.XX.XXX.XXX/32 110 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 192.168.1.0/24 -d XXX.XX.XXX.XXX/32 143 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s XXX.XX.XXX.XXX/32 -d 192.168.1.0/24 110 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s XXX.XX.XXX.XXX/32 -d 192.168.1.0/24 143 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s ! 192.168.0.1/32 25 -d ! 192.168.1.1/32 -j ACCEPT
# rule to block incoming POP and IMAP traffic
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 109:110 -j DENY
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 25 -j DENY
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 143 -j DENY
# rule to block all incoming HTTP server requests
# ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 80 -j DENY
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 80 443 -j DENY
# rule to block all other HTTP server request ports
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 8000 -j DENY
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 8080 -j DENY
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 8888 -j DENY
#ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.1.0/24 81 -j DENY
# rule to block incoming and outgoing small services
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 0:19 -j DENY
ipchains -A output -i eth0 -p tcp -s 0.0.0.0/0 0:19 -d 0.0.0.0/0 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 0:19 -j DENY
ipchains -A output -i eth0 -p udp -s 0.0.0.0/0 0:19 -d 0.0.0.0/0 -j DENY
# rule to block incoming and outgoing TFTP server requests
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 69 -j DENY
# rule to block incoming and outgoing finger requests
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 79 -j DENY
# rule to block incoming and outgoing NNTP server requests
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 119 -j DENY
# rule to block incoming and outgoing NTP server requests
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 123 -j DENY
# rule to block incoming and outgoing LPD printer jobs
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 515 -j DENY
# rule to block incoming and outgoing syslog messages
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 514 -j DENY
# rules to block incoming and outgoing SNMP polling requests
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 161:162 -j DENY
ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 161:162 -j DENY
# rule to block incoming and outgoing BGP route messages
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 179 -j DENY
# rule to block incoming and outgoing SOCKS server connections
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1080 -j DENY
# rule to block incoming ICMP echo requests
# (for -p icmp, ipchains reads the ICMP type from the -s "port" and the ICMP
# code from the -d "port", so type 8 goes after the source address, as the
# time-exceeded/unreachable rules below already do)
ipchains -A input -i eth0 -p icmp -s 0.0.0.0/0 8 -d 0.0.0.0/0 -j DENY
# rule to block outgoing ICMP echo replies
#ipchains -A output -i eth0 -p icmp -s 0.0.0.0/0 0 -d 0.0.0.0/0 -j DENY
# rule to block outgoing time exceeded and unreachable messages
ipchains -A output -i eth0 -p icmp -s 192.168.1.0/24 11 -d 0.0.0.0/0 -j DENY
ipchains -A output -i eth0 -p icmp -s 192.168.1.0/24 3 -d 0.0.0.0/0 -j DENY
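Added example, not from the post and not an ipchains tool: a small Python linter that reads ipchains command lines and flags three mistakes that silently break rules of the kind shown above, both in the VPN attempt and in the main script: IP protocol numbers 47 (GRE) and 50 (ESP) written as TCP ports, a bare port where `-d` expects an address, and an ICMP type placed in the destination slot (ipchains takes the ICMP type from the `-s` port position and the code from `-d`). It only parses text, so it runs without an ipchains kernel. The `IP_PROTOCOLS` table, the function names and the `SAMPLE_RULES` list (rule lines constructed from the post) are this example's own.

```python
"""Lint ipchains rule lines for mistakes that silently break a rule set.

Added example; not part of the original post and not an ipchains utility.
It reads only the rule text, so no ipchains kernel support is needed.
"""
import re
import shlex

# IP protocol numbers commonly mistaken for TCP/UDP ports (constructed table).
IP_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH"}

_PORTSPEC = re.compile(r"^\d+(:\d+)?$")  # "80" or a range such as "0:19"


def _is_portspec(token):
    return bool(_PORTSPEC.match(token))


def parse_rule(line):
    """Pull the fields the checks need out of one 'ipchains ...' command line.

    ipchains syntax: -s [!] addr[/mask] [!] [port[:port]]  (likewise for -d).
    For -p icmp the -s "port" is the ICMP type and the -d "port" the ICMP code.
    """
    argv = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": None, "dst": None,
            "sport": None, "dport": None, "target": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-A", "-I", "-D") and i + 1 < len(argv):
            rule["chain"] = argv[i + 1]
            i += 2
        elif tok == "-p" and i + 1 < len(argv):
            rule["proto"] = argv[i + 1].lower()
            i += 2
        elif tok in ("-s", "-d"):
            addr_key, port_key = ("src", "sport") if tok == "-s" else ("dst", "dport")
            i += 1
            if i < len(argv) and argv[i] == "!":      # negated address
                i += 1
            if i < len(argv):
                rule[addr_key] = argv[i]
                i += 1
            if i < len(argv) and argv[i] == "!":      # negated port / range
                i += 1
            if i < len(argv) and _is_portspec(argv[i]):
                rule[port_key] = argv[i]
                i += 1
        elif tok == "-j" and i + 1 < len(argv):
            rule["target"] = argv[i + 1]
            i += 2
        else:
            i += 1  # -i eth0, -b, -y, -l ... do not matter for these checks
    return rule


def lint(line):
    """Return a list of findings for one rule line (empty list when it is clean)."""
    findings = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return findings                      # blank line or commented-out rule
    r = parse_rule(stripped)
    # 1. a bare port where -s/-d wants an address: "-d 389" is parsed as a host
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if r[key] is not None and _is_portspec(r[key]):
            findings.append(f"{flag} {r[key]}: a port was given where an address is required")
    # 2. IP protocol numbers written as TCP/UDP ports (47 = GRE, 50 = ESP)
    if r["proto"] in ("tcp", "udp"):
        for port in (r["sport"], r["dport"]):
            if port is not None and port.isdigit() and int(port) in IP_PROTOCOLS:
                name = IP_PROTOCOLS[int(port)]
                findings.append(f"port {port} is IP protocol {name}, not a {r['proto']} port; "
                                f"match it with '-p {port}' and no port number")
    # 3. ICMP type in the -d slot: ipchains reads the type from the -s position
    if r["proto"] == "icmp" and r["dport"] is not None and r["sport"] is None:
        findings.append(f"ICMP type {r['dport']} is in the -d slot; ipchains takes the type from "
                        f"the -s port position, so this rule matches ICMP code {r['dport']}")
    return findings


def lint_rules(lines):
    """Lint a whole rule set; returns [(line_index, finding), ...] in order."""
    return [(idx, f) for idx, line in enumerate(lines) for f in lint(line)]


# Rule lines constructed from the post above (VPN attempt plus three script rules).
SAMPLE_RULES = [
    "ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 47 -j ACCEPT",
    "ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 50 -j ACCEPT",
    "ipchains -A input -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 500 -j ACCEPT",
    "ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 389 -j DENY",
    "ipchains -A input -i eth0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 8 -j DENY",
    "ipchains -A output -i eth0 -p icmp -s 192.168.1.0/24 11 -d 0.0.0.0/0 -j DENY",
    "ipchains -A input -p tcp -s 192.168.1.0/24 -d 0/0 ! 1863:8888 -j ACCEPT",
]

if __name__ == "__main__":
    for idx, finding in lint_rules(SAMPLE_RULES):
        print(f"rule {idx}: {finding}")
```

Run against the sample set it reports the two protocol-as-port rules, the `-d 389` rule and the misplaced ICMP type, and stays silent on the UDP 500, time-exceeded and negated-port-range rules. Port numbers 47 and 50 can in principle be real TCP ports, so check 2 is a heuristic to be read alongside the rule's comment, which is why the finding says what the author most likely meant rather than deleting anything.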