LinuxQuestions.org

Forum: Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: Help w/ iptables: can't get the Cisco VPN client to work behind proxy (https://www.linuxquestions.org/questions/linux-security-4/help-w-iptables-cant-get-the-cisco-vpn-client-to-work-behind-proxy-4175504401/)

Zinko 05-08-2014 11:35 PM

Help w/ iptables: can't get the Cisco VPN client to work behind proxy
 
Hi,
I followed the tutorial here,

http://sharadchhetri.com/2014/03/15/...helcentos-6-x/

I've set up a transparent proxy using squid and iptables. Browsing and other TCP/UDP services do work; however, I can't get the Cisco VPN client to work behind the proxy.

Any input will be appreciated. Thanks in advance!

Below is the iptables script


Quote:

#!/bin/bash
#
#
#

# Ethernet device name connected to LAN
ETHERNET_LAN="eth2"

# Ethernet device name connected to Internet
ETHERNET_INTERNET="eth0"

# Squid Server IP Address
SQUID_SERVER_IP="172.16.15.1"

# Squid port number
SQUID_PORT="3128"

### Multiple Port Number - TCP based
MULTI_PORT="22,20,21"

#### Flush iptables
iptables -F

##### Delete a user-defined chain
iptables -X

### -t defines table ###

#### Flush NAT Rules/user-defined NAT chain
iptables -t nat -F
iptables -t nat -X

#### Flush mangle rules / user-defined mangle chains (mangle is used for specific types of packet alteration) #####
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack
modprobe ip_conntrack
modprobe ip_conntrack_ftp

##### Enable IP forwarding for IPV4 ####
echo 1 > /proc/sys/net/ipv4/ip_forward

##
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

## INPUT/OUTPUT rules for loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i $ETHERNET_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface $ETHERNET_INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $ETHERNET_LAN -j ACCEPT

iptables -A INPUT -i $ETHERNET_LAN -j ACCEPT
iptables -A OUTPUT -o $ETHERNET_LAN -j ACCEPT

iptables -t nat -A PREROUTING -i $ETHERNET_LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER_IP:$SQUID_PORT

iptables -t nat -A PREROUTING -i $ETHERNET_INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

###### IPTABLE Allow rule for tcp based multiple port
#### To disable - Use # in front of below given line
iptables -A INPUT -p tcp -m multiport --dports $MULTI_PORT -j ACCEPT

iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

unSpawn 05-09-2014 05:03 PM

First of all, since this is about a proprietary, closed source product, you should check its documentation (esp. the FAQ). (Also note the vendor has its own support forum.) Then you should know what type of protocol and ports the application uses. Then the single simplest quickest way to start troubleshooting iptables rule sets is to make "-j LOG" rules precede any other type of "decision" rule. And since you're routing specific traffic through another service you're expected to look at its log file and enable debug logging if it doesn't show any clues.
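
As an added example (not code from the thread or from the poster's script), here is a shell helper that does what unSpawn describes with the LOG output: it assumes LOG rules with `--log-prefix "IN: "` and `--log-prefix "FWD: "` were inserted ahead of the decision rules in INPUT and FORWARD, tallies the logged packets by chain, inbound interface, protocol and destination port, and tags the flows an IPsec VPN client needs (IKE udp/500, NAT-T udp/4500 and ESP); that the client is an IPsec one is an assumption, and the log lines are constructed.

```sh
#!/bin/sh
# Added example, not the poster's script: tally iptables LOG lines by
# chain, inbound interface, protocol and destination port, and tag the
# traffic an IPsec VPN client needs (IKE udp/500, NAT-T udp/4500, ESP).
# Assumes LOG rules were inserted ahead of the decision rules with
# --log-prefix "IN: " and "FWD: " so lines from INPUT and FORWARD can be
# told apart (the script as posted has one unprefixed LOG in INPUT only).

# Constructed sample of what such LOG rules write to the kernel log.
SAMPLE_LOG='May  9 22:10:01 gw kernel: FWD: IN=eth2 OUT=eth0 SRC=172.16.15.50 DST=203.0.113.10 LEN=356 TTL=127 ID=1 PROTO=UDP SPT=500 DPT=500 LEN=336
May  9 22:10:01 gw kernel: FWD: IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=172.16.15.50 LEN=340 TTL=56 ID=2 PROTO=UDP SPT=500 DPT=500 LEN=320
May  9 22:10:02 gw kernel: FWD: IN=eth2 OUT=eth0 SRC=172.16.15.50 DST=203.0.113.10 LEN=140 TTL=127 ID=3 PROTO=ESP SPI=0x1a2b3c4d
May  9 22:10:02 gw kernel: FWD: IN=eth2 OUT=eth0 SRC=172.16.15.50 DST=203.0.113.10 LEN=140 TTL=127 ID=4 PROTO=ESP SPI=0x1a2b3c4d
May  9 22:10:03 gw kernel: IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=140 TTL=56 ID=5 PROTO=ESP SPI=0x5e6f7a8b
May  9 22:10:04 gw kernel: IN: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TTL=50 ID=6 PROTO=TCP SPT=44321 DPT=22 WINDOW=29200
May  9 22:10:05 gw kernel: FWD: IN=eth2 OUT=eth0 SRC=172.16.15.50 DST=203.0.113.10 LEN=80 TTL=127 ID=7 PROTO=UDP SPT=4500 DPT=4500 LEN=60'

# summarize_fw_log LOGTEXT
# Prints "count chain in-iface proto dport tag", one line per distinct
# combination, sorted so IPsec-related hits are easy to spot.
summarize_fw_log() {
  printf '%s\n' "$1" | awk '
    {
      chain = "?"; inif = "-"; proto = "?"; dport = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(IN|FWD):$/)   chain = substr($i, 1, length($i) - 1)
        else if ($i ~ /^IN=/)     inif  = substr($i, 4)
        else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
        else if ($i ~ /^DPT=/)    dport = substr($i, 5)
      }
      # Standard IPsec ports/protocol; the VPN client is assumed to use IPsec.
      tag = "-"
      if (proto == "ESP") tag = "ipsec-esp"
      else if (proto == "UDP" && (dport == "500" || dport == "4500")) tag = "ipsec-ike"
      n[chain " " inif " " proto " " dport " " tag]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2,2 -k3,3 -k4,4 -k5,5n
}

# Number of distinct (chain, iface, proto, dport) rows carrying IPsec traffic.
ipsec_rows() {
  summarize_fw_log "$1" | grep -c 'ipsec-'
}

summarize_fw_log "$SAMPLE_LOG"
```

With the script as posted, packets arriving on the LAN interface are accepted by the `-i $ETHERNET_LAN -j ACCEPT` rule before the unprefixed LOG rule is reached, and FORWARD has no LOG rule at all, so the VPN client's packets only show up once a LOG rule precedes those ACCEPT and DROP rules.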

sundialsvcs 05-12-2014 06:00 AM

Also ... the Cisco device will know that it is operating behind a proxy. It might not like that. In fact, it might refuse to (or, be unable to) negotiate a connection that way. (Remember that, for example, the IP-address perceived by the client is now different from the address that will be perceived by the host as being "that client's address.") You should therefore examine logs on all fronts: what does the client say (e.g. with a "-v" command-line parameter, or maybe several); what does the host say; and so on.

VPN is specifically designed to be absolutely obtuse and uninformative ... until ... "*click!* the lock quietly falls open" when exactly the proper sequence of events takes place.
