LinuxQuestions.org
Linux - Security forum
Old 05-08-2014, 11:35 PM   #1
Zinko
LQ Newbie
 
Registered: Oct 2008
Posts: 2

Rep: Reputation: 0
Help w/ iptables: can't get the Cisco VPN client to work behind proxy


Hi,
I followed the tutorial here,

http://sharadchhetri.com/2014/03/15/...helcentos-6-x/

I've set up a transparent proxy using Squid and iptables; browsing and other TCP/UDP services do work, however I can't get the Cisco VPN client to work behind the proxy.

Any input will be appreciated. Thanks in advance!

Below is the iptables script:


#!/bin/bash
#
# Transparent Squid proxy + NAT gateway rules (posted script)
#

# Ethernet device name connected to LAN
ETHERNET_LAN="eth2"

# Ethernet device name connected to Internet
ETHERNET_INTERNET="eth0"

# Squid Server IP Address
SQUID_SERVER_IP="172.16.15.1"

# Squid port number
SQUID_PORT="3128"

### Multiple Port Number - TCP based
MULTI_PORT="22,20,21"

#### Flush iptables
iptables -F

##### Delete a user-defined chain
iptables -X

### -t defines table ###

#### Flush NAT Rules/user-defined NAT chain
iptables -t nat -F
iptables -t nat -X

#### Flush mangle rules / user-defined mangle chains (mangle: used for specific types of packet alteration) #####
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack (ip_conntrack is the legacy module name; newer kernels call it nf_conntrack)
modprobe ip_conntrack
modprobe ip_conntrack_ftp

##### Enable IP forwarding for IPV4 ####
echo 1 > /proc/sys/net/ipv4/ip_forward

## Default policies: drop unsolicited INPUT, allow OUTPUT (FORWARD is not set here, so it keeps the kernel default of ACCEPT)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

## INPUT/OUTPUT rules for loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept replies on the Internet interface for connections the gateway itself opened
iptables -A INPUT -i $ETHERNET_INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade LAN traffic leaving on the Internet interface, and forward anything coming in from the LAN
iptables --table nat --append POSTROUTING --out-interface $ETHERNET_INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $ETHERNET_LAN -j ACCEPT

iptables -A INPUT -i $ETHERNET_LAN -j ACCEPT
iptables -A OUTPUT -o $ETHERNET_LAN -j ACCEPT

# Transparent proxy: send LAN web traffic (TCP/80) to Squid
iptables -t nat -A PREROUTING -i $ETHERNET_LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER_IP:$SQUID_PORT

# Same for TCP/80 arriving on the Internet interface, redirected to the local Squid port
iptables -t nat -A PREROUTING -i $ETHERNET_INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

###### IPTABLES allow rule for multiple TCP ports
#### To disable, comment out the line below
iptables -A INPUT -p tcp -m multiport --dports $MULTI_PORT -j ACCEPT

# Log, then drop, everything else that reaches the end of INPUT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
 
Old 05-09-2014, 05:03 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
First of all, since this is about a proprietary, closed source product, you should check its documentation (esp. the FAQ). (Also note the vendor has its own support forum.) Then you should know what type of protocol and ports the application uses. Then the single simplest quickest way to start troubleshooting iptables rule sets is to make "-j LOG" rules precede any other type of "decision" rule. And since you're routing specific traffic through another service you're expected to look at its log file and enable debug logging if it doesn't show any clues.
 
2 members found this post helpful.
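The ordering unSpawn recommends, a "-j LOG" rule in front of every decision rule, and a way to read what those rules write, as an added example that is not code from any poster in this thread. It assumes the same interface roles as the posted script (eth2 = LAN, eth0 = Internet), the log prefixes are chosen here, and the kernel log lines it parses are a constructed sample (documentation-range addresses, not real traffic). With DRY_RUN=1 (the default) it only prints the iptables commands, so the rule order can be reviewed without touching a live firewall.

```shell
#!/bin/bash
# Added example (not from any poster in this thread): place a "-j LOG" rule
# immediately before each decision rule, then summarise the kernel log lines
# those rules produce by log prefix, protocol and destination port.
# Interface names and log prefixes are assumptions matching the posted script
# (eth2 = LAN, eth0 = Internet). DRY_RUN=1 (the default here) prints the
# iptables commands instead of running them.

LAN_IF="${LAN_IF:-eth2}"
WAN_IF="${WAN_IF:-eth0}"
LOG_LIMIT="${LOG_LIMIT:-5/min}"   # rate-limit LOG rules so a flood cannot fill the log

ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the LOG rule first and the decision rule second, with identical match
# arguments, so every packet the decision applies to is recorded.
# usage: log_then <chain> <log-prefix> <target> [match arguments...]
log_then() {
    chain=$1; logprefix=$2; target=$3; shift 3
    ipt -A "$chain" "$@" -m limit --limit "$LOG_LIMIT" -j LOG --log-prefix "$logprefix "
    ipt -A "$chain" "$@" -j "$target"
}

debug_rules() {
    # Outbound traffic from the LAN: logged, then accepted, so the protocol and
    # destination port a client actually uses appear in the log.
    log_then FORWARD FWD-LAN ACCEPT -i "$LAN_IF"
    # Replies coming back from the Internet for forwarded connections.
    log_then FORWARD FWD-RET ACCEPT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED
    # Anything else reaching the end of FORWARD or INPUT: logged, then dropped.
    log_then FORWARD FWD-DROP DROP
    log_then INPUT   IN-DROP  DROP
}

# Read kernel LOG lines (files given as arguments, or stdin) and print
# "<prefix> <proto> <dport> <count>", most frequent first. A dropped packet
# with PROTO set but no DPT (e.g. ESP) is exactly the kind of clue to look for.
summarize_log() {
    awk '
    /IN=/ {
        prefix = "?"; proto = "?"; dpt = "-"
        if (match($0, /[A-Z0-9-]+ IN=/)) prefix = substr($0, RSTART, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[prefix " " proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' "$@" | sort -k4,4nr -k1,1
}

# Constructed sample of what the LOG rules above would write to the kernel log
# (203.0.113.0/24 is the documentation range; this is not captured traffic).
SAMPLE_LOG='May  9 10:00:01 gw kernel: FWD-LAN IN=eth2 OUT=eth0 SRC=172.16.15.20 DST=203.0.113.5 PROTO=UDP SPT=500 DPT=500 LEN=8
May  9 10:00:02 gw kernel: FWD-LAN IN=eth2 OUT=eth0 SRC=172.16.15.20 DST=203.0.113.5 PROTO=UDP SPT=500 DPT=500 LEN=8
May  9 10:00:03 gw kernel: FWD-LAN IN=eth2 OUT=eth0 SRC=172.16.15.20 DST=203.0.113.5 PROTO=UDP SPT=4500 DPT=4500 LEN=8
May  9 10:00:04 gw kernel: FWD-DROP IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=172.16.15.20 PROTO=ESP SPI=0x00001234'

# Stand-alone run: show the rule order, then the summary of the sample log.
if [ "${1:-}" = "--demo" ]; then
    debug_rules
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
fi
```

Run it with `--demo` to see the eight commands (each LOG rule directly ahead of its ACCEPT or DROP) followed by the per-prefix/protocol/port counts; on a real gateway, feed `summarize_log` the kernel log (or `dmesg` output) once the rules are loaded with DRY_RUN=0. The `-m limit` match keeps a busy link from flooding the log while the rules are in place.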
Old 05-12-2014, 06:00 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905
Also ... the Cisco device will know that it is operating behind a proxy. It might not like that. In fact, it might refuse to (or be unable to) negotiate a connection that way. (Remember that, for example, the IP address perceived by the client is now different from the address that will be perceived by the host as being "that client's address.") You should therefore examine logs on all fronts: what does the client say (e.g. with a "-v" command-line parameter, or maybe several); what does the host say; and so on.

VPN is specifically designed to be absolutely obtuse and uninformative ... until ... "*click!* the lock quietly falls open" when exactly the proper sequence of events takes place.
 