Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a VPN set up on a Windows 2000 server. The network is a private network behind a Linux firewall. I have to configure the firewall in such a way that it forwards all the packets destined for the VPN server to the VPN server. Does anyone have any experience of doing this?
Hi, this is Rizwan from Karachi, Pakistan. I am also trying to do this: I have a Win 2000 VPN server behind a Linux 8 router/firewall, and I cannot access it from the internet (but I can access it from my local LAN). If you or anyone has some idea about this, then please inform me. Thanks a lot.
First thing I want to know: which firewall package are you using? If you are using iptables, then it can be done by forwarding the ports on the external interface to the IP of the VPN server for incoming requests...
The INPUT chain should be used here.
Check the IP of the VPN server, and did you ping the IP of the firewall from your VPN server? Give me some details about your IPs and ports, and your iptables rules.
These are the rules I use for a forward from my Linux firewall to my Exchange server; I guess all you have to do is change the dport.
iptables -A INPUT -p tcp -i $ext_if -d $ext_ip --dport 25 -s $mailservers -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s $mailservers -d $ext_ip --dport 25 -j DNAT --to $masq_machine_ip:25
iptables -A FORWARD -p tcp -i $ext_if -o $local_if -d $masq_machine_ip --dport 25 -m state --state NEW -j ACCEPT
$ext_if is the Ethernet card connected to the internet
$ext_ip is the external IP
$local_if is the Ethernet card connected to my internal network
$mailservers is the IP range of my bsmtp incoming servers
$masq_machine_ip is the Exchange server behind my firewall
It's still not working. What do I have to do now? Please help me, as I am using these commands. In the iptables FORWARD rules, is there any mistake by me? Please let me know how I can see my FORWARD (etc.) rules after setting them.
You can view your current iptables rules with iptables -L.
If you have many rules it's easier to pipe them to a file with something like iptables -L > firewall; this way a file called firewall is created and you can view all your currently active rules.
I forward & accept port 1723 but nothing happens. Please help me.
Please give me the right command lines to accept/forward/input on the gateway machine (Red Hat 8) so my VPN server accepts connections through the internet.
One thing to check in your rules is that the ORDER is correct... make sure that these packets do not match any rules before you try to forward them.
Also remember you must open the ports to the internet too,
e.g. $iptables -A INPUT -i $OUTSIDE -s 0/0 -d $vpn -p tcp --dport 1723 -j ACCEPT
HOWEVER
I was under the impression that a VPN must be external??
When passing through the firewall the packets get changed, which will then mean they are not certified to access the VPN?? I think it has something to do with the NAT etc.
I could be wrong of course... I don't know much about VPNs though, so yeah :P Try the above first.
Last edited by chrisfirestar; 12-02-2003 at 09:24 PM.
Depends what VPN software you're using. I've used both Nortel IPSec and Microsoft PPTP from behind a NAT (not even static NAT) and it worked fine. The only thing I had to do was make sure GRE was open.
Other things, like FreeS/WAN, are very picky about NAT. Also you need 500/UDP open if the remote side is going to start the handshake. Actually, this brings up a good point... Which side is initiating the VPN? If your side is receiving the connection attempt then you do need a global, non-NAT'd IP and you do need 500/UDP open, I'm fairly sure.
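Putting the thread's two pieces together for the original PPTP question: the DNAT/FORWARD pattern posted for port 25 above, plus the point in the last reply that GRE must be open (PPTP carries the tunnel data in GRE, IP protocol 47, not over TCP). This is an added example, not a script posted by anyone in the thread. The interface names (eth0/eth1), the 203.0.113.10 public address and the 192.168.1.x LAN addresses are assumptions; the firewall is assumed to be the LAN's default gateway. The helper module names are given for both modern kernels and the 2.4-era kernels this thread was written for.

```sh
#!/bin/sh
# Added example, not code from the thread: forward PPTP (tcp/1723 control
# channel plus GRE data) through an iptables firewall to a Windows VPN
# server on the LAN. Every name and address below is an assumption.
EXT_IF=${EXT_IF:-eth0}              # assumed: interface facing the internet
INT_IF=${INT_IF:-eth1}              # assumed: interface facing the LAN
EXT_IP=${EXT_IP:-203.0.113.10}      # assumed: the firewall's public address
VPN_IP=${VPN_IP:-192.168.1.20}      # assumed: the Windows VPN server's LAN address
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed: LAN range that is source-NATed

# With DRY_RUN set, commands are printed instead of executed, so the rule set
# can be reviewed on a machine where you are not root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

pptp_rules() {
    # The PPTP conntrack/NAT helper rewrites GRE call IDs so more than one
    # client can share the NAT. Modern kernels: nf_conntrack_pptp/nf_nat_pptp;
    # 2.4-era kernels used ip_conntrack_pptp/ip_nat_pptp from patch-o-matic.
    run modprobe -a nf_conntrack_pptp nf_nat_pptp
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination of inbound control (tcp/1723) and data (GRE)
    # packets before routing, exactly like the port 25 DNAT rule above.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 1723 \
        -j DNAT --to-destination "$VPN_IP"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p gre -d "$EXT_IP" \
        -j DNAT --to-destination "$VPN_IP"

    # A DNATed packet traverses FORWARD, never INPUT. Accept the new control
    # connection, GRE in both directions, and whatever conntrack already knows.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$VPN_IP" --dport 1723 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p gre -d "$VPN_IP" -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p gre -s "$VPN_IP" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Traffic leaving the LAN gets the public address. Replies to the DNATed
    # flows above are un-translated by conntrack; no extra rule is needed.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"
}

# "iptables -L" shows only the filter table; the DNAT rules live in nat, so
# list both, numerically and with line numbers, when checking rule order.
show_rules() {
    run iptables -L -n -v --line-numbers
    run iptables -t nat -L -n -v --line-numbers
}

# Only "apply" as the first argument touches the live firewall; otherwise print.
[ "${1:-}" = "apply" ] || DRY_RUN=1
pptp_rules
show_rules
```

Run it as root with `apply` to install the rules; without that argument it only prints them. Two caveats follow from the thread itself: the rules use -A (append), so a DROP earlier in FORWARD or PREROUTING shadows them, which is the rule-order problem mentioned above; and because the DNATed packets go through FORWARD rather than INPUT, an INPUT rule for port 1723 on the firewall does not let them reach the VPN server.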