Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
06-24-2002, 05:54 PM | #1 | LQ Newbie | Registered: Jun 2002 | Posts: 2
Configuring VPN behind a Linux firewall
I have a VPN set up on a Windows 2000 server. The network is a private network behind a Linux firewall. I have to configure the firewall in such a way that it forwards all the packets destined for the VPN server to the VPN server. Did any of you have experience doing this?
Thanks
10-22-2003, 02:52 AM | #2 | Member | Registered: Oct 2003 | Location: Karachi, PAKISTAN | Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare | Posts: 115
Hi, this is Rizwan from Karachi, Pakistan. I am also trying to do this: I have a WIN 2000 VPN server behind a Linux 8 router/firewall and cannot access it from the internet (but I can access it from my local LAN). If you or anyone has some idea about this then please inform me. Thanks a lot.
Rizwan.
10-22-2003, 09:44 PM | #3 | LQ Newbie | Registered: Oct 2003 | Location: Canada | Distribution: Debian | Posts: 11
Well guys,
First thing I want to know: which firewall package are you using? If you are using iptables, then it can be done by forwarding the ports to the IP of the VPN server on the external interface for incoming requests...
The INPUT chain should be used here.
10-23-2003, 01:38 AM | #4 | Member | Registered: Oct 2003 | Location: Karachi, PAKISTAN | Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare | Posts: 115
WIN 2000 VPN server behind Linux firewall
Thanks for the reply riaz2000,
I am using iptables for this and use this command in PREROUTING:
iptables -I PREROUTING -t nat -p tcp -d (sourceIP) --destination-port 1723 -j DNAT --to-destination (destinationIP)
and also use this in POSTROUTING:
iptables -I POSTROUTING -t nat -s (sourceIP/32) -d ! (destinationIP/24) -j SNAT --to-source (2nd sourceIP)
but nothing works and the client from the internet is not receiving any response from the VPN server. Please help me.
Rizwan.
10-25-2003, 12:20 AM | #5 | LQ Newbie | Registered: Oct 2003 | Location: Canada | Distribution: Debian | Posts: 11
Check the IP of the VPN, and did you ping the IP of the firewall from your VPN? Give me some detail about your IPs and ports, and your iptables rules.
10-27-2003, 12:22 AM | #6 | LQ Newbie | Registered: Oct 2003 | Distribution: RedHat 6-9 Gentoo Slackware 9.1 | Posts: 26
These are the rules I use for a forward from my Linux firewall to my Exchange server; I guess all you have to do is change the dport.
iptables -A INPUT -p tcp -i $ext_if -d $ext_ip --dport 25 -s $mailservers -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s $mailservers -d $ext_ip --dport 25 -j DNAT --to $masq_machine_ip:25
iptables -A FORWARD -p tcp -i $ext_if -o $local_if -d $masq_machine_ip --dport 25 -m state --state NEW -j ACCEPT
$ext_if is the Ethernet card connected to the internet
$ext_ip is the external IP
$local_if is the Ethernet card connected to my internal network
$mailservers is the IP range of my bsmtp incoming servers
$masq_machine_ip is the Exchange server behind my firewall
Hope this helps ...
GJ
11-21-2003, 02:04 AM | #7 | Member | Registered: Oct 2003 | Location: Karachi, PAKISTAN | Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare | Posts: 115
It's still not working; what do I have to do now? Please help me, as I am using these commands. In the iptables FORWARD rules, if there is any mistake by me please let me know. How can I see my FORWARD etc. rules after setting them?
11-21-2003, 06:41 AM | #8 | LQ Newbie | Registered: Oct 2003 | Distribution: RedHat 6-9 Gentoo Slackware 9.1 | Posts: 26
You can view your current iptables rules with iptables -L
If you have many rules it's easier to pipe them to a file with something like iptables -L >firewall; this way a file called firewall is created and you can view all your current active rules.
GJB
12-02-2003, 02:36 AM | #9 | Member | Registered: Oct 2003 | Location: Karachi, PAKISTAN | Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare | Posts: 115
iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 25 -j DNAT --to-destination 192.168.1.3:25
iptables -I PREROUTING -t nat -p udp -d 10.10.10.10 --destination-port 25 -j DNAT --to-destination 192.168.1.3:25
iptables -I PREROUTING -t nat -p udp -d 10.10.10.10 --destination-port 110 -j DNAT --to-destination 192.168.1.3:110
iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 110 -j DNAT --to-destination 192.168.1.3:110
iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 21 -j DNAT --to-destination 192.168.1.8:21
I also use PREROUTING for port 1723 but no hope; the command is below:
iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 1723 -j DNAT --to-destination 192.168.1.45:1723
I forward & accept port 1723 but nothing happens. Please help me.
Please give me the right command lines to accept/forward/input for the gateway machine (Red Hat 8) so my VPN server accepts connections through the internet.
12-02-2003, 03:16 AM | #10 | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
You need to allow all GRE traffic. It's protocol 47. You can't just use port rules because GRE encapsulates IP, so normal IP port rules are worthless.
12-02-2003, 03:21 AM | #11 | Member | Registered: Oct 2003 | Location: Karachi, PAKISTAN | Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare | Posts: 115
HOW ??????????????
12-02-2003, 03:46 AM | #12 | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
-p gre something I guess... I dunno, I never stuck with iptables long enough to figure that out. Not that it helps, but in pf it looks like this:
pass in on $INET proto gre all
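The iptables counterpart of that pf rule, combined with the port forwarding pattern from #6, as an added example that is not any poster's code: it emits the rule set for a PPTP server behind a NAT gateway (TCP 1723 plus GRE, protocol 47). Interface names and addresses are placeholders to replace with your own; it assumes a kernel with the PPTP connection-tracking helpers available.

```shell
#!/bin/sh
# Added example: generate the iptables rules that let a PPTP (Windows 2000
# VPN) server on a private LAN accept connections from the internet through
# a Linux NAT gateway. PPTP needs the TCP 1723 control channel AND GRE
# (IP protocol 47) for the tunnel itself; GRE has no ports, so it can only
# be matched on the protocol. The values below are placeholders
# (203.0.113.0/24 is a documentation range); override them in the environment.

EXT_IF=${EXT_IF:-eth0}            # interface facing the internet
EXT_IP=${EXT_IP:-203.0.113.10}    # the gateway's public address
INT_IF=${INT_IF:-eth1}            # interface facing the LAN
VPN_IP=${VPN_IP:-192.168.1.45}    # PPTP server on the LAN

# Print the rule set; nothing on the host changes until apply_rules runs it.
pptp_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 1723 -j DNAT --to-destination $VPN_IP
iptables -t nat -A PREROUTING -i $EXT_IF -p gre -d $EXT_IP -j DNAT --to-destination $VPN_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $VPN_IP --dport 1723 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p gre -d $VPN_IP -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p gre -s $VPN_IP -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules that match on GRE: a sanity check that the tunnel protocol
# is covered by the DNAT and by FORWARD in both directions (expected: 3).
gre_rule_count() {
    pptp_forward_rules | grep -c -- '-p gre'
}

# Run the rule set. Needs root; on newer kernels the PPTP helpers
# (nf_conntrack_pptp, nf_nat_pptp) must be loaded so GRE call IDs are
# tracked correctly through NAT.
apply_rules() {
    pptp_forward_rules | sh -e
}

# Review the generated rules before applying them.
pptp_forward_rules
```

Rule order matters, as #13 points out: a default DROP or REJECT in FORWARD has to come after these, and the DNAT entries go in the nat table, which iptables -L without -t nat will not show.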
12-02-2003, 10:17 PM | #13 | Member | Registered: Sep 2003 | Location: Adelaide, Australia | Distribution: Fedora/RH | Posts: 231
One thing to check in your rules is that the ORDER is correct... make sure that these packets are not relevant to any rules before you try to forward them.
Also remember you must open the ports to the internet too,
eg $iptables -A INPUT -i $OUTSIDE -s 0/0 -d $vpn -p tcp --dport 1723 -j ACCEPT
HOWEVER
I was under the impression that a VPN must be external??
When passing through the firewall the packets get changed, which will then mean they are not certified to access the VPN?? I think it has something to do with the NAT etc.
I could be wrong of course... I don't know much about VPNs though so yeah :P try the above first
Last edited by chrisfirestar; 12-02-2003 at 10:24 PM.
12-03-2003, 02:17 AM | #14 | Senior Member | Registered: Jul 2003 | Location: Silicon Valley, USA | Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5 | Posts: 3,660
Depends what VPN software you're using. I've used both Nortel IPSec and Microsoft PPTP from behind a NAT (not even static NAT) and it worked fine. The only thing I had to do was make sure GRE was open.
Other things, like FreeS/WAN, are very picky about NAT. Also you need 500/UDP open if the remote side is going to start the handshake. Actually, this brings up a good point... Which side is initiating the VPN? If your side is receiving the connection attempt then you do need a global, non-NAT'd IP and you do need 500/UDP open, I'm fairly sure.
12-03-2003, 02:39 AM | #15 | Member | Registered: Sep 2003 | Location: Adelaide, Australia | Distribution: Fedora/RH | Posts: 231
Yes, this sounds more like it... so if someone is connecting TO YOU then it must be global. Okay, thanks.
My thing for the day I've learnt, aye