Welcome to IWETHEY!

Linux ipchains firewall and VPN
Heeelp!

I am stuck...

I have DSL at home, and I was recently given a laptop to do my work on. Most of the work I have to do can only be done when I am connected to company's VPN. So here are my VPN woes:

When I plug DSL directly into the laptop, the VPN client can connect just fine. When I go through my Linux-based firewall (an old computer running RH 7.0 (yes I know..)), the VPN server doesn't even respond to my isakmp requests (UDP port 500). When I look at the packets with tcpdump, I see that my damned firewall replaced source port 500 in the packet with some garbage. Well, on one hand, that's how IP masquerading works. On the other hand, the Cisco VPN that my company uses has a bug/feature quirk: they will only accept connections with source port 500. Apparently, this will be relaxed in some future version, but in the meantime: how can I tell Linux to only replace the source IP address, and leave the port alone?

Help will be greatly appreciated. I killed half a day on this crap today...
--

It made Ketchup!
Sweet Ketchup!
Put it on a hot dog, put it on a burger,
Put it on your sister and she'll holler bloody murder!
Sweet Ketchup.

--Tom Paxton.
why not vpn from the linux box?
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
"Omni Gaul Delenda est!" Caesar
Not really a good idea with IPCHAINS...
IPCHAINS really has sucky support for PORT forwarding...

Use IPTABLES... you can force it :)

Of course that means getting a 2.4.x kernel to be on the box.

Why you should probably use Debian Woody... or Sarge... :)
b4k4^2
[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!]   [link|http://pascal.rockford.com:8888/SSK@kQMsmc74S0Tw3KHQiRQmDem0gAIPAgM/edcurry/1//|ED'S GHOST SPEAKS!]
[link|http://www.eweek.com/article2/0,3959,857673,00.asp|Writing on wall, Microsoft to develop apps for Linux by 2004]
Heimatland Geheime Staatspolizei reminds:
These [link|http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf|Civilian General Orders], please memorize them.
"Questions" will be asked at safety checkpoints.
IP Tables is the newest incarnation?
Yep... IPTABLES == IPCHAINS on Massive Steroids
You get three TYPES of tables each possible of doing CHAINS... plus you can apply them PRE-ROUTING or POST-ROUTING... AWESOME...

And... AND... it is tremendously more scalable... it is actually less processor intensive as well...

For IPTABLES, you can do SNAT, DNAT, plain-ole NAT, MASQUERADING, Virtual Address Forwarding, Port forwarding, Address Mapping... defaults can be used to be Open - Except or Closed - Except... it is Stateful (wonderful there) and even that can be turned off... logging has 7 settings (no logging to "OHMYGAWD my 1TiB LOG Volume is Full Already in 20 minutes" setting)

Overall it can make traffic do anything you REALLY want it to do.
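To make the difference concrete, here is a small added simulation (not code from the thread or from the kernel) of what an outbound source-NAT does to the laptop's ISAKMP packet. The "remap" policy models what the original poster saw in tcpdump: the 2.2-era ipchains masquerade renumbered every flow into its own port range (the pool below is modelled on that 61000-65095 range). The "preserve" policy models what netfilter's SNAT/MASQUERADE targets attempt on a 2.4 kernel: keep the original source port whenever that external tuple is still free, and fall back to the pool only on a collision. All addresses are constructed from the RFC 5737 documentation ranges; `ike_peer_accepts` is a stand-in for the server-side "source port must be 500" quirk described above, not a model of the real Cisco code.

```python
# Added example: a toy model of outbound UDP source-NAT, showing why IKE
# (UDP sport 500) lost its source port behind the ipchains masquerade and
# how a port-preserving SNAT keeps it unless two internal hosts collide.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal UDP/IP header fields needed for a NAT decision."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Rewrites src_ip to the public address and chooses an external port.

    policy="remap"    : always take a fresh port from the pool (the behaviour
                        the ipchains masquerade showed in the tcpdump above)
    policy="preserve" : keep the original port if (port, dst) is unused,
                        otherwise fall back to the pool (what netfilter's
                        SNAT and MASQUERADE targets try first)
    """

    def __init__(self, public_ip, policy, pool=range(61000, 65096)):
        if policy not in ("remap", "preserve"):
            raise ValueError(f"unknown policy {policy!r}")
        self.public_ip = public_ip
        self.policy = policy
        self.pool = pool           # modelled on the 2.2 masquerade port range
        self.mappings = {}         # original 4-tuple -> external source port
        self.in_use = set()        # (ext_port, dst_ip, dst_port) already handed out

    def _allocate(self, pkt):
        def ext_key(port):
            return (port, pkt.dst_ip, pkt.dst_port)

        # Port preservation: reuse the inside port if nobody else owns that
        # external tuple towards the same destination.
        if self.policy == "preserve" and ext_key(pkt.src_port) not in self.in_use:
            return pkt.src_port
        for port in self.pool:
            if ext_key(port) not in self.in_use:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def translate(self, pkt):
        """Return the packet as it would leave the outside interface."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.mappings:
            port = self._allocate(pkt)
            self.mappings[key] = port
            self.in_use.add((port, pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.public_ip, src_port=self.mappings[key])


def ike_peer_accepts(pkt):
    """Stand-in for the server quirk from the thread: ISAKMP is only
    answered when the peer's source port is also 500 (constructed rule)."""
    return pkt.dst_port == 500 and pkt.src_port == 500


def demo():
    """Run the laptop's first IKE packet through both policies.
    Addresses are constructed (RFC 5737 documentation ranges)."""
    laptop_ike = Packet("192.168.1.10", 500, "198.51.100.20", 500)
    results = {}
    for policy in ("remap", "preserve"):
        nat = SourceNat("203.0.113.7", policy)
        results[policy] = nat.translate(laptop_ike)
    return results


if __name__ == "__main__":
    for policy, pkt in demo().items():
        print(f"{policy:8s} -> {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  peer accepts: {ike_peer_accepts(pkt)}")
```

The "preserve" policy still has an edge case worth knowing about before blaming the VPN server: if two machines behind the same firewall both start IKE to the same gateway, only the first flow can keep external port 500; the second gets a pool port and will hit the same server-side rejection. On the 2.4 box this corresponds to a plain `iptables -t nat -A POSTROUTING -o <wan-if> -j MASQUERADE` (or `-j SNAT --to-source <public-ip>` with a static address); the interface name and address are placeholders for your own setup.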
VPN client runs on the laptop, linux box is my firewall
Very similar to my setup.
Except I'm running IPChains on a Debian box.

What version of the client are you using? 3.6.3.a is what I have and it seems to work fine. Even with the IP Masq'ing.
Re: Very similar to my setup.
ipchains 1.3.9, 17-Mar-1999


Ouch.
Whoops. Correction.
IPTables on mine.

What version of the Cisco VPN client are you running? That's the 3.6.3.a version. Is it the "easy" VPN client or the "secure" VPN client?
The restriction on source port is in server
Looks like I'll have to bite the effing bullet and use iptables.
I hate to touch that machine: 5G hard drive, Pentium CPU, dead fan in power supply, floppy stuffed full of crap by my dear tax deductions, no CDROM.

That is going to be "interesting" weekend (next one, I hope).