Subject: VPN - Solved - HUGE THANKS




I'd suggest dropping (or commenting out) the -p 50 and -p 51 rules if 
you're not using ipv6 and I'd suggest adding -i dev and -o dev to any 
rules where possible (-i in INPUT and FORWARD being input device and -o in 
FORWARD and OUTPUT being output device)

this seems _very_ dangerous, what is this supposed to achieve? is this 
needed?
> $IPTABLES -A INPUT -i $EXTIF -s ${remotenetwork} -d $INTNET -j ACCEPT

drop these two:
> $IPTABLES -A INPUT -p 51 -j ACCEPT
> $IPTABLES -A INPUT -p 50 -j ACCEPT

this should probably also have "-i $EXTIF"
and "-s $OTHER-VPN-GLOBAL-IP"
> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT

OUTPUT is usually safe :)

you should add -i and -o here (using INTERNAL NET DEVICE and virtual proxy 
device as the parameters)
> $IPTABLES -A FORWARD -s $INTNET -d ${remotenetwork} -j ACCEPT
> $IPTABLES -A FORWARD -s ${remotenetwork} -d $INTNET -j ACCEPT

not sure about this...
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -d\! 192.168.100.0/24 -j SNAT --to $EXTIP


anyways, cheers,
MaZe.
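The tightening MaZe describes, written out as an added example (not MaZe's text and not the quoted script): each of the quoted rules beside a version pinned to an input/output device and to the VPN peer's address. Interface names, the tunnel device name `ipsec0`, the peer address and all network values are constructed; `IPT` defaults to `echo iptables` so the script only prints the rules until you run it with `IPT=iptables` as root.

```shell
#!/bin/sh
# Added example, not part of the original post. IPT defaults to "echo iptables"
# so nothing touches a live firewall; set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

EXTIF="${EXTIF:-eth0}"              # external interface (assumed name)
INTIF="${INTIF:-eth1}"              # internal LAN device (reply: INTERNAL NET DEVICE)
VPNIF="${VPNIF:-ipsec0}"            # tunnel device (reply: virtual proxy device), assumed
INTNET="${INTNET:-192.168.100.0/24}"
REMOTENET="${REMOTENET:-192.168.200.0/24}"   # the quoted ${remotenetwork}, constructed
VPNPEER="${VPNPEER:-203.0.113.10}"           # reply's $OTHER-VPN-GLOBAL-IP, constructed
EXTIP="${EXTIP:-198.51.100.5}"               # constructed

# The quoted rules as posted: no device, no peer, so they match on any interface.
loose_rules() {
    $IPT -A INPUT -s "$REMOTENET" -d "$INTNET" -j ACCEPT
    $IPT -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
    $IPT -A FORWARD -s "$INTNET" -d "$REMOTENET" -j ACCEPT
}

# Tightened rules: every INPUT/FORWARD rule names -i (and -o in FORWARD) and,
# where the peer is fixed, -s.
tight_rules() {
    # IKE (udp/500) only from the VPN peer, only on the external interface.
    $IPT -A INPUT -i "$EXTIF" -s "$VPNPEER" -p udp --sport 500 --dport 500 -j ACCEPT
    # Protocols 50 (ESP) and 51 (AH) carry IPsec tunnel traffic; if the tunnel is
    # not IPsec, drop these two lines as the reply suggests.
    $IPT -A INPUT -i "$EXTIF" -s "$VPNPEER" -p 50 -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -s "$VPNPEER" -p 51 -j ACCEPT
    # The broad INPUT rule for $REMOTENET -> $INTNET is gone: decrypted remote-LAN
    # traffic is forwarded, and must arrive on the tunnel device, never on $EXTIF.
    $IPT -A FORWARD -i "$VPNIF" -o "$INTIF" -s "$REMOTENET" -d "$INTNET" -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$VPNIF" -s "$INTNET" -d "$REMOTENET" -j ACCEPT
    # NAT only what leaves $EXTIF for the Internet; excluding the remote network
    # (my assumption for the "not sure" rule) keeps VPN-bound packets un-NATed.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" ! -d "$REMOTENET" -j SNAT --to "$EXTIP"
}

# Print both sets so the difference is visible side by side.
echo "# as posted:";  loose_rules
echo "# tightened:";  tight_rules
```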
