Hi, did some testing and refined iptables conf following your suggestions :)

On Wed, 2005-05-25 at 18:34, Maciej Żenczykowski wrote:
> I'd suggest dropping (or commenting out) the -p 50 and -p 51 rules if
> you're not using ipv6 and I'd suggest adding -i dev and -o dev to any
> rules where possible (-i in INPUT and FORWARD being input device and -o in
> FORWARD and OUTPUT being output device)
>
> this seems _very_ dangerous, what is this supposed to achieve? is this
> needed?
>
> > $IPTABLES -A INPUT -i $EXTIF -s ${remotenetwork} -d $INTNET -j ACCEPT

Right, good for me it's a testing environment. In fact it is not needed.

> drop these two:
> > $IPTABLES -A INPUT -p 51 -j ACCEPT
> > $IPTABLES -A INPUT -p 50 -j ACCEPT

Looks like if I drop these it won't work. So I changed it to just catch packets coming from the cisco pix public IP at the other end:

$IPTABLES -A INPUT -i $EXTIF -s $PIX -p 51 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $PIX -p 50 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $PIX -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p 51 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -d $PIX -p udp --sport 500 --dport 500 -j ACCEPT

> this should probably also have "-i $EXTIF" and "-s $OTHER-VPN-GLOBAL-IP"
> > $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
>
> OUTPUT is usually safe :)
>
> you should add -i and -o here (using INTERNAL NET DEVICE and virtual proxy
> device as the parameters)
> > $IPTABLES -A FORWARD -s $INTNET -d ${remotenetwork} -j ACCEPT
> > $IPTABLES -A FORWARD -s ${remotenetwork} -d $INTNET -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -s $INTNET -o $EXTIF -d ${remotenetwork} -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -s ${remotenetwork} -o $INTIF -d $INTNET -j ACCEPT

> not sure about this...
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -d \! 192.168.100.0/24 -j SNAT
> > --to $EXTIP

Well, I added this not to NAT packets from INTNET to remotenet (there is a needed rule on the pix on the other side), but it was not written right. I had to split this in two since I couldn't find a one line way to do it, but it works now:

$IPTABLES -t nat -A POSTROUTING -s $INTNET -d $FBCMEDIA -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j SNAT --to $EXTIP

First line accepting packets to remotenet without natting, second line natting all the rest.

> anyways, cheers,
> MaZe.

Well, soon going to set this up on the remote linuxbox. This has been a really nice experience, I learned a lot thanks to everyone that participated in this topic.

Have a nice day
Simone
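As an added example, not part of the thread or Simone's script: the rule set the thread converges on (ESP/AH/IKE bound to the external interface and the PIX peer address, FORWARD bound to both devices, and the NAT exemption placed before SNAT), written as a dry-run script so the generated rules can be inspected and the POSTROUTING ordering checked before anything is loaded. All addresses and interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Every value below is a placeholder.
IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth0}; INTIF=${INTIF:-eth1}
EXTIP=${EXTIP:-203.0.113.10}            # placeholder: public IP of this box
PIX=${PIX:-203.0.113.20}                # placeholder: public IP of the PIX peer
INTNET=${INTNET:-192.168.1.0/24}        # placeholder: local LAN
REMOTENET=${REMOTENET:-192.168.100.0/24} # placeholder: LAN behind the PIX
DRY_RUN=${DRY_RUN:-1}                   # 1 = print rules, 0 = load them (needs root)

# Wrapper: print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$IPTABLES" "$*"; else "$IPTABLES" "$@"; fi
}

ipsec_rules() {
    # ESP (50) and AH (51) only on the external interface and only for the peer.
    for proto in 50 51; do
        ipt -A INPUT  -i "$EXTIF" -s "$PIX" -p "$proto" -j ACCEPT
        ipt -A OUTPUT -o "$EXTIF" -d "$PIX" -p "$proto" -j ACCEPT
    done
    # IKE: UDP 500 both ways, same interface and peer restriction.
    ipt -A INPUT  -i "$EXTIF" -s "$PIX" -p udp --sport 500 --dport 500 -j ACCEPT
    ipt -A OUTPUT -o "$EXTIF" -d "$PIX" -p udp --sport 500 --dport 500 -j ACCEPT
    # Decrypted traffic between the two LANs, tied to the correct in/out devices.
    ipt -A FORWARD -i "$INTIF" -s "$INTNET"    -o "$EXTIF" -d "$REMOTENET" -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -s "$REMOTENET" -o "$INTIF" -d "$INTNET"    -j ACCEPT
}

nat_rules() {
    # The exemption must come first: nat/POSTROUTING is walked top-down and an
    # ACCEPT there stops traversal, so VPN-bound packets never reach the SNAT rule.
    ipt -t nat -A POSTROUTING -s "$INTNET" -d "$REMOTENET" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$INTNET" -o "$EXTIF" -j SNAT --to "$EXTIP"
}

# Returns success only if the ACCEPT exemption precedes the SNAT rule.
check_nat_order() {
    nat_rules | awk '/-j ACCEPT/{a=NR} /-j SNAT/{s=NR} END{exit !(a && s && a<s)}'
}

ipsec_rules; nat_rules
```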