Hi,
You need to authorize traffic and masquerade/SNAT connections and allow
forwarding.
Authorize:
iptables -A FORWARD -i eth1 -p udp -d $VPN_SERVER_IP -s $INTERNAL_CLIENT_IP --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP --sport 500 -m state --state ESTABLISHED -j ACCEPT
SNAT (replace the internal address with a public one):
iptables -t nat -A POSTROUTING -o eth0 -p udp -d $VPN_SERVER_IP --dport 500 -j SNAT --to-source $PUB_IP
It looks like UDP ports 4500 and 10000 are also used. And the client must be
a SecureNat one (I can't confirm, I'm not using the Cisco VPN).
Regards,
m.e.
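The rule set above as a complete, added example (not part of the reply or of any project's own scripts): a POSIX shell script that emits the FORWARD and SNAT rules for every UDP port the reply mentions (500, 4500 and 10000), not only 500, and turns on kernel forwarding when asked to apply them. eth0/eth1 and the variable names come from the thread; the IP addresses are constructed placeholders and the function names (vpn_rules, vpn_rule_count, vpn_apply) are hypothetical. By default it only prints the commands, so it can be reviewed before touching a live firewall.

```sh
#!/bin/sh
# Added example: pass a Cisco VPN client (IKE on UDP 500, NAT-T on UDP 4500,
# Cisco UDP encapsulation on 10000) through a NAT gateway with iptables.
# eth0 faces the ISP, eth1 faces the LAN (topology from the thread).
# Addresses below are constructed placeholders; override via the environment.

VPN_SERVER_IP=${VPN_SERVER_IP:-203.0.113.10}      # placeholder public VPN concentrator
INTERNAL_CLIENT_IP=${INTERNAL_CLIENT_IP:-192.168.1.50}  # placeholder LAN client
PUB_IP=${PUB_IP:-198.51.100.2}                    # placeholder public IP of eth0
VPN_UDP_PORTS="500 4500 10000"

# vpn_rules: print one iptables command per line, scoped to the single
# client/server pair so the FORWARD chain stays closed for everything else.
vpn_rules() {
  for port in $VPN_UDP_PORTS; do
    # outbound: LAN client -> VPN server, new or established
    echo "iptables -A FORWARD -i eth1 -o eth0 -p udp -s $INTERNAL_CLIENT_IP -d $VPN_SERVER_IP --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    # inbound: only replies to a connection the client opened
    echo "iptables -A FORWARD -i eth0 -o eth1 -p udp -s $VPN_SERVER_IP -d $INTERNAL_CLIENT_IP --sport $port -m state --state ESTABLISHED -j ACCEPT"
    # SNAT: rewrite the private source address to the public one on egress
    echo "iptables -t nat -A POSTROUTING -o eth0 -p udp -d $VPN_SERVER_IP --dport $port -j SNAT --to-source $PUB_IP"
  done
}

# vpn_rule_count: number of rules that would be installed (3 per port)
vpn_rule_count() {
  vpn_rules | wc -l | tr -d ' '
}

# vpn_apply: enable forwarding (FORWARD rules are ignored otherwise) and run
# every generated command; requires root.
vpn_apply() {
  sysctl -w net.ipv4.ip_forward=1 || return 1
  vpn_rules | while IFS= read -r cmd; do
    $cmd || return 1   # word splitting of $cmd is intended here
  done
}

case "${1:-}" in
  apply) vpn_apply ;;
  *) vpn_rules ;;      # dry run: just print the rules
esac
```

Run it with no arguments to review the nine rules, and with `apply` as root to install them. The rules assume the FORWARD chain's policy is DROP (as in the howto the original poster used); if the policy is ACCEPT, only the SNAT rule actually changes anything.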
Gergely Buday wrote:
Dear All,
I would like to use a Cisco VPN client from behind my CentOS server,
which has an iptables firewall. The network topology is as follows:
eth0 is towards the ISP, eth1 heads the local clients. Up to now I used
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-IPTABLES
but this clearly needs extension. What I know is that I should allow
the IPSec port (500) to be open. What else, and how? I'm not very
familiar with iptables, so some pointers would be more than welcome.
Best Wishes
- Gergely
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html