[ale] VPN connections through firewall
Wandered Inn
esoteric at denali.atlnet.com
Thu Mar 1 20:45:53 EST 2001
Gary S MacKay wrote:
>
> Don't know if I've seen the exact doc you mention, but yes, I've
> searched/read everything I can find. I've added ipchains accept and masq
> rules to my firewall script but still no luck. I did not custom compile
> the kernel yet, as I was going on the understanding that RedHat had
> included the patch(es) already. I'm just using the stock 7.0 kernel that
> was installed by default.
Check out the following URL:
http://linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-3.html#ss3.4
Here's the actual ipchains they use, but you really want to read this
doc.
# Set the default policy to DENY:
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# Allow local-network traffic
ipchains -A input -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 -i eth0
ipchains -A output -j ACCEPT -s 0.0.0.0/0 -d 10.0.0.0/8 -i eth0
# Masquerade only VPN traffic between the VPN client and the VPN server
# PPTP
ipchains -A forward -j MASQ -p tcp -s 10.0.0.2/32 -d 199.0.0.1/32 1723 -i ppp0
ipchains -A output -j ACCEPT -p tcp -s 200.200.200.0/24 -d 199.0.0.1/32 1723 -i ppp0
ipchains -A input -j ACCEPT -p tcp -s 199.0.0.1/32 1723 -d 200.200.200.0/24 -i ppp0
# GRE (IP protocol 47) carries the PPTP data channel
ipchains -A forward -j MASQ -p 47 -s 10.0.0.2/32 -d 199.0.0.1/32 -i ppp0
ipchains -A output -j ACCEPT -p 47 -s 200.200.200.0/24 -d 199.0.0.1/32 -i ppp0
ipchains -A input -j ACCEPT -p 47 -s 199.0.0.1/32 -d 200.200.200.0/24 -i ppp0
This doc will also tell you how to determine if your kernel has the
support for pptp or not:
"To determine whether the running kernel includes VPN Masquerade
support, run the following command:"
grep -i masq /proc/ksyms
...and look for the following entries:
IPsec masquerade: ip_masq_esp and ip_demasq_esp
PPTP masquerade: ip_masq_pptp_tcp and ip_demasq_pptp_tcp
>
> - Gary
>
> Wandered Inn wrote:
> >
> > Gary S MacKay wrote:
> > >
> > > I have a Win2K pro machine behind a linux machine running RedHat 7.0
> > > with 2.2.16-22 kernel. I've installed the ip_masq_pptp module also. When
> > > I try to connect to the remote site, it will get to the point of
> > > "Verifying password..." and then timeout. I have verified that the remote
> > > site works by dialing into the internet via modem from the Win box and I
> > > can connect to the VPN just fine.
> >
> > I'm doing much the same, although mine is behind two separate firewall
> > machines. You should have added some ipchains to properly pass the
> > transactions. There's a really good description in one of the howto's,
> > vpn-howto or vpn-masq-howto, or something like that.
> >
> > Have you seen this doc?
> >
> > >
> > > Problem:
> > > Whenever I try to connect to a Netopia R910 router at a client site, I
> > > get these entries from a tcpdump on my firewall:
> > >
> > > 10:51:00.823238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
> > > 10:51:03.463238 > gre-proto-0x880B (gre encap)
> > > 10:51:03.813238 < gre-proto-0x880B (gre encap)
> > > 10:51:03.813238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
> > >
> > > It just repeats until the Win box times out with an error that a port
> > > was not connected.
> > >
> > > Question:
> > > What piece of the puzzle am I missing?
> > >
> > > - Gary
--
Until later: Geoffrey esoteric at denali.atlnet.com
"Great spirits have always found violent opposition from mediocre minds. The
latter cannot understand it when a man does not thoughtlessly submit to
hereditary prejudices but honestly and courageously uses his
intelligence."
- Albert Einstein
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
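The two checks the thread turns on, the kernel symbol test from the HOWTO and the "protocol 47 unreachable" pattern in Gary's tcpdump, as a small diagnostic script. This is an added example, not code from the post or the HOWTO; the symbol-table and capture files are constructed inline (the hex addresses are made up) so it runs offline, and on a real 2.2 box you would pass /proc/ksyms and a saved tcpdump log instead.

```shell
#!/bin/sh
# Added example, not from the post or the HOWTO: check the two things the
# thread diagnoses. Sample inputs are constructed inline so it runs offline;
# on a real 2.2 box pass /proc/ksyms and a saved tcpdump log instead.
# 0 if both PPTP masquerade helpers are present in the symbol table
# (ip_masq_pptp loaded or compiled in), 1 otherwise.
has_pptp_masq() {
    grep -q 'ip_masq_pptp_tcp' "$1" && grep -q 'ip_demasq_pptp_tcp' "$1"
}

# Lines where the firewall itself answered a GRE (IP protocol 47) packet
# with ICMP "protocol unreachable": the signature from the original report.
count_gre_unreachable() {
    grep -c 'icmp: .*protocol 47 unreachable' "$1" || true
}

# GRE frames seen in either direction (the PPTP data channel).
count_gre_frames() {
    grep -c 'gre-proto-0x880B' "$1" || true
}

# One-word verdict from a symbol listing ($1) and a capture ($2).
diagnose() {
    if ! has_pptp_masq "$1"; then
        echo NO_PPTP_MASQ      # load ip_masq_pptp or rebuild the kernel
    elif [ "$(count_gre_unreachable "$2")" -gt 0 ]; then
        echo GRE_REJECTED      # helpers present; check the -p 47 rules
    elif [ "$(count_gre_frames "$2")" -eq 0 ]; then
        echo NO_GRE_SEEN       # control channel (tcp/1723) never got through
    else
        echo OK
    fi
}

# Constructed sample inputs (addresses and layout made up for the example).
WORK=$(mktemp -d)
cat > "$WORK/ksyms.good" <<'EOF'
c4812000 ip_masq_pptp_tcp [ip_masq_pptp]
c4812400 ip_demasq_pptp_tcp [ip_masq_pptp]
EOF
printf 'c0123456 ip_masq_ftp [ip_masq_ftp]\n' > "$WORK/ksyms.bad"
cat > "$WORK/capture.log" <<'EOF'
10:51:00.823238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
10:51:03.463238 > gre-proto-0x880B (gre encap)
10:51:03.813238 < gre-proto-0x880B (gre encap)
10:51:03.813238 > myIP > remoteIP: icmp: myIP protocol 47 unreachable [tos 0xc0]
EOF
diagnose "$WORK/ksyms.bad" "$WORK/capture.log"
```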