[Gllug] iptables & cisco vpn

Alain Williams addw at phcomp.co.uk
Tue Jun 29 13:27:23 UTC 2010


Setup:
  Internet --> Linux box --> Internal network

Internet side
  eth0
  IP address 1.2.3.4 (I'm lying)

Internal side
  eth1
  IP address 10.1.0.2

What is wanted is that visitor has a laptop that he wants to connect to his home, the laptop is
effectively an internal PC (IP 10.1.0.229). At home he has a cisco router that implements
(I think) an IPsec VPN. I want to allow this through the linux box.

The linux box is running CentOS 5.5.

I can see the PC making connections home on port isakmp (500).

I don't know anything about an IPsec VPN. What should I be adding ?
TIA




I have modified/added to the firewall setup:

iptables -A INPUT -p udp --dport isakmp         -j ACCEPT    # Needed for Cisco VPN
iptables -A INPUT -p udp --sport isakmp		-j ACCEPT    # Needed for Cisco VPN
iptables -A INPUT -p udp --dport ipsec-nat-t    -j ACCEPT # Needed for Cisco VPN

# allow ipsec traffic:
iptables -A INPUT -p esp                              -j ACCEPT # allow IPSEC

# SNAT stuff that we forward going out, but not stuff which may be
# for a cisco VPN (we should not have the addresses anyway):
iptables -t nat -A POSTROUTING -d 192.168.0.0/16      -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list