[Gllug] iptables & cisco vpn
Alain Williams
addw at phcomp.co.uk
Tue Jun 29 13:27:23 UTC 2010
Setup:

    Internet --> Linux box --> Internal network

    Internet side: eth0, IP address 1.2.3.4 (I'm lying)
    Internal side: eth1, IP address 10.1.0.2
What is wanted is that a visitor has a laptop that he wants to connect to his home; the laptop is
effectively an internal PC (IP 10.1.0.229). At home he has a Cisco router that implements
(I think) an IPsec VPN. I want to allow this through the Linux box.
The linux box is running CentOS 5.5.
I can see the PC making connections home on port isakmp (500).
I don't know anything about an IPsec VPN. What should I be adding?
TIA
I have modified/added to the firewall setup:
iptables -A INPUT -p udp --dport isakmp -j ACCEPT # Needed for Cisco VPN
iptables -A INPUT -p udp --sport isakmp -j ACCEPT # Needed for Cisco VPN
iptables -A INPUT -p udp --dport ipsec-nat-t -j ACCEPT # Needed for Cisco VPN
# allow ipsec traffic:
iptables -A INPUT -p esp -j ACCEPT # allow IPSEC
# SNAT stuff that we forward going out, but not stuff which may be
# for a cisco VPN (we should not have the addresses anyway):
iptables -t nat -A POSTROUTING -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
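The rules in the post sit in the INPUT chain, which only governs traffic addressed to the Linux box itself; a laptop that is being routed and SNATed through the box is governed by the FORWARD chain and the nat table instead. The script below is an added example (not the poster's configuration, nor anything from the GLLUG thread) that generates an iptables-restore fragment for exactly that case: one inside host (the post's 10.1.0.229) running an IKE/IPsec client through a SNAT router. The interface names and the 1.2.3.4 address are taken from the post; VPN_PEER is a placeholder for the home router's public address and is not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: emit an iptables-restore
# fragment that lets one inside host run an IPsec client (IKE on UDP 500,
# NAT-T on UDP 4500, raw ESP) out through a Linux SNAT router. Only the
# FORWARD chain and nat POSTROUTING are generated; the poster's existing
# INPUT rules are left alone and must be merged separately.
set -eu

EXT_IF=eth0                            # Internet side (from the post)
INT_IF=eth1                            # internal side (from the post)
EXT_IP=1.2.3.4                         # public address used in the post
VPN_CLIENT=10.1.0.229                  # the visitor's laptop (from the post)
VPN_PEER="${VPN_PEER:-203.0.113.1}"    # placeholder (TEST-NET-3), not from the post

# Print the ruleset. Restricting -s/-d means only this laptop, and only to
# its home router, gets the IPsec hole; everything else in FORWARD stays
# subject to the DROP policy below.
ipsec_passthrough_ruleset() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
# replies for flows the router has already let out (conntrack state)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE (UDP 500) and NAT-T (UDP 4500) from the laptop to its home router only
-A FORWARD -i $INT_IF -o $EXT_IF -s $VPN_CLIENT -d $VPN_PEER -p udp --dport 500 -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $VPN_CLIENT -d $VPN_PEER -p udp --dport 4500 -j ACCEPT
# raw ESP has no ports, so SNAT can carry it for a single inside host only;
# peers that detect the NAT during IKE normally switch to NAT-T instead
-A FORWARD -i $INT_IF -o $EXT_IF -s $VPN_CLIENT -d $VPN_PEER -p esp -j ACCEPT
COMMIT
*nat
# masquerade everything leaving on the Internet interface to the public IP
-A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
COMMIT
EOF
}

# Check that a given rule fragment is present in the generated set.
ruleset_has() {
  ipsec_passthrough_ruleset | grep -q -- "$1"
}

# Count the FORWARD rules that are scoped to the laptop (expected: 3).
client_rule_count() {
  ipsec_passthrough_ruleset | grep -c -- "-s $VPN_CLIENT "
}

# Usage: sh ipsec-passthrough.sh --print > /tmp/rules
if [ "${1:-}" = "--print" ]; then
  ipsec_passthrough_ruleset
fi
```

Run it with `--print`, inspect the output, then load it with `iptables-restore < /tmp/rules`; note that iptables-restore replaces the contents of every table named in the file (here filter and nat), so the poster's INPUT rules need to be carried into the same file before loading. `ruleset_has` and `client_rule_count` are there so the generated set can be sanity-checked without touching a live firewall.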
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug