Thanks Jeff.

Wow, I thought this was going to be an easy task. :(
Surely there must be thousands of others that have done just this.  

  |---------------------|
|-|----Client(9x,2K)----|
| |---------------------|
|           |DSL Modem
|           |
|           |
| |---------------------|
| |-----Internet--------|
| |---------------------|
|           |
VPN         |
|           |Public IP
| |--------------------------|    Nat   |------------|
| |----Firewall--------------|----------|Workstations|
| |--Debian 2.2 w/2.4 Kernel-|          |------------|
| |--------------------------|          192.168.0.10-200
|       NAT |192.168.0.1
|           |
|           |
| |----------------------------|
| |---Windows NT 4.0 Server----|
|-|---PPTP Installed-----------|
  |----------------------------|
           192.168.0.2

Need up to 6 VPN connections to the NT Server.
Is this possible? Or is there just a better way to go about this?
They don't have any money for Cisco or a hardware firewall.

At first I was going to use the 2.2 kernel because I read that if you
recompile the kernel and install ipfwd you can pass multiple GRE
connections across, but now I just read that 2.4 hasn't been configured
to allow multiple connections across, though the date of the article is old.
Oh, how confusing this is.


Cheers 
-Dave

-----Original Message-----
From: Jeff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 06, 2002 10:14 AM
To: Debian User
Subject: Re: VPN on Kernel 2.4.18

Dave Scott, 2002-Mar-06 02:03 -0800:
>    Question on Kernel 2.4.18 and Netfilter
> 
>    Is there any way to forward GRE packets through Netfilter to a
>    specific Server behind the firewall?
> 
>    Also, can you have multiple GRE connections through the firewall at
>    any given time?
> 
>    -Dave

Dave,

You ought to be able to forward based on the protocol number
(47).  I don't know about the multiple connections.

I'm guessing here:

iptables -t nat -A PREROUTING -i $INETIF -p 47 -j DNAT \
    --to-destination 10.10.10.10
# the DNATed packets must also be allowed through FORWARD
iptables -A FORWARD -i $INETIF -p 47 -d 10.10.10.10 -j ACCEPT

However, consider the security issues:
- you should consider terminating the tunnel at the firewall,
  then letting the firewall handle the packets from there
- GRE has no data encryption, so consider encryption prior to GRE
  encapsulation
  - if not encrypted, anyone can read the data in the packet
- if the MTU and fragmentation settings are not set properly, DoS
  attacks (whether intentional or inadvertent) are possible



-- 
Jeff Coppock            Systems Engineer
Diggin' Debian          Admin and User
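A worked version of the rules Jeff sketched, added here as an example; it is not code from Dave or Jeff. It assumes eth0 is the public-side interface, eth1 the LAN side, and the NT server sits at 192.168.0.2 as in Dave's diagram. The PPTP conntrack/NAT module names are the ones used by the netfilter patch-o-matic for 2.4 kernels and are an assumption to check against your kernel. PPTP needs two things passed through: the TCP/1723 control channel and the GRE (IP protocol 47) data channel, which has no ports and so is matched by protocol number. Run without arguments the script only prints the rules; with `apply` it executes them.

```shell
#!/bin/sh
# Added example (not from the thread): pass PPTP from the Internet to one
# internal server on a 2.4 netfilter firewall. PPTP = TCP/1723 control
# channel + GRE (IP protocol 47) data channel. GRE has no ports, so the
# data channel is matched by protocol number only.
#
#   sh pptp_forward.sh          # dry run: print the iptables commands
#   sh pptp_forward.sh apply    # execute them (root + iptables required)

INETIF="${INETIF:-eth0}"                    # assumption: public-side interface
LANIF="${LANIF:-eth1}"                      # assumption: LAN-side interface
PPTP_SERVER="${PPTP_SERVER:-192.168.0.2}"   # NT server address from the diagram
MODE="${1:-dry-run}"

# Print the command in dry-run mode, execute it in apply mode.
run_or_print() {
    if [ "$MODE" = "apply" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

pptp_forward_rules() {
    # PPTP conntrack/NAT helpers. Generic conntrack keys GRE only on the
    # src/dst address pair; the helper keys on the PPTP Call ID, which is
    # what lets several tunnels share one address. Module names are those
    # of the 2.4 patch-o-matic "pptp-conntrack-nat" patch (assumption:
    # check what your kernel actually provides).
    run_or_print modprobe ip_conntrack_proto_gre
    run_or_print modprobe ip_nat_proto_gre
    run_or_print modprobe ip_conntrack_pptp
    run_or_print modprobe ip_nat_pptp

    # Control channel: DNAT TCP/1723 to the PPTP server.
    run_or_print iptables -t nat -A PREROUTING -i "$INETIF" -p tcp --dport 1723 \
        -j DNAT --to-destination "$PPTP_SERVER"
    # Data channel: GRE, matched by protocol number since it carries no ports.
    run_or_print iptables -t nat -A PREROUTING -i "$INETIF" -p 47 \
        -j DNAT --to-destination "$PPTP_SERVER"

    # FORWARD must also admit the DNATed traffic (a DROP policy is assumed).
    run_or_print iptables -A FORWARD -i "$INETIF" -o "$LANIF" -d "$PPTP_SERVER" \
        -p tcp --dport 1723 -j ACCEPT
    run_or_print iptables -A FORWARD -i "$INETIF" -o "$LANIF" -d "$PPTP_SERVER" \
        -p 47 -j ACCEPT
    # Replies from the server: TCP via conntrack state, GRE explicitly.
    run_or_print iptables -A FORWARD -i "$LANIF" -o "$INETIF" -s "$PPTP_SERVER" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run_or_print iptables -A FORWARD -i "$LANIF" -o "$INETIF" -s "$PPTP_SERVER" \
        -p 47 -j ACCEPT

    # MTU/fragmentation: clamp TCP MSS on forwarded SYNs so packets inside
    # the PPP tunnel do not exceed the path MTU and get dropped.
    run_or_print iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

pptp_forward_rules
```

On Dave's multiple-connections question: without the helper modules, netfilter tracks GRE only by the address pair, so several remote clients each with their own public address work, but two clients behind one remote NAT (sharing a public address) cannot be told apart. The helper keys on the Call ID in the PPTP GRE header instead, which is the field that distinguishes tunnels between the same two hosts. None of this encrypts anything: the PPP frames inside GRE are as readable to anyone on the path as Jeff says.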

