I simply use the following in the scripts, which allows for both outbound and/or
inbound VPNs through several Dachstein firewalls:

Firstly, in network.conf add

#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24             # External port to use for internal SSH access
INTERN_VPN_SERVER=192.168.2.10  # Internal VPN server to make available
EXTERN_VPN_PORT=1723            # External port to use for internal VPN access

then in ipfilter.conf (I usually add this after the ssh section again)

if [ -n "$INTERN_VPN_SERVER" ] ; then
    # PPTP control channel: forward TCP from the external address to the
    # internal server. "vpn" is resolved as a service name, so it must be
    # defined in /etc/services; otherwise use the PPTP port number, 1723.
    if [ -n "$EXTERN_VPN_PORT" ] ; then
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_VPN_PORT \
            -R $INTERN_VPN_SERVER vpn
    else
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP vpn \
            -R $INTERN_VPN_SERVER vpn
    fi
    # PPTP data channel: GRE (IP protocol 47) has no ports, so portfw cannot
    # carry it; ipfwd forwards the whole protocol to the internal server.
    ipfwd --masq $INTERN_VPN_SERVER 47 &
fi

I have several firewalls using this method and all are working well. If an
internal VPN Server is not defined, I only open the input chain for protocol 47
in network.conf and have had no problems yet.

Andrew Gray
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Chad Carr
Sent: Fri, 26 Apr 2002 13:47 PM
To: Morgan Reed
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN behind Dachstein


On Thu, 25 Apr 2002 23:09:38 -0400
"Morgan Reed" <[EMAIL PROTECTED]> wrote:

> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets
> through. I attempted to manually set the IPCHAINS rules just to do a
> quick test, and this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.

This ipchains rule should not specify port 1723.  Ports are not a part of
the GRE header, so they cannot be specified as targets for ipchains.  The
rule should read:

ipchains -A input -p 47 -j ACCEPT

To be absolutely minimal about it.  If no source or destination address is
given, the default is everything.

HTH,
Chad

p.s. take a look at http://www.protocols.com/pbook/tcpip3-1.htm and
http://www.protocols.com/pbook/tcpip.htm#TCP for more details on this.
This is pretty heavy stuff if you're not used to it, but it tells you what
is in the headers of the packets you are trying to filter.  It is
invaluable if you want to really know what you can do with ipchains.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user


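The following is an added example, not code from this thread or from the LEAF/Dachstein scripts. It covers both points made above: Andrew's ipfilter.conf fragment (TCP port forward for the PPTP control channel plus ipfwd for GRE) and Chad's reply that a protocol-47 rule cannot carry a port. It builds the rules as text for review (a dry run; nothing is applied to the kernel), and checks the generated ipchains lines for a port attached to GRE. The function names, the external address 203.0.113.5 and the use of the numeric port 1723 in place of the "vpn" service name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the LEAF/Dachstein scripts.
# Generates the PPTP pass-through rules as text (dry run, nothing applied)
# and checks the ipchains lines for the mistake shown in the quoted reply:
# a port on a protocol-47 (GRE) rule. Function names and the address
# 203.0.113.5 are made up for the example.

# pptp_rules EXTERN_IP INTERN_VPN_SERVER [EXTERN_VPN_PORT]
# Prints one command per line. PPTP uses TCP 1723 for the control channel
# and GRE (IP protocol 47) for the tunnel. The port is numeric rather than
# the "vpn" service name, so no /etc/services entry is needed.
pptp_rules() {
    extern_ip=$1
    intern_vpn_server=$2
    extern_vpn_port=${3:-1723}   # no external port given: use the PPTP port

    # Control channel: port forward to 1723 on the internal server.
    printf 'ipmasqadm portfw -a -P tcp -L %s %s -R %s 1723\n' \
        "$extern_ip" "$extern_vpn_port" "$intern_vpn_server"
    # Tunnel: GRE carries no ports, so portfw cannot handle it; ipfwd
    # forwards the whole protocol to the internal server.
    printf 'ipfwd --masq %s 47 &\n' "$intern_vpn_server"
    # Input chain: accept the forwarded control and tunnel traffic.
    # The GRE rule names the protocol and destination only, never a port.
    printf 'ipchains -A input -p tcp -d %s %s -j ACCEPT\n' \
        "$extern_ip" "$extern_vpn_port"
    printf 'ipchains -A input -p 47 -d %s -j ACCEPT\n' "$extern_ip"
}

# gre_rule_ok 'ipchains ...'
# Returns 0 unless the line is a protocol-47 rule that also carries a port,
# either as "-s/-d ADDR PORT" or as --sport/--dport. ipchains rejects such a
# rule with "can only specify ports for icmp, tcp or udp".
gre_rule_ok() {
    printf '%s\n' "$1" | awk '
    {
        gre = 0
        for (i = 1; i < NF; i++)
            if ($i == "-p" && ($(i + 1) == "47" || $(i + 1) == "gre")) gre = 1
        if (!gre) exit 0
        for (i = 1; i <= NF; i++) {
            if ($i == "--sport" || $i == "--dport") exit 1
            # after -s/-d comes the address; a further token that is not
            # an option is a port
            if (($i == "-s" || $i == "-d") && i + 2 <= NF && substr($(i + 2), 1, 1) != "-")
                exit 1
        }
        exit 0
    }'
}

# check_ruleset < rules
# Reads generated lines from stdin, reports any bad GRE rule on stderr and
# returns 1 if one was found, 0 otherwise.
check_ruleset() {
    bad=0
    while IFS= read -r line; do
        case $line in
            ipchains*) gre_rule_ok "$line" || { bad=1; printf 'BAD: %s\n' "$line" >&2; } ;;
        esac
    done
    return $bad
}

# Usage: rules for a firewall on 203.0.113.5 (made-up address) with a PPTP
# server at 192.168.2.10, checked and then printed for review.
pptp_rules 203.0.113.5 192.168.2.10 | check_ruleset
pptp_rules 203.0.113.5 192.168.2.10
```

The check deliberately inspects only ipchains lines; ipfwd takes a protocol number and no port, so it cannot make the same mistake. Feeding it the rule from the quoted message (`-d 0/0 1723 -p 47`) reports it as bad, while the minimal `ipchains -A input -p 47 -j ACCEPT` passes.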