Andy,
Here is what I added here at VQA to get VPN to work.
network.conf
# TCP services open to outside world
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
EXTERN_TCP_PORT0="0/0 1723 0/0"
# Generic Services open to outside world
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
EXTERN_PROTO0="47 0/0 0/0" # VPN
{These sections open the ports needed from the Internet and can be used to limit who can access your VPN service if you wish.}
###############################################################################
# Port Forwarding
###############################################################################
INTERN_VPN_SERVER=192.168.45.5 # Internal VPN server to make available
EXTERN_VPN_PORT=1723 # External port to use for internal VPN access
{This defines which server and allows for easy changes as I have 5 firewalls on different sites. This allows a single change to define the server when I set up a new site.}
ipfilter.conf
{original section, about two thirds of the way down the file}
if [ -n "$INTERN_SSH_SERVER" ] ; then
    if [ -n "$EXTERN_SSH_PORT" ] ; then
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_SSH_PORT \
            -R $INTERN_SSH_SERVER ssh
    else
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP ssh \
            -R $INTERN_SSH_SERVER ssh
    fi
fi
{Added section immediately follows. This section adds the required rules.}
if [ -n "$INTERN_VPN_SERVER" ] ; then
    if [ -n "$EXTERN_VPN_PORT" ] ; then
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_VPN_PORT \
            -R $INTERN_VPN_SERVER vpn
    else
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP vpn \
            -R $INTERN_VPN_SERVER vpn
    fi
    ipfwd --masq $INTERN_VPN_SERVER 47 &
fi
Hope this helps you.
Andrew Gray
System Administrator / Senior Technician
Operations
VQA Australasia
Phone: (07) 3804 9822
Fax: (07) 3807 8633
Mob: 0418 734 078
___________________________________________
NOTICE
The information contained in this electronic mail message is privileged and
confidential, and is intended only for use of the addressee. If you are not
the intended recipient, any disclosure, reproduction, distribution or other
use of this communication is strictly prohibited. If you have received this
communication in error, please notify the sender by reply transmission and
delete the message without copying or disclosing it.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Smith-Petersen -- Not Entered --
Sent: Fri, 28 Jun 2002 09:56
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] VPN Through Dachstein and SSH problems
Thanks for that tip, guitarlynn. That wasn't the answer - or I have something else wrong or incomplete - and I still wasn't seeing anything in the log to help. So I added the last line, below, to ipchains.input (I have nothing in ipchains.forward or ipchains.output):
$IPCH -I input -j DENY -p all -s 0/0 -d 224.0.0.10 -i $EXTERN_IF
$IPCH -I input -j DENY -p all -s 0/0 -d 255.255.255.255 -i $EXTERN_IF
$IPCH -I input -j DENY -p all -s 0/0 -d 224.0.0.0/4 -i $EXTERN_IF
$IPCH -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
...and now I see the following in the log...
Jun 27 19:45:26 firewall kernel: Packet log: input ACCEPT eth1 PROTO=6 192.168.1.1:1256 130.111.135.159:1723 L=48 S=0x00 I=6602 F=0x4000 T=128 SYN (#34)
I haven't read anything indicating that I would need to add entries to a basic Dachstein setup... but wonder if I need to explicitly "ipmasq portfw...." something? And in which file would that go?
Thanks very much,
Andy
>>> guitarlynn >>>>
>Try this instead of the UDP port:
>EXTERN_TCP_PORTS="130.111.135.159/32_1723"
>
>> and
>>
>> EXTERN_PROTO0="47 130.111.135.159/32"
>
>--
>
>~Lynn Avants
>aka Guitarlynn
>
>guitarlynn at users.sourceforge.net
>http://leaf.sourceforge.net
>
>If linux isn't the answer, you've probably got the wrong question!
--
_______________________________________________
Download the free Opera browser at http://www.opera.com/
Free OperaMail at http://www.operamail.com/
Powered by Outblaze
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Bringing you mounds of caffeinated joy.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
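The kernel log line Andy quotes is the one piece of evidence in this thread that separates the two halves of a PPTP session: the TCP/1723 control connection and the GRE tunnel (IP protocol 47), which is what the EXTERN_PROTO0 entry and the ipfwd --masq line in the reply exist for. What follows is an added example, not code from the thread or from the LEAF project: a small Python parser for ipchains "Packet log:" lines that reports which half the firewall saw and with what verdict, so a missing or denied GRE rule turns into an explicit finding rather than a tunnel that connects on 1723 and then hangs. The first sample line is Andy's own, rejoined; the GRE and broadcast lines are constructed for this example, and the 65535 values on the GRE line stand in for the placeholder port numbers ipchains prints for protocols that have no ports (the parser discards them rather than interpreting them).

```python
import re

# ipchains kernel "Packet log:" format, as in the line Andy quoted above.
# Port fields only mean something for TCP (6) and UDP (17); for other
# protocols ipchains prints placeholder numbers there, so they are parsed
# but discarded unless the protocol is TCP or UDP.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

TCP, UDP, GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723   # the port forwarded by EXTERN_TCP_PORT0 in the thread

# Constructed sample: the first line is Andy's, rejoined onto one line; the GRE
# and broadcast lines are made up for this example.
SAMPLE_LOG = [
    "Jun 27 19:45:26 firewall kernel: Packet log: input ACCEPT eth1 PROTO=6 "
    "192.168.1.1:1256 130.111.135.159:1723 L=48 S=0x00 I=6602 F=0x4000 T=128 SYN (#34)",
    "Jun 27 19:45:31 firewall kernel: Packet log: input DENY eth1 PROTO=47 "
    "192.168.1.1:65535 130.111.135.159:65535 L=68 S=0x00 I=6610 F=0x4000 T=128 (#12)",
    "Jun 27 19:45:33 firewall kernel: Packet log: input DENY eth1 PROTO=17 "
    "130.111.135.1:138 255.255.255.255:138 L=229 S=0x00 I=7001 F=0x0000 T=64 (#2)",
]


def parse_line(line):
    """Return the fields of one ipchains packet-log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["flags"] = rec["flags"].split()          # e.g. ["SYN"] or []
    if rec["proto"] not in (TCP, UDP):
        rec["sport"] = rec["dport"] = None        # placeholders, not real ports
    return rec


def pptp_status(lines, control_port=PPTP_CONTROL_PORT):
    """Report which halves of a PPTP session were logged and what the firewall did with them."""
    verdicts = {"control": set(), "gre": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == TCP and rec["dport"] == control_port:
            verdicts["control"].add(rec["verdict"])
        elif rec["proto"] == GRE:
            verdicts["gre"].add(rec["verdict"])

    findings = []
    if not verdicts["control"]:
        findings.append("no TCP/%d control traffic logged: check EXTERN_TCP_PORT0 "
                        "and the portfw rule" % control_port)
    elif "ACCEPT" not in verdicts["control"]:
        findings.append("TCP/%d control traffic seen but never accepted: %s"
                        % (control_port, ", ".join(sorted(verdicts["control"]))))
    if not verdicts["gre"]:
        findings.append("no GRE (protocol 47) logged: the control channel alone "
                        "carries no tunnel; check EXTERN_PROTO0 and ipfwd --masq")
    elif "ACCEPT" not in verdicts["gre"]:
        findings.append("GRE (protocol 47) seen but never accepted: %s"
                        % ", ".join(sorted(verdicts["gre"])))
    return {
        "control": sorted(verdicts["control"]),
        "gre": sorted(verdicts["gre"]),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in pptp_status(SAMPLE_LOG)["findings"]:
        print("finding:", finding)
```

Run against the constructed sample it reports one finding: the control connection was accepted but GRE was denied, which is exactly the situation a PPTP client experiences as "authenticates, then times out". Feed it the real kernel log (grep for "Packet log:" first) and a clean run returns an empty findings list; note that ipchains only logs packets hitting rules created with -l, so the GRE rule being checked needs that flag while troubleshooting.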