I have a LINUX firewall protecting my local LAN. I
have 2 computers that use the Nortel VPN client to connect to my office. I can
make the VPN connection, but I can't seem to stay connected for more than 10 to
15 min. Suddenly the system stops responding. If you look at the VPN icon, only
the top half of the icon blinks. When things are working properly, both the top
and bottom half of the VPN icon flash. While this is happening, other computers
connected to the Internet continue to work without a problem. I was looking in
/proc/net/ip_conntrack file and notice that I seem to lose my connection every
time I get an entry like the following in that file:
unknown 50 523 src=192.168.XX.X dst=192.128.166.44 src=192.128.166.44 dst=XX.XXX.XXX.XX use=1
I'm not sure why I'm getting an unknown packet. I'm
also not sure how iptables should handle an unknown packet. If anyone can shed
some light on this subject, I'd greatly appreciate it.
192.168.XX.X = Local LAN address
XX.XXX.XXX.XX = My IP address
LINUX OS: Redhat Kernel 2.4.18-3
iptables: 1.2.5
VPN Client: Nortel 2.62.33
IPTables Setup File:
#!/bin/sh
# Path of the iptables program
IPTABLES="/sbin/iptables"
# Private LAN address
IN_LAN="192.168.XX.X/24"
# Private LAN interface
IN_LAN_INTERFACE="eth0"
# Private LAN interface address
IN_LAN_INTERFACE_ADDR="192.168.XX.X"
# External LAN interface
EXT_LAN_INTERFACE="eth1"
# External LAN interface address
EXT_LAN_INTERFACE_ADDR="XX.XXX.XXX.XX"
# Flush all the current packet filtering rules
$IPTABLES -F
# Set default policy to deny everything
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Allow packets from the internal LAN to the firewall
$IPTABLES -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $IN_LAN_INTERFACE -j ACCEPT
# Allow packets coming to the external interface only if already
# established or related to a current session
$IPTABLES -A INPUT -i $EXT_LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow packets generated from the firewall
$IPTABLES -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
# Allow packets coming from the internal LAN to the external interface
$IPTABLES -A FORWARD -s $IN_LAN -j ACCEPT
# Allow packets coming to the external interface only if already
# established or related to a current session
$IPTABLES -A FORWARD -j LOG
$IPTABLES -A FORWARD -i $EXT_LAN_INTERFACE -o $IN_LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IN_LAN_INTERFACE -o $EXT_LAN_INTERFACE -j ACCEPT
# Set up network address translation
$IPTABLES -t nat -A POSTROUTING -o $EXT_LAN_INTERFACE -j SNAT --to $EXT_LAN_INTERFACE_ADDR
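Added example, not code from the poster or the netfilter project: a small Python parser for lines in the 2.4-kernel /proc/net/ip_conntrack layout that decodes an "unknown 50" entry like the one quoted above as IP protocol 50 (ESP), shows that the generic tracker records no ports, and reports whether SNAT is in effect and how much of the timeout remains. The sample lines and their addresses are constructed.

```python
import re

# Constructed sample in the 2.4-kernel /proc/net/ip_conntrack layout; the ESP
# line mirrors the one quoted in the post, with documentation-range addresses.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.10.5 dst=203.0.113.9 sport=33211 dport=443 src=203.0.113.9 dst=198.51.100.7 sport=443 dport=33211 [ASSURED] use=1
udp      17 29 src=192.168.10.5 dst=192.128.166.44 sport=500 dport=500 [UNREPLIED] src=192.128.166.44 dst=198.51.100.7 sport=500 dport=500 use=1
unknown  50 523 src=192.168.10.5 dst=192.128.166.44 src=192.128.166.44 dst=198.51.100.7 use=1
"""

# Protocol numbers a 2.4 kernel prints as "unknown": it has no tracker for
# them, so the generic tracker keys the entry on addresses only (no ports).
GENERIC_PROTOS = {47: "GRE", 50: "ESP", 51: "AH"}
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)(?: sport=(\d+) dport=(\d+))?")

def parse_entry(line):
    """Split one conntrack line into protocol, timeout, state and both tuples."""
    fields = line.split()
    name, number, timeout = fields[0], int(fields[1]), int(fields[2])
    state = None if fields[3].startswith("src=") else fields[3]  # TCP only
    orig, reply = TUPLE_RE.findall(line)[:2]
    tup = lambda t: {"src": t[0], "dst": t[1], "sport": t[2] or None, "dport": t[3] or None}
    return {
        "proto": GENERIC_PROTOS.get(number, name) if name == "unknown" else name,
        "proto_num": number,
        "generic": name == "unknown",
        "timeout": timeout,
        "state": state,
        "orig": tup(orig),
        "reply": tup(reply),
        "assured": "[ASSURED]" in line,
        "unreplied": "[UNREPLIED]" in line,
        # Replies go to the firewall's external address, not the LAN host: SNAT.
        "snat": reply[1] != orig[0],
    }

def report_generic(text):
    """One note per generic-tracked entry, naming the real protocol."""
    notes = []
    for entry in map(parse_entry, text.splitlines()):
        if entry["generic"]:
            notes.append("%s (proto %d) %s -> %s: generic tracker, no ports, %ds left, %s, %s"
                         % (entry["proto"], entry["proto_num"], entry["orig"]["src"],
                            entry["orig"]["dst"], entry["timeout"],
                            "SNAT" if entry["snat"] else "no NAT",
                            "assured" if entry["assured"] else "not assured"))
    return notes
```

On a live 2.4 box, `report_generic(open("/proc/net/ip_conntrack").read())` produces the same notes for the real table.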
- Re: VPN behind Linux Firewall kayegee
- Re: VPN behind Linux Firewall Antony Stone
- Re: VPN behind Linux Firewall Antony Stone
- RE: VPN behind Linux Firewall Rowan Reid
