| Linode Forum https://forum.linode.com/ |
|
| VPN iptables rules https://forum.linode.com/viewtopic.php?f=19&t=9340 |
| Author: | tbaker [ Sun Sep 02, 2012 11:00 am ] |
| Post subject: | VPN iptables rules |
Hi, I've been following this guide on setting up a VPN, which is nearly working.

[url]http://wiki.nikoforge.org/L2TP/IPSec_VPN_Setup_on_Centos_6_(64-bit)_for_use_with_Android_ICS_and_iOS_5_Clients#Firewall.2FRouter_Configuration[/url]

The only issue I'm having is that if I disable iptables, I can connect, but any sites I request on my iPad don't get forwarded out to the internet. If I turn on iptables, I can't connect at all. I haven't set up any port forwarding, which I believe I need to be able to do. Could someone provide me with some pointers on what my iptables should look like?

The site above says I need to forward the following ports:

Port   Protocol   Description
500    UDP        L2TP IKE
4500   UDP        L2TP NAT-T
1701   UDP        L2TP Traffic

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   38  3582 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             loopback/8           reject-with icmp-port-unreachable
  333 25029 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:isakmp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ipsec-nat-t
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:l2tp
    9   540 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
   18  5422 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  400 74181 ACCEPT     all  --  any    any     anywhere             anywhere

Thanks! |
|
| Author: | hoopycat [ Sun Sep 02, 2012 12:36 pm ] |
| Post subject: | Re: VPN iptables rules |
You'll want to allow UDP ports 500, 1701, and 4500 instead of the TCP ports. The sole REJECT rule in the FORWARD chain is most likely going to be a problem, as well. |
|
| Author: | tbaker [ Sun Sep 02, 2012 12:46 pm ] |
| Post subject: | Re: VPN iptables rules |
Thanks - I can now connect with iptables running, but still can't get out externally on my iPad.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:l2tp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ipsec-nat-t
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

This is what I see in /var/log/messages:

Sep 2 16:43:57 server pppd[19239]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[500] used for NAT-T
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[500] used as isakmp port (fd=21)
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[4500] used for NAT-T
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[4500] used as isakmp port (fd=22)
Sep 2 16:43:57 server pppd[19239]: Cannot determine ethernet address for proxy ARP
Sep 2 16:43:57 server pppd[19239]: local IP address 192.168.0.50
Sep 2 16:43:57 server pppd[19239]: remote IP address 192.168.0.99 |
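The ruleset hoopycat's reply describes (UDP 500/1701/4500 on INPUT, no blanket REJECT in FORWARD), written out as an iptables-restore file, as an added example that is not code from this thread or from the nikoforge guide. It goes beyond the thread in two ways a practitioner would want for the "connected but can't get out" symptom in the last post: a MASQUERADE rule plus an ip_forward check, since clients with private 192.168.0.x addresses cannot reach the internet without NAT and forwarding, and a policy match so UDP 1701 is only accepted inside the IPsec tunnel. Assumptions: the public interface is eth0, pppd hands clients addresses from 192.168.0.0/24 on ppp+ interfaces, and the function names vpn_ruleset and forwarding_enabled are this example's own.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for an L2TP/IPsec server.
# Usage:  sh vpn-fw.sh | sudo iptables-restore
# Assumed: WAN interface eth0, VPN client pool 192.168.0.0/24 on ppp+ (override via env).
WAN_IF=${WAN_IF:-eth0}
VPN_NET=${VPN_NET:-192.168.0.0/24}

# Prints the ruleset. filter table: loopback, established flows, SSH, and the three
# UDP ports the VPN needs (500 isakmp, 4500 NAT-T, 1701 l2tp). 1701 is only accepted
# for packets that arrived through an IPsec SA (xt_policy), never in the clear.
# FORWARD carries client traffic ppp+ -> WAN instead of rejecting it; the nat table
# masquerades that traffic so replies come back to the server's public address.
vpn_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -s $VPN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Returns 0 when IPv4 forwarding is on; without it the FORWARD rules never see traffic.
# Takes an optional path so the check can be exercised against a test file.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

vpn_ruleset
forwarding_enabled || echo "note: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p" >&2
```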
|
| All times are UTC-04:00 |