I have iptables v1.2.3 on Red Hat 7.2, currently running with IP masq, ssh, squid and apache. Everything is fine in the UNIX world, that is, people can securely log in to the firewall box from the internet, and a telnet session from there is started to a UNIX box. Now we need to add a Windows 2000 server and allow some people to tunnel in to it from DSL connections at home and run a client app, and the VPN must use IPsec and 3DES to conform to government regulations. So, is using Shorewall a good choice for me? Getting rid of Windows 2000 is not an option for me, unfortunately. Is there a problem with having IP masq? Thanks to all.
Kelly Watts at Ring's End wrote:

> I have iptables v1.2.3 on Red Hat 7.2, currently running with IP masq,
> ssh, squid and apache. Everything is fine in the UNIX world, that is,
> people can securely log in to the firewall box from the internet, and a
> telnet session from there is started to a UNIX box. Now we need to add a
> Windows 2000 server and allow some people to tunnel in to it from DSL
> connections at home and run a client app, and the VPN must use IPsec and
> 3DES to conform to government regulations. So, is using Shorewall a good
> choice for me? Getting rid of Windows 2000 is not an option for me,
> unfortunately. Is there a problem with having IP masq? Thanks to all.

(I didn't see anyone else reply to this - did it get missed?)

Kelly, the bottom line is that Shorewall is a frontend/preprocessor for iptables. Thus, what iptables can do, Shorewall can do. You may find some areas of iptables which Shorewall doesn't handle natively, but these are typically fairly exotic things that are not normally required, and they can be implemented using manual iptables commands in conjunction with Shorewall.

Paul
http://paulgear.webhop.net
On Mon, 24 Jun 2002, Paul Gear wrote:

> Kelly Watts at Ring's End wrote:
>
> > I have iptables v1.2.3 on Red Hat 7.2, currently running with IP masq,
> > ssh, squid and apache. Everything is fine in the UNIX world, that is,
> > people can securely log in to the firewall box from the internet, and a
> > telnet session from there is started to a UNIX box. Now we need to add a
> > Windows 2000 server and allow some people to tunnel in to it from DSL
> > connections at home and run a client app, and the VPN must use IPsec and
> > 3DES to conform to government regulations. So, is using Shorewall a good
> > choice for me? Getting rid of Windows 2000 is not an option for me,
> > unfortunately. Is there a problem with having IP masq? Thanks to all.
>
> (I didn't see anyone else reply to this - did it get missed?)
>
> Kelly, the bottom line is that Shorewall is a frontend/preprocessor for
> iptables. Thus, what iptables can do, Shorewall can do. You may find some
> areas of iptables which Shorewall doesn't handle natively, but these are
> typically fairly exotic things that are not normally required, and they can
> be implemented using manual iptables commands in conjunction with Shorewall.

As for masquerading an IPsec endpoint, if you forward protocol 50 (ESP) and UDP port 500 to the server, it should work. Note that you can't use AH (protocol 51), since AH incorporates a cryptographic checksum that includes the IP addresses in the IP header. Since any form of NAT (including masquerade) rewrites those IP addresses, the NATed packets will fail the checksum test and will be discarded by the destination IPsec gateway.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
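The AH-versus-ESP point in Tom's reply, shown as a toy model of what the destination gateway's integrity check sees before and after a masquerading box rewrites the address. This is an added illustration, not code from the thread, from Shorewall, or from any IPsec implementation: the key, addresses, SPIs and payload are constructed for the example; the IPv4 header is a fixed 20 bytes with no options and a zero checksum; ESP encryption is left out so only the integrity check is modelled; and the ICV is HMAC-SHA1 truncated to 96 bits, as RFC 2402/2404 describe. The mutable-field handling for AH (TOS, flags/fragment offset, TTL and checksum zeroed; addresses kept) is the part that matters for the argument.

```python
"""Why NAT breaks AH (protocol 51) but not ESP (protocol 50): a toy model.

Added example, not part of the mailing-list thread.  All packets, keys and
addresses below are constructed; header layouts are simplified.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"  # shared integrity key (constructed)
AH_PROTO, ESP_PROTO = 51, 50
ICV_LEN = 12  # HMAC-SHA1-96


def ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero for brevity."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, ip2b(src), ip2b(dst))


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable-in-transit.  Source and
    destination addresses are NOT in that set, so a NAT rewrite is covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL (routers decrement it)
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def build_ah(src: str, dst: str, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # next header = UDP (17), payload len in 32-bit words minus 2, reserved, SPI, seq
    ah_hdr = struct.pack("!BBHII", 17, ah_len // 4 - 2, 0, spi, seq)
    covered = ah_immutable_view(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return ip_hdr + ah_hdr + icv(covered) + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_hdr, tag, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    covered = ah_immutable_view(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return hmac.compare_digest(tag, icv(covered))


def build_esp(src: str, dst: str, payload: bytes, spi: int = 0x200, seq: int = 1) -> bytes:
    # Real ESP encrypts payload+trailer; here only the integrity check is modelled.
    # The ICV covers the ESP header and payload and never the outer IP header.
    body = struct.pack("!II", spi, seq) + payload
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + icv(body)


def verify_esp(pkt: bytes) -> bool:
    body, tag = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(body))


def dnat(pkt: bytes, new_dst: str) -> bytes:
    """What the masquerading box does to an inbound packet forwarded to the
    Windows server: rewrite the destination address (it would also recompute
    the IP checksum, which AH ignores anyway)."""
    h = bytearray(pkt[:20])
    h[16:20] = ip2b(new_dst)
    return bytes(h) + pkt[20:]


def demo() -> dict:
    payload = b"IKE/application payload (constructed)"
    home, fw_public, w2k_inside = "203.0.113.7", "198.51.100.1", "192.168.1.20"
    ah = build_ah(home, fw_public, payload)
    esp = build_esp(home, fw_public, payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(dnat(ah, w2k_inside)),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(dnat(esp, w2k_inside)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'DISCARDED'}")
```

The only difference between the two cases is which bytes the ICV covers: AH's check spans the immutable part of the IP header, addresses included, so the packet arriving at the Windows 2000 server with its inside address no longer matches; ESP's check starts after the IP header, so the same rewrite leaves it intact. That is why the forwarding Tom describes (protocol 50 plus UDP 500 for IKE) works while AH cannot pass through a masquerade.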