Hi,

I want a Win-Box in my LAN with its SafeNet VPN-Client to connect to a VPN-Gateway outside through my shorewalled gateway (Mandrake MNF). Does anybody know how to define the rules?

Thanx
Marco
--On Thursday, December 26, 2002 10:35:21 PM +0100 m.schierle@t-online.de wrote:

> Hi,
>
> I want a Win-Box in my LAN with its SafeNet VPN-Client to connect to a
> VPN-Gateway outside through my shorewalled gateway (Mandrake MNF). Does
> anybody know how to define the rules?
>

http://shorewall.sf.net/VPN.htm

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Thanx for your answer. But is there no other solution? When shorewall is iptables-based I'm looking for something like this:

$IPTABLES -A INPUT -p udp -s 192.168.177.0/24 --source-port 500 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p 50 -s 192.168.177.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 192.168.177.0/24 --source-port 500 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p 50 -s 192.168.177.0/24 -m state --state NEW -j ACCEPT

This worked for me, when I used devil-linux and an iptables-script generated by fwbuilder.
Is shorewall able to do this?

Thanx
marco

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, 27 December 2002 01:40
To: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Ipsec passthrough

--On Thursday, December 26, 2002 10:35:21 PM +0100 m.schierle@t-online.de wrote:

> Hi,
>
> I want a Win-Box in my LAN with its SafeNet VPN-Client to connect to a
> VPN-Gateway outside through my shorewalled gateway (Mandrake MNF).
> Does anybody know how to define the rules?
>

http://shorewall.sf.net/VPN.htm

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
--On Friday, December 27, 2002 11:01:13 PM +0100 m.schierle@t-online.de wrote:

> Thanx for your answer. But is there no other solution? When shorewall is
> iptables-based I'm looking for something like this:
>
> $IPTABLES -A INPUT -p udp -s 192.168.177.0/24 --source-port 500 -m
> state --state NEW -j ACCEPT
>
> $IPTABLES -A INPUT -p 50 -s 192.168.177.0/24 -m state --state NEW -j
> ACCEPT
>
> $IPTABLES -A FORWARD -p udp -s 192.168.177.0/24 --source-port 500 -m
> state --state NEW -j ACCEPT
>
> $IPTABLES -A FORWARD -p 50 -s 192.168.177.0/24 -m state --state NEW -j
> ACCEPT
>
> This worked for me, when I used devil-linux and an iptables-script
> generated by fwbuilder.
> Is shorewall able to do this?
>

Sure but the above four rules don't make much sense given that the first two assume that the IPSEC endpoint is on the firewall system and the second two assume that it is somewhere else.

In the above rules, where is the 192.168.177.0/24 subnet? In the local network?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Thanx for the quick reply! Great!

Sorry, I'm not an iptables specialist. I just copied the iptables-rules I found in my old iptables-script generated by fwbuilder.

To your next point:
You are right. 192.168.177.0/24 is the LAN. All clients in that LAN should be able to use their own ipsec-clients to connect to remote-vpns.

It would be great, if you could give me some more hints...

Thanx
Marco

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, 27 December 2002 23:17
To: shorewall-users@shorewall.net
Subject: Re: AW: [Shorewall-users] Ipsec passthrough

--On Friday, December 27, 2002 11:01:13 PM +0100 m.schierle@t-online.de wrote:

> Thanx for your answer. But is there no other solution? When shorewall
> is iptables-based I'm looking for something like this:
>
> $IPTABLES -A INPUT -p udp -s 192.168.177.0/24 --source-port 500 -m
> state --state NEW -j ACCEPT
>
> $IPTABLES -A INPUT -p 50 -s 192.168.177.0/24 -m state --state NEW -j
> ACCEPT
>
> $IPTABLES -A FORWARD -p udp -s 192.168.177.0/24 --source-port 500 -m
> state --state NEW -j ACCEPT
>
> $IPTABLES -A FORWARD -p 50 -s 192.168.177.0/24 -m state --state NEW
> -j ACCEPT
>
> This worked for me, when I used devil-linux and an iptables-script
> generated by fwbuilder. Is shorewall able to do this?
>

Sure but the above four rules don't make much sense given that the first two assume that the IPSEC endpoint is on the firewall system and the second two assume that it is somewhere else.

In the above rules, where is the 192.168.177.0/24 subnet? In the local network?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
--On Friday, December 27, 2002 11:56:08 PM +0100 m.schierle@t-online.de wrote:

> Thanx for the quick reply! Great!
>
> Sorry, I'm not an iptables specialist. I just copied the iptables-rules I
> found in my old iptables-script generated by fwbuilder.
>
> To your next point:
> You are right. 192.168.177.0/24 is the LAN. All clients in that LAN
> should be able to use their own ipsec-clients to connect to remote-vpns.
>
> It would be great, if you could give me some more hints...

The page that I referred you to (http://shorewall.sf.net/VPN.htm) gives you all of the rules you need to run an ipsec client behind Shorewall UNLESS you have a loc->net policy of DROP or REJECT. In that case, you will also need:

ACCEPT loc net[:<ip of remote endpoint>] udp 500 500
ACCEPT loc net[:<ip of remote endpoint>] 50

If you omit the ":<ip of remote endpoint>", local clients will be able to try to connect to any internet host.

If you are having problems using those rules then who don't you tell us what problems you are seeing and we'll try to help?

-Tom

>
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
> Sent: Friday, 27 December 2002 23:17
> To: shorewall-users@shorewall.net
> Subject: Re: AW: [Shorewall-users] Ipsec passthrough
>
> --On Friday, December 27, 2002 11:01:13 PM +0100 m.schierle@t-online.de
> wrote:
>
>> Thanx for your answer. But is there no other solution? When shorewall
>> is iptables-based I'm looking for something like this:
>>
>> $IPTABLES -A INPUT -p udp -s 192.168.177.0/24 --source-port 500 -m
>> state --state NEW -j ACCEPT
>>
>> $IPTABLES -A INPUT -p 50 -s 192.168.177.0/24 -m state --state NEW -j
>> ACCEPT
>>
>> $IPTABLES -A FORWARD -p udp -s 192.168.177.0/24 --source-port 500 -m
>> state --state NEW -j ACCEPT
>>
>> $IPTABLES -A FORWARD -p 50 -s 192.168.177.0/24 -m state --state NEW
>> -j ACCEPT
>>
>> This worked for me, when I used devil-linux and an iptables-script
>> generated by fwbuilder. Is shorewall able to do this?
>>
>
> Sure but the above four rules don't make much sense given that the first
> two assume that the IPSEC endpoint is on the firewall system and the
> second two assume that it is somewhere else.
>
> In the above rules, where is the 192.168.177.0/24 subnet? In the local
> network?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
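An added example, not code from the thread and not Shorewall's own code: it prints the two Shorewall rules Tom gives above side by side with the plain iptables commands a reader coming from an fwbuilder script would recognise, once with the ":<ip of remote endpoint>" restriction and once without it. It assumes (constructed for the example) that "loc" is eth1, "net" is eth0, the LAN is 192.168.177.0/24 as in the thread, and 203.0.113.5 stands in for the remote VPN gateway. Only FORWARD rules appear, since the IPsec endpoint is a LAN host and not the firewall itself (Tom's point about the INPUT rules); the commands are printed, not applied.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Prints the Shorewall
# rules-file lines and the equivalent hand-written iptables commands for an
# IPsec client on the LAN going out through the firewall. Nothing is applied.
# Constructed assumptions: loc = eth1, net = eth0, LAN = 192.168.177.0/24.
# Only NEW-state rules are shown, as in the thread; return traffic is assumed
# to be accepted by an existing ESTABLISHED/RELATED rule.

LOC_IF=eth1
NET_IF=eth0
LOC_NET=192.168.177.0/24

# shorewall_rules [REMOTE_ENDPOINT]
# Emits the two /etc/shorewall/rules lines Tom gives
# (columns: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT).
# With an endpoint, DEST is "net:<ip>"; without one it stays "net" and every
# LAN client may try IKE/ESP to any internet host (Tom's caveat).
shorewall_rules() {
    dest=net
    if [ -n "$1" ]; then
        dest="net:$1"
    fi
    printf 'ACCEPT %s %s udp 500 500\n' loc "$dest"   # IKE: UDP 500 -> 500
    printf 'ACCEPT %s %s 50\n' loc "$dest"            # ESP: IP protocol 50
}

# iptables_rules [REMOTE_ENDPOINT]
# The same policy as explicit iptables commands on the FORWARD chain.
# An endpoint argument adds "-d <ip>" to both rules.
iptables_rules() {
    dopt=""
    if [ -n "$1" ]; then
        dopt="-d $1 "
    fi
    printf 'iptables -A FORWARD -i %s -o %s -s %s %s-p udp --sport 500 --dport 500 -m state --state NEW -j ACCEPT\n' \
        "$LOC_IF" "$NET_IF" "$LOC_NET" "$dopt"
    printf 'iptables -A FORWARD -i %s -o %s -s %s %s-p 50 -m state --state NEW -j ACCEPT\n' \
        "$LOC_IF" "$NET_IF" "$LOC_NET" "$dopt"
}

# Usage: restricted to one remote endpoint (203.0.113.5 is a documentation
# address standing in for the real remote VPN gateway), then unrestricted.
echo '# restricted to the remote endpoint'
shorewall_rules 203.0.113.5
iptables_rules 203.0.113.5
echo '# unrestricted: any LAN host may initiate IPsec to any internet host'
shorewall_rules
iptables_rules
```

The unrestricted form is what Marco's original FORWARD rules express (source subnet only, no destination); the restricted form is the one to prefer when the remote gateway address is fixed, because it keeps the loc->net DROP/REJECT policy in force for everything except that one peer.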
--On Saturday, December 28, 2002 07:10:30 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> If you are having problems using those rules then who don't you tell us
> what problems you are seeing and we'll try to help?

Make that "If you are having problems using those rules then _why_ don't you ..."

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net