> Vpn Server Behind Suse Linux 9.2 Firewall
gem124
post Mar 30 2005, 05:16 AM
Post #1
Hi all,

I have installed SuSE Linux 9.2 on my new server.
It's a server directly connected to the internet, so it has only one NIC.
The NIC has a direct internet IP.


I have SuSEfirewall2 up and running.

I want to allow the service PPTP on port 1723 to pass the firewall.
I want to connect from any Windows machine to this VPN server.

Services like SSH or Samba need to work over/through this VPN.
When I open up port 1723 I can connect to the VPN server, but no traffic is possible over this connection.

What am I doing wrong?

IP protocol 47 (GRE) is forwarded too, and 1723 UDP as well, but still no go.

Without the firewall everything is working fine.

Any ideas?

Thanks.
Robert83
post Mar 30 2005, 08:45 AM
Post #2
Hi,

I'm not 100% sure of the thing you want to accomplish here, but if you want something like this:

LAN computer (TRUSTED) ----- FIREWALL (SAMBA, SSH, DHCP, DNS, SQUID etc...) --- INTERNET

then you can do this :

open up a console and as root

CODE
cd /root
vi iptables-home


type in this
#!/bin/sh
# flush any rules left from a previous run, otherwise sourcing this file twice duplicates every rule
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# with these 3 rules we make the default policy drop everything
# lets imagine that our internal lan is connected to eth0, and the internet is available via eth1
# the kernel only forwards between the two interfaces when ip_forward is switched on
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# we let everybody freely out to the internet
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# we only allow already established or related connections
# match loopback by interface, not by source address: a packet from eth1 claiming 127.0.0.1 must not get in
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# these rules are the input rules, they go directly into the firewall, we allow loopback here, lan, and only allow connections that are already established or related. nothing else.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -s 192.168.0.200 -j ACCEPT
iptables -A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
# we allow all connections from the firewall eth0, eth1 and loopback out

iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx
# this is a very important part of the setup, here we translate local private ips to the public firewall ip, and back, without this other machines on the internet would not know where to send packets.

xxx.xxx.xxx.xxx = public IP address of eth1
192.168.0.0/255.255.255.0 is the LAN, of course you can use other numbers here
192.168.0.200 = firewall's eth0

With this setup you are fairly secure, and the firewall is freely accessible from the LAN, so Samba and other stuff will have no problems.

As for the internet part, we don't allow anything at all to go through our firewall.

CODE
/etc/init.d/iptables stop
source /root/iptables-home
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables start


www.grc.com

If you did this properly, all is accessible from inside the LAN, and you are running in FULL STEALTH mode.

Sincerely
Robert B
