Full Version: Vpn Server Behind Suse Linux 9.2 Firewall
gem124
Hi all,

I have installed SUSE Linux 9.2 on my new server.
It's a server directly connected to the internet, so it has only one NIC.
The NIC has got a direct internet IP.


I have SuSEfirewall2 up and running.

I want to allow the service PPTP on port 1723 to pass the firewall.
I want to connect from any Windows machine to this VPN server.

Services like SSH or Samba need to work over/through this VPN.
When I open up port 1723 I can connect to the VPN server, but there is no traffic possible over this connection.

What am i doing wrong?

Also IP port 47 GRE is forwarded and 1723 UDP too, but still no go.

Without the firewall everything is working fine.

Any ideas?

Thanks.
Robert83
Hi,

I'm not sure (100%) of the thing you want to accomplish here, but if you want something like this:

LAN computer (TRUSTED) ----- FIREWALL (SAMBA, SSH, DHCP, DNS, SQUID etc...) --- INTERNET

then you can do this:

Open up a console and, as root:

CODE
cd /root
vi iptables-home


Type in this:
# Default policy: drop everything that no later rule explicitly accepts.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# With these 3 rules we make the default policy drop everything.
# Let's imagine that our internal LAN is connected to eth0, and the internet is available via eth1.
# The FORWARD rules below only see traffic if the kernel is allowed to route between the two
# interfaces; this line was not in the original post but the setup does not work without it.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# We let everybody freely out to the internet.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# We only allow already established or related connections back in.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# These are the input rules; they go directly into the firewall. We allow loopback here (matched by
# interface rather than by source address, so a packet from outside forging 127.0.0.1 is not let in),
# the LAN, and only connections that are already established or related. Nothing else.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -s 192.168.0.200 -j ACCEPT
iptables -A OUTPUT -s xxx.xxx.xxx.xxx -j ACCEPT
# We allow all connections from the firewall itself (eth0, eth1 and loopback) out.

# This is a very important part of the setup: here we translate local private IPs to the public
# firewall IP, and back. Without this, other machines on the internet would not know where to send
# packets. "-o eth1" restricts the rewrite to packets leaving towards the internet, so connections the
# firewall itself opens to LAN hosts keep their 192.168.0.200 source address.
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx = public IP address of eth1
192.168.0.0/255.255.255.0 is the LAN; of course you can use other numbers here
192.168.0.200 = the firewall's eth0

With this setup you are fairly secure, and the firewall is freely accessible from the LAN, so Samba and other stuff will have no problems.

As for the internet part, we don't allow anything at all to go through our firewall.

CODE
/etc/init.d/iptables stop
source /root/iptables-home
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables start


www.grc.com

If you did this properly, all is accessible from inside the LAN, and you are running in FULL STEALTH mode.

Sincerely
Robert B
Invision Power Board © 2001-2017 Invision Power Services, Inc.