[svlug] Opening up ipchains for ipsec

Larry Colen lrclug at red4est.com
Thu May 1 12:06:15 PDT 2003


The company I work at has the policy that employees can only access
the network from offsite via company owned (read windows) hardware
running the company vpn software (symantec/defender).

It seems as if red4est is not allowing the packets through that it
needs on ports 50 and 51. I'm not very well versed with ipchains and a
quick rotfm isn't very illuminating.

eth1 is the static address to the outside world.
eth0 goes to the lan.

Any clues as to what I need to do to my /etc/sysconfig/ipchains file
to make things happy?

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
# added 04/13/03 - dkw - for POP3 over SSL
-A input -s 0/0 -d 0/0 995 -p tcp -y -j ACCEPT
# -A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
# -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
# -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
# -y for these - ?
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

-P forward DENY
-A forward -i eth1 -j MASQ


=========

 thanks.
   Larry


-- 
I've found something worse than oldies station that play the music I used to
listen to. Oldies stations that play the "new" music I used to complain about.
lrc at red4est.com                                    http://www.red4est.com/lrc
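Added example, not code from the post or from the list: a small Python checker that parses rules in the sysconfig/ipchains syntax shown above and reports which rule an inbound packet hits, so the effect of the existing input chain on IPsec traffic can be checked before the file is edited. It assumes that ESP and AH travel as IP protocols 50 and 51 (they carry no port numbers) while IKE key exchange uses UDP port 500, and it evaluates only the input chain, not forwarding or MASQ.

```python
# Constructed subset of the input chain from the post (sysconfig/ipchains syntax).
RULES = """\
:input ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
"""

def parse(text):
    """Parse ':chain POLICY' lines and '-A chain ...' rules into dicts."""
    policy, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0][0] == "#":
            continue
        if tok[0][0] == ":":
            policy[tok[0][1:]] = tok[1]
            continue
        r, i = {"chain": tok[1], "syn": False}, 2
        while i < len(tok):
            f, i = tok[i], i + 1
            if f == "-y":                      # match only TCP SYN packets
                r["syn"] = True
            elif f in ("-s", "-d"):            # address, then optional port or lo:hi
                i += 1
                if i < len(tok) and tok[i][0].isdigit():
                    lo, _, hi = tok[i].partition(":")
                    r["sport" if f == "-s" else "dport"] = (int(lo), int(hi or lo))
                    i += 1
            elif f in ("-p", "-i", "-j"):
                r[{"-p": "proto", "-i": "iface", "-j": "target"}[f]] = tok[i]
                i += 1
        rules.append(r)
    return policy, rules

def verdict(text, chain, proto, iface, dport=None, sport=None, syn=False):
    """Target of the first rule matching the packet, else the chain policy.
    proto is 'tcp', 'udp' or a protocol number string such as '50' (ESP)."""
    policy, rules = parse(text)
    pkt = {"sport": sport, "dport": dport}
    for r in rules:
        if (r["chain"] != chain or r.get("proto", proto) != proto
                or r.get("iface", iface) != iface or (r["syn"] and not syn)):
            continue
        if any(k in r and (pkt[k] is None or not r[k][0] <= pkt[k] <= r[k][1])
               for k in ("sport", "dport")):
            continue
        return r["target"]
    return policy.get(chain, "ACCEPT")
```

Run against the full file, it shows that UDP 500 arriving on eth1 falls into the `udp 0:1023` REJECT rule, while protocol 50 matches no rule at all and takes the chain policy.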