Security :: How To Set Iptables For IPSec Tunnel?
Jan 7, 2010
I want to setup firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel. And it will accept anything (any protocols) if it's from an IPSec tunnel.
That is, I need also to open up ping to make ping work. But if I open up icmp, I cannot prevent pings from hosts that's outside my IPSec tunnels. This defeats my purpose.So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I setup the iptables rules?
View 3 Replies
ADVERTISEMENT
Feb 17, 2010
I am getting this error when I try to bring up IPSec Tunnel.Starting connection with command /usr/sbin/ipsec auto --up 'paycode-to-vivacom' ..
104 "paycode-to-vivacom" #7: STATE_MAIN_I1: initiate
003 "paycode-to-vivacom" #7: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "paycode-to-vivacom" #7: ignoring Vendor ID payload [FRAGMENTATION c0000000]
[code]....
View 3 Replies
View Related
Jun 22, 2011
While I successfully configured an IPsec-VPN (I use a similar tho modified setup like this:[URL].. I am now stuck on the next steps. While I can connect to everything I want, I need to configure "access-groups" and/or "users".
The scenario is similar to this: Lets say Host A, B and C allow SSH-Connections and some weird non-standard UDP-Connection from Host-VPN, and are also accessible on other ports with public IP's (like http).
I now want to limit, that an admin-user has access to all of them, while trainee-admin only can access everything on Host B and C, and CEO only can connect via telnet to Host C - and all users can be roadwarriors
(I made this example up to give you an idea what i'm trying to do - hope it makes sense). Now my question is, if someone can point me towards a direction, as I'm quite clueless at the current moment as to what to try. I know that commercial IPsec-Implementations can do this, but can OpenSWAN/... give me something similar?
View 1 Replies
View Related
Jun 4, 2010
I had configured IPSEC/L2Tp on my Centos 5.4 gateway machine .For testing i had disabled firewall and Ipsec is working fine.I am able to connect from client etc...Now i want to allow Ipsec and l2tp throught Firewall.here is my Current Working Firewall.Only Openvpn is allowed and is Redirected.
eth0=XXXSTATICIPXXX
eth1=192.168.1.81
OpenVpn IP Range = 172.24.0.16/4
Ipsec Ip Range = 192.168.1.0/24
[Code].....
View 2 Replies
View Related
Feb 27, 2011
I have a Ubuntu 10.10 box which i've developed an IPTables Firewall script and is forwarding my ports correctly. This service also runs Openswan VPN Server with 2 VPN's, which is also working well.
I have come across a small snag with excluding the multiple VPN subnets I have from the NAT on this box.
I have the line in my configuration file:
-A POSTROUTING -o eth1 -s 10.172.1.0/24 -d ! 192.168.5.0/24 -j MASQUERADE
Which when added to IPTables does make the VPN come to life. But I can't seem to get it to add the second subnet. Unfortunately, I can't do a blanket exclusion such as 192.168.0.0/16 because the second VPN is on a Class B subnet address which I cannot change.
View 1 Replies
View Related
Oct 6, 2010
I've been running a DebLenny system on the network which acts as the local gateway. It has 2 network cards and traffic is directed as follows:
Code:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
However, I'd now like to put all the outgoing traffic through a remote system which will further handle the outgoing data (Squid, etc) via the PPPTP device. What would be the most efficient way by which I could achieve this?
View 1 Replies
View Related
Nov 3, 2010
I've set up two security associations(in and out) on two hosts, and then set up two policies per host that should filter traffic to those SA's. Yet when I try to ping one host from the other I get no response, meaning that the filters on one side work and drop unprotected packets, but both hosts are configured to communicate using ipsec. Can anyone point me in the right direction?
Code:
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)"
[code]...
View 1 Replies
View Related
Aug 6, 2010
As part of the project I'm working on, I need to set up a server with IPSec authentication only connections to a large number of low bandwidth clients. I'm making use of the PF_KEY interface to populate the keys on the server and while prototyping things I've found that the initial setup is taking longer than I had expected. At the start of my test, entries are being added to the database at a rate of around 30/second, but as time goes on this is dropping significantly. I ran a test up to around 100k entries and by then the rate had dropped to 10/second. It's key to me that if I reboot my server that the Security Associations can be repopulated in a very short period, so I do genuinely need this to be much faster.
Two questions:
1) Does anyone have any experience of running with a large number of SAs set up, and if so what sort of setup rate did you get?
2) Are there things I can do to speed up the provisioning of these SAs? I'd really like to see a rate in the thousands per second.
We've been doing the prototyping on the 2.6 kernel.
View 1 Replies
View Related
Jun 25, 2011
I have been trying to setup IPSEC encryption between two linux boxes. I have a server application which runs on Linux Box A and a client application which runs on Linux Box B. The client sends the data to server. I have captured wireshark logs at both server and client end. In the wireshark logs I can see that the Box B send ESP packets to the Box A.
But the server Application running at Box A is is not able to get any packets. If I turn the policy off at Box B, Box B sends normal UDP data packets to Box A, but still the Server Application running at box A doesn't get any packets.( Expected behavior since policy at Box A enforces that all packets coming from Box B should be encrypted.)
If I turn the policy off at Box A and Box B both, the server application receives the unencrypted data which is also expected behavior. But when the policy is turned on at both the boxes the encrypted packets reach the Box A but are not delivered to the server application. If anyone has faced such issue please help me to debug this issue. I have attached the ifconfig and policy settings at Box A and Box B for your reference.
View 2 Replies
View Related
Feb 25, 2009
How can I track IPsec module's operations? Can I find such a log file or entries in Linux?
View 1 Replies
View Related
Jun 15, 2011
I have set up a Ubuntu 10.10 server. I have been using ssh tunnels to encrypt my web traffic at public wifi. I am trying to make this server as secure as posible so I enabled ufw. I allowed SSH and HTTP traffic in and denied everything else. But when I do that I can not use SSH -D because when I try to visit a webpage it does not load and I get the following.
Code:
uname@mybox:~$ channel 3: open failed: connect failed: Connection timed out
^C
uname@mybox:~$ fclchannel 4: open failed: connect failed: Connection timed out
^C
uname@mybox:~$ exit
logout
What do I have to do to allow ufw to allow ssh tunnels through?
View 4 Replies
View Related
Dec 16, 2010
I have an SSH tunnel setup between a local server and a remote postfix relay VPS. This is so we can route all our outgoing mail through this SSH tunnel to a private relay VPS, this seems to give us much more consistent mail delivery than using our ISP's relay. So the SSH tunnel is set to route port 1025 on machine A to port 25 on the VPS This part of it is working perfectly and has been for months. However today I wanted to set our e-mail newsletter software (on the same network as the SSH tunnel start-point) to send through the SSH tunnel. So I punched in the IP/port... 192.168.1.5:1025 but it doesn't work. Is there something I need to do to allow connections from other machines on the LAN to access the start-point of the SSH tunnel? Or are SSH tunnels restricted to localhost connections only?
View 6 Replies
View Related
Feb 18, 2011
I have an sshd server up and running (F13 64bit) I'd like to connect to a pc that's behind a firewall using ssh tunnelling, so I have something like
ssh -R 1234:127.0.0.1:22 myuser@mypc
then from mypc I can succesfully login to the remote pc. I have just une question. How can I list the ssh active connections and the forwarded ports ?
I've only got to
netstat -tunva
but this returns only (filtered)
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 ::ffff:172.16.0.XXX:22 ::ffff:172.16.1.XXX:60744 ESTABLISHED
Now I know that the first is the tunnel end but how can I connect the two lines if I don't know the port number (ie: someone else estabilieshes another tunnel)
View 4 Replies
View Related
May 12, 2010
I have an ssh tunnel with my ubuntu (vps) server. On my local computer I have proxifier, to redirect everything with socks5.
Everything works fine, I can browse websites and that. Email also works.
But when I want to visit a website that uses https it doesn't work. I do not get to see the website, or receive an internal server error.
View 7 Replies
View Related
Mar 1, 2010
I'm using Postgresql 8.4.2-2. I'm trying to remote into my server securely. I figure I could do so with ssh. Apparently I figured correctly, as per, [URL] and [URL] I setup the ssh tunnel. ssh -L 5432:serverip:5432 Then I setup pgadmin3 to connect as follows:
host: localhost
port: 5432
user: postgres
maintenance db: postgres
And I receive the following error:
An error has occurred: Quote: An error has occurred: Error connecting to the server: server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request.
I'm not sure what the problem is. I can connect with Code: psql from the cli after connecting to the terminal via ssh. So I know that I'm using the correct password.
View 3 Replies
View Related
Mar 7, 2011
I need to have a group of computers that connect to a remote site and run lynx to view some php pages that interface with mysql (that's a mouthful)For version control, I would like to keep only one central copy of the web files.
Personal data is sent, so rather than setup https server or SSL mysql encryption, I decided to create a "tunnel" to a Terminal Server using SSH.
I flirted with the idea of setting up VPN tunnels between the clients and a DMZ network but I don't want to add a bunch of complexity.
I just wanted to make sure that I wasn't creating a gaping security hole.
View 2 Replies
View Related
Feb 1, 2009
I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching-nameserver and this is working.
Then I wanted to secure my server with iptables, and I have so far made this script:
# Load the connection tracker kernel module
modprobe ip_conntrack
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
[Code]....
I can reach the dns server with ping. When trying Nslookup it says that it got SERVFAIL from 127.0.0.1 trying next server, and then it times out.
My resolv.conf file lists:
nameserver 127.0.0.1
nameserver DNS-server
View 13 Replies
View Related
Dec 14, 2009
Im pulling my hair out trying to get ftp to work through iptables.Im using vsftpd
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
View 3 Replies
View Related
Feb 25, 2010
I have a problem with iptables, when I execute
[code]....
View 5 Replies
View Related
Apr 4, 2010
I am trying to figure out how I can configure IPtables to only allow VNC traffic to an internal server over SSH.
My configuration is WAN < --- > Gateway (Ubuntu 9.10 Server) < --- > Internal Server (that I want to control with VNC over SSH)
View 12 Replies
View Related
Dec 5, 2010
I am using Fedora on my desktop pc. I want to know how can i protact my PC from outside world. What firewall policy should i implement in iptables to keep it more secure.
View 5 Replies
View Related
Jan 5, 2010
I'm following an openvpn installtion how to and it says to add this to the iptables:
Quote:
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
[Code]....
Any thoughts as the whole formatting is separate and has the addition of FORWARD rules, etc. I need the VPN running on the .199 address
View 16 Replies
View Related
Jun 3, 2010
i set up a dmz to have a internet web server and ftp server, and ssh only from local network, so i wrote a iptables script to load during boot :
[Code]...
The problem is that everything works fine ( i have the same rules for other services such as samba, nfs, mysql on another server) BUT ftp there is no way to make it work. not even locally.when i try to connect, i log in, but while listing the directory i get MLSD ... and it hangs like this for a moment, then i get error message "connection time out" , "impossible to list directory". if i turn off the iptables script no problem,ftp works fine.. but why all services work and ftp no?
how do i have to modify the rules? what is strange also is that if i set as OUTPUT policy "accept", the server seems to be offline."host unknown" error message. I was thinking the rule INPUT is fine cause at least i can login, but the dir list is not going out, so gotta modify output rules. or state?
View 7 Replies
View Related
Mar 19, 2010
I've started a new job and have inherited a couple of RHEL4 64-bit servers. The firewall on them is currently disabled. I'm struggling to get them up and running as iptables is not the most user-friendly application. This lead me to downloading and trying a GUI front-end: Guarddog. Great app! But it doesn't have the default behavior I'm looking for. Here is what I need:
Default behavior: Firewall should be wide open, allowing ALL ports/IP's/TCP/UDP in and out of the server.
Blacklist: Oracle TCP port 1521 needs to be blocked in/out of the server.
This will help get us passed our company's security vulnerability scan. (We aren't able to patch/upgrade Oracle at this time because we'd lose vedor support with a legacy app). I will use these settings as a starting point, and then once I learn more and get more comfortable with iptables (or a GUI app) then I can fine tune things to make them more secure. As far as I know (correct me if I'm wrong) once I get a script I just copy it into /etc/rc.firewall and it will load when iptables starts.
View 14 Replies
View Related
Mar 6, 2010
Is this how I would do that?
iptables -A INPUT -p tcp --destination-port 21 -d ! 168.192.1.2 -j DROP
This should block all incoming connections on port 21 from 192.168.1.2, correct? Thus preventing that IP from logging into my FTP.
View 1 Replies
View Related
Mar 17, 2009
What i wanted to do was block everything from getting in my pc but still be able to surf the web and still use instant messenger.
View 2 Replies
View Related
Jan 14, 2010
i ran this
Code:
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit
i am no longer able to ssh in to the machine , how can i reset iptables and firestarted back to default?
View 3 Replies
View Related
Jul 24, 2010
i need to open this address ftp.nai.com, is there a way to use address not ip in iptables?
View 7 Replies
View Related
Sep 17, 2010
I've recently moved from Firestarter to UFW/GUFW, and I wonder if someone could confirm if my iptables configuration is secure.
When I enter sudo iptables -L i get:
Code:
View 3 Replies
View Related
Dec 29, 2010
eth1 has connection to the net via gateway ..eth0 on the same machine has users on a intranet and needs access to the internet, i need to allow internet connection and prevent packets which logically originate from the internet getting into the intranet
View 1 Replies
View Related
