To really answer your question, you will need to let these through your
firewall:

AH protocol 51
ESP protocol 50
IKE port 500/udp

acs

On 28-Feb-00 Aaron C. Springer wrote:
> NAT works fine with IPSEC as long as you do your NAT first and then tunnel or
> do your NAT after the tunnel terminates.
> 
> If you are using the Nortel client you won't be able to do any NAT. You will
> have to pass the tunnel through your FW.
> 
> acs
> 
> 
> On 28-Feb-00 RISTO, JONATHAN wrote:
>> Charles,
>> 
>> This information has been helpful in setting up a similar situation that I
>> have, but I have the following question in regards to IPCHAINS and a VPN
>> connection.
>> 
>> At work we connect into a Nortel Networks Contivity box for our VPN. Given
>> that IPSEC generally doesn't like to get NAT'd around, is there a
>> configuration which will allow a VPN to pass through a linux box running
>> IPCHAINS?
>> 
>> Thanks,
>> Jonathan
>> 
>> Tetlow Charles MSgt 12CS/SCBBN wrote:
>> 
>>> Frank,
>>>
>>> Hook your eth0 to your service provider and put one of your "real IPs" on
>>> it so it can talk to the world.  Hook your workstations behind the eth1
>>> using the private network address space like you mentioned - 192.168.x.x.
>>> Be sure that the workstations are addressed in the same network space as
>>> the eth1 and that their gateway is the eth1 address.  (Typically the eth1
>>> on the Linux box would be 192.168.0.1 and the workstation's gateway would
>>> be the same.)
>>>
>>> Next, setup the Linux box to do Network Address Translation with the IP
>>> Chains configuration:
>>> ipchains -A forward -s 192.168.0.0/16 -d 0/0 -j MASQ
>>> That single line will turn on NAT for everything behind the eth1 with
>>> addresses in your private network address space.
>>>
>>> The only other thing you HAVE to do is ensure forwarding is turned on.
>>> Check the file /proc/sys/net/ipv4/ip_forward.  It should contain the single
>>> character "1".  That sets IP Forwarding to on.  Change it to one if it is
>>> set to zero.  And you should be off and running.
>>>
>>> Now, you don't have ANY protections setup at this point.  You have only got
>>> the box working as a packet forwarding gateway with full Network Address
>>> Translation.  If you want to provide "firewall" protections with that box
>>> also, you have to start implementing IP Chains rules to protect yourself.
>>> And of course, be sure that all non-essential services are turned off on
>>> that box.
>>>
>> 


_______________________
Aaron C. Springer
[EMAIL PROTECTED]
pgp key published
_______________________
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
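As an added example, not code from the thread or from Nortel, here is how the pieces discussed above fit into one ipchains script on the Linux box: Charles' MASQ one-liner and the ip_forward step, plus the forward-chain holes for IKE (500/udp), ESP (protocol 50) and AH (protocol 51) listed in the reply. The interface layout, the addresses (203.0.113.10 for the machine running the Nortel client, 198.51.100.1 for the Contivity box) and the print/apply switch are assumptions. Since ipchains masquerading only rewrites TCP, UDP and ICMP, ESP and AH cannot be MASQ'd; the VPN host is therefore assumed to hold a routable address and is passed through the firewall without NAT, as Aaron describes.

```shell
#!/bin/sh
# Added example, not from the thread: an ipchains ruleset for the setup the
# thread describes (Linux box masquerading a 192.168.x.x LAN, with one host
# running the Nortel client whose IPsec tunnel must pass through un-NAT'd).
# Interface layout, addresses and the "print"/"apply" modes are assumptions.
set -e

LAN_NET="${LAN_NET:-192.168.0.0/16}"   # masqueraded LAN behind eth1
VPN_HOST="${VPN_HOST:-203.0.113.10}"   # assumed: the Nortel client machine, on a
                                       # routable address (ipchains MASQ only
                                       # rewrites TCP/UDP/ICMP, so ESP and AH
                                       # cannot be masqueraded)
VPN_GW="${VPN_GW:-198.51.100.1}"       # assumed: the Contivity box

# "print" (default) echoes each command for review on any machine;
# "apply" (first argument) actually executes it on the firewall.
MODE="${1:-print}"

run() {
    if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi
}

enable_forwarding() {
    # Same effect as writing "1" into /proc/sys/net/ipv4/ip_forward.
    run sysctl -w net.ipv4.ip_forward=1
}

ipsec_passthru_rules() {
    # In ipchains a forwarded packet traverses input, forward and output.
    # This script filters in the forward chain only and leaves input/output
    # at their default ACCEPT policy. Rules are first-match, so the ACCEPTs
    # for the tunnel must come before the catch-all MASQ rule.
    run ipchains -F forward
    run ipchains -P forward DENY
    # IKE: UDP 500 <-> 500 between the client and the gateway, both directions.
    run ipchains -A forward -p udp -s "$VPN_HOST" 500 -d "$VPN_GW" 500 -j ACCEPT
    run ipchains -A forward -p udp -s "$VPN_GW" 500 -d "$VPN_HOST" 500 -j ACCEPT
    # ESP (50) and AH (51) carry no ports; match on the IP protocol number.
    for proto in 50 51; do
        run ipchains -A forward -p "$proto" -s "$VPN_HOST" -d "$VPN_GW" -j ACCEPT
        run ipchains -A forward -p "$proto" -s "$VPN_GW" -d "$VPN_HOST" -j ACCEPT
    done
    # Everything else coming from the private LAN is masqueraded, exactly
    # Charles' one-liner. The VPN host is not in LAN_NET, so it never hits it.
    run ipchains -A forward -s "$LAN_NET" -d 0/0 -j MASQ
}

enable_forwarding
ipsec_passthru_rules
```

Run it without arguments to see the commands it would issue; run it as `sh ipsec-passthru.sh apply` on the firewall to load them. If you also tighten the input or output chains, the same IKE/ESP/AH matches have to be repeated there, because a forwarded packet passes through all three chains under ipchains.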
