Hello,
I'm trying to allow ISAKMP through my Linux box, which does NAT for a
Windows network. I am reading the VPN-Masquerade-HOWTO and did
everything it suggests, but it still does not work. One thing I
could not find on my RedHat 7.0 box was the "ip_masq_ipsec" module. Where
is that module? Do I need it?
Situation:
------------
Internet ---> RH 7 box (216.x.y.z) NAT'ing:
\
\-------> Windows A 192.168.1.101/32
\-------> Windows B 192.168.1.102/32
\-------> Windows C 192.168.1.103/32
"Windows C" used to be directly connected to the internet, and could
easily VPN into their employer's network (Hewlett Packard). Since I
set up a Linux Masq box, the VPN has stopped working. I have been
given the following information by HP technical support:
------------------------------
"ISAKAMP type connection uses a Nortel Contivity box on HP end"
"Need NetBui protocol for printers"
"UDP Port 500"
"IP protocol 50 and 51"
------------------------------
Here is my rc.firewall script [x,y,z inserted to protect innocent
public ip addresses]...
Tell me if I'm wrong, but I think my firewall script pretty much just
Masquerades all traffic (yah, it's not much of a firewall, I know).
If so, then shouldn't the VPN work? If not, then what 'ipmasqadm
portfw' commands should I use?
Thanks!!!
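echo "Starting firm (firewall and internet router management)... "
# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
# (In the posted copy the long separator comments were wrapped by the
# mailer, leaving bare "--------" lines that the shell tried to run as
# commands; they are folded back into the comments here.)
LOCAL_INTERFACE_1="eth1"        # internal LAN interface
EXTERNAL_INTERFACE="eth0"       # Internet connected interface
LOOPBACK_INTERFACE="lo"         # or your local naming convention
# x.y.z is a placeholder from the mailing-list post; put the real external
# address here. NOTE: the diagram in the post shows this box as 216.x.y.z,
# so double-check that IPADDR really is the address on $EXTERNAL_INTERFACE —
# the anti-spoofing rule below uses it to drop packets "from ourselves".
IPADDR="65.x.y.z"               # your external interface IP address
LOCALNET_1="192.168.1.0/24"     # whatever private range you use
# ----------------------------------------------------------------------------
ANYWHERE="any/0"                     # match any IP address
LOOPBACK="127.0.0.0/8"               # reserved loopback address range
CLASS_A="10.0.0.0/8"                 # class A private networks
CLASS_B="172.16.0.0/12"              # class B private networks
CLASS_C="192.168.0.0/16"             # class C private networks (LOCALNET_1 lies inside this)
CLASS_D_MULTICAST="224.0.0.0/4"      # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"   # class E reserved addresses
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address
PRIVPORTS="0:1023"                   # well known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range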
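# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
#
# Set the forward policy to DENY *before* flushing: if a previous run (or the
# distribution default) left the forward chain at ACCEPT and ip_forward is
# already on, flushing first would briefly forward everything with no rules.
ipchains -P forward DENY
# Remove all existing rules belonging to this filter.
# Only the forward policy is changed; input and output keep their default
# policy (ACCEPT), so anything not explicitly DENYed later is allowed
# in and out of this host itself.
ipchains -F
# Masquerade timeouts: 36000 s (10 h) for established TCP sessions. The two
# trailing zeros leave the TCP-FIN and UDP timeouts at their current values.
ipchains -M -S 36000 0 0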
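# ----------------------------------------------------------------------------
# Kernel network settings, written straight into /proc/sys/net/ipv4.
# Paths are quoted so a glob that matches nothing cannot be split oddly.
# Enable IP Forwarding, if it isn't already
# (done after the forward policy is DENY, so nothing is forwarded unfiltered)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
# (reassembles fragments before the chains see them; generally wanted
# on a masquerading box so rules match on whole packets)
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# set_conf NAME VALUE
#   Write VALUE into /proc/sys/net/ipv4/conf/*/NAME for every interface
#   directory present (including the "all" and "default" pseudo-entries).
#   A write that fails is reported by the shell but does not stop the script.
set_conf() {
  local f
  for f in /proc/sys/net/ipv4/conf/*/"$1"; do
    echo "$2" > "$f"
  done
}

# Enable IP spoofing protection: turn on Source Address Verification
set_conf rp_filter 1
# Disable ICMP Redirect Acceptance (and don't send redirects either)
set_conf accept_redirects 0
set_conf send_redirects 0
# Disable Source Routed Packets
set_conf accept_source_route 0
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
set_conf log_martians 1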
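# These modules are necessary to masquerade their respective services.
# A module that is not installed makes modprobe print an error here; at boot
# that message scrolls past unnoticed, so check for it when a service that
# needs a helper (ftp, irc, pptp, ...) does not work through the box.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_autofw
/sbin/modprobe ip_masq_pptp
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_vdolive
# ----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
#
# About the IPsec/ISAKMP VPN: plain MASQ rewrites TCP, UDP and ICMP. ISAKMP
# (UDP 500) therefore passes through this rule, but ESP (IP protocol 50) and
# AH (IP protocol 51) are neither TCP nor UDP and are NOT masqueraded by it.
# The ip_masq_ipsec helper described in the VPN-Masquerade-HOWTO is, as far
# as I know, provided by the VPN masquerade kernel patch that HOWTO points
# to rather than by the stock Red Hat 7.0 kernel, which is why it cannot be
# found here; the patch has to be applied before protocol 50 can be passed.
# AH (51) authenticates the IP header itself and cannot survive address
# rewriting at all, so a NATed client can only work with ESP.
ipchains -A forward -i "$EXTERNAL_INTERFACE" -s "$LOCALNET_1" -j MASQ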
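# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# This file is sourced, i.e. executed as root with full shell privileges,
# not merely parsed as an address list: keep it owned by root and not
# writable by anyone else, and only put ipchains rules in it.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
  . /etc/rc.d/rc.firewall.blocked
fi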
# --------------------------------------------------------------------
--------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external
address.
ipchains -A input -s $IPADDR -j DENY -l
# Refuse incoming packets claiming to be from a Class A, B or C
private network
ipchains -A input -s $CLASS_A -j DENY
ipchains -A input -s $CLASS_B -j DENY
#ipchains -A input -s $CLASS_C -j DENY
# Refuse broadcast address SOURCE packets
ipchains -A input -s $BROADCAST_DEST -j DENY -l
ipchains -A input -d $BROADCAST_SRC -j DENY -l
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -s $CLASS_D_MULTICAST -j DENY
# Refuse Class E reserved IP addresses
ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l
# Refuse addresses defined as reserved by the IANA.
# Note: this list includes the loopback, multicast, & reserved
addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
# 49-50.*.*.*, 58-60.*.*.*
# 67-127.*.*.*
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 197.*.*.*, 217-255.*.*.*
ipchains -A input -s 0.0.0.0/8 -j DENY -l
ipchains -A input -s 1.0.0.0/8 -j DENY -l
ipchains -A input -s 2.0.0.0/8 -j DENY -l
ipchains -A input -s 5.0.0.0/8 -j DENY -l
ipchains -A input -s 7.0.0.0/8 -j DENY -l
ipchains -A input -s 23.0.0.0/8 -j DENY -l
ipchains -A input -s 27.0.0.0/8 -j DENY -l
ipchains -A input -s 31.0.0.0/8 -j DENY -l
ipchains -A input -s 36.0.0.0/8 -j DENY -l
ipchains -A input -s 37.0.0.0/8 -j DENY -l
ipchains -A input -s 39.0.0.0/8 -j DENY -l
ipchains -A input -s 41.0.0.0/8 -j DENY -l
ipchains -A input -s 42.0.0.0/8 -j DENY -l
ipchains -A input -s 49.0.0.0/8 -j DENY -l
ipchains -A input -s 50.0.0.0/8 -j DENY -l
ipchains -A input -s 58.0.0.0/7 -j DENY -l
ipchains -A input -s 60.0.0.0/8 -j DENY -l
ipchains -A input -s 67.0.0.0/8 -j DENY -l
ipchains -A input -s 68.0.0.0/6 -j DENY -l
ipchains -A input -s 72.0.0.0/5 -j DENY -l
ipchains -A input -s 80.0.0.0/4 -j DENY -l
ipchains -A input -s 96.0.0.0/3 -j DENY -l
ipchains -A input -s 169.254.0.0/16 -j DENY -l
ipchains -A input -s 192.0.2.0/24 -j DENY -l
ipchains -A input -s 197.0.0.0/8 -j DENY -l
ipchains -A input -s 217.0.0.0/8 -j DENY -l
ipchains -A input -s 218.0.0.0/7 -j DENY -l
ipchains -A input -s 220.0.0.0/6 -j DENY -l
ipchains -A input -s 224.0.0.0/3 -j DENY -l
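# ----------------------------------------------------------------------------
# Port redirection (ipmasqadm portfw).
# printf replaces echo "\t...": bash's builtin echo does not interpret "\t"
# unless given -e, so the original printed a literal backslash-t.
printf '\tRunning port redirection...\n'
# Flush the portfw table: not redirecting anything right now.
# Note for the VPN question: portfw only maps TCP/UDP ports, so it can hand
# inbound UDP 500 (ISAKMP) to ONE internal host, e.g.
#   ipmasqadm portfw -a -P udp -L <IPADDR> 500 -R <lan-host> 500   (placeholders)
# but it cannot carry ESP/AH (IP protocol 50/51) — those need the IPsec
# masquerade helper, not a port redirect. A client that initiates the
# connection itself normally does not need an inbound portfw entry at all.
ipmasqadm portfw -f
printf '\t...Done running port redirection\n'
printf '\tDone enabling port fowarding\n'
echo "...Done"
exit 0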