VPN iptables rules

Hi,

I've been following this guide on setting up a VPN, which is nearly working.

http://wiki.nikoforge.org/L2TP/IPSec_VPN_Setup_on_Centos_6_(64-bit)_for_use_with_Android_ICS_and_iOS_5_Clients#Firewall.2FRouter_Configuration

The only issue I'm having is that if I disable iptables, I can connect, but any sites I request on my iPad don't get forwarded out to the Internet.

If I turn on iptables, I can't connect at all. I haven't set up any port forwarding, which I believe I need to do.

Could someone give me some pointers on what my iptables rules should look like?

The site above says I need to forward the following ports:

| Port | Protocol | Description |
| --- | --- | --- |
| 500 | UDP | L2TP IKE |
| 4500 | UDP | L2TP NAT-T |
| 1701 | UDP | L2TP Traffic |

```text
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   38  3582 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             loopback/8           reject-with icmp-port-unreachable
  333 25029 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:isakmp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ipsec-nat-t
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:l2tp
    9   540 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
   18  5422 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  400 74181 ACCEPT     all  --  any    any     anywhere             anywhere
```

Thanks!

2 Replies

You'll want to allow UDP ports 500, 1701, and 4500 instead of the TCP ports.

The sole REJECT rule in the FORWARD chain is most likely going to be a problem, as well.
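The two points in the reply above (IKE, NAT-T and L2TP are UDP, and the FORWARD chain needs rules rather than a blanket REJECT) can be written down as a complete ruleset. The script below is an added example for this thread, not code from the linked guide or from either poster. It renders an iptables-restore file for an L2TP/IPsec server and assumes a layout the thread does not state: the Internet-facing interface is `eth0`, pppd creates a `ppp+` interface per L2TP session, and the server masquerades client traffic out of `eth0` (the usual "VPN client browses through the server" setup). It also adds two things the reply does not mention but a practitioner would want: plain ESP (IP protocol 50) for clients that are not behind NAT and therefore never switch to NAT-T, and an `-m policy` match so that UDP 1701 is only accepted when it arrived inside the IPsec tunnel rather than as bare, unencrypted L2TP.

```shell
#!/bin/sh
# Added example (not from the thread or the guide): render an iptables-restore
# ruleset for an L2TP/IPsec VPN server.
# Assumptions: WAN interface eth0, pppd uses ppp+ for client links, and the
# server NATs client traffic out of the WAN interface.

render_vpn_rules() {
    wan="${1:-eth0}"      # interface facing the Internet (assumed)
    vpn_if="${2:-ppp+}"   # pppd creates ppp0, ppp1, ... per L2TP session
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade VPN client traffic that leaves via the WAN interface
-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# IKE and NAT-T are UDP, not TCP (the original ruleset had them as tcp)
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
# Plain ESP for clients that are not behind NAT (NAT-T wraps ESP in UDP 4500)
-A INPUT -p esp -j ACCEPT
# Accept L2TP only when it was carried inside the IPsec tunnel
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Forward only between the ppp links and the WAN; everything else is rejected
-A FORWARD -i ${vpn_if} -o ${wan} -j ACCEPT
-A FORWARD -i ${wan} -o ${vpn_if} -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Usage on CentOS 6: render_vpn_rules eth0 > /etc/sysconfig/iptables
#                    service iptables restart
```

Forwarding also needs `net.ipv4.ip_forward = 1` in `/etc/sysctl.conf` (or `sysctl -w net.ipv4.ip_forward=1` to apply it immediately); with it off, clients connect but nothing they send is routed onward, regardless of the FORWARD chain. An empty FORWARD chain with policy ACCEPT, as in the second ruleset in this thread, forwards everything once the sysctl is on, which is more permissive than the two FORWARD rules here.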

Thanks - I can now connect with iptables running, but I still can't get out externally on my iPad.

```text
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:l2tp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ipsec-nat-t
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
```

This is what I see in /var/log/messages:

```text
Sep  2 16:43:57 server pppd[19239]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Sep  2 16:43:57 server racoon: INFO: 192.168.0.50[500] used for NAT-T
Sep  2 16:43:57 server racoon: INFO: 192.168.0.50[500] used as isakmp port (fd=21)
Sep  2 16:43:57 server racoon: INFO: 192.168.0.50[4500] used for NAT-T
Sep  2 16:43:57 server racoon: INFO: 192.168.0.50[4500] used as isakmp port (fd=22)
Sep  2 16:43:57 server pppd[19239]: Cannot determine ethernet address for proxy ARP
Sep  2 16:43:57 server pppd[19239]: local IP address 192.168.0.50
Sep  2 16:43:57 server pppd[19239]: remote IP address 192.168.0.99
```
