ipchains rules for this config...

Post by Paul D. Smit » Thu, 27 Jul 2000 04:00:00



So, I have a pretty strict ipchains set in place.

Now, I need an extra hole drilled and nothing I've tried seems to work!
I have a VPN client I'm trying to use, and it has this requirement (from
their FAQ):

Q:  I can ping the server address from the internet but get the message:
    "Remote Host Not Responding" when using the client.

A:  Most of the time this is because your ISP is blocking one of the
    following ports or protocols:

    UDP port 500
    Protocol types 50, and 51

OK I'm pretty sure my ISP isn't blocking these, but rather my firewall
is.  Say that the VPN server IP address is 9.9.9.9 and my local
interface IP address is 1.1.1.1, what ipchains rules would I need to
allow the above connection to go through?

I tried, for example:

    ipchains -A output -i eth0 -p udp \
             -s 1.1.1.1 \
             -d 9.9.9.9 500 -j ACCEPT

    ipchains -A input  -i eth0 -p udp \
             -s 9.9.9.9 500 \
             -d 1.1.1.1 -j ACCEPT

But I'm not sure if that's right, or too lenient, or what.

Anyway, it doesn't seem right because I still get a "remote host not
responding" error.

Help?

--
-------------------------------------------------------------------------------

 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
   These are my opinions---Nortel Networks takes no responsibility for them.
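The rule set the quoted FAQ actually calls for, as an added example that is not part of the original post. The FAQ names three things (UDP/500 for IKE, IP protocol 50 for ESP, IP protocol 51 for AH); the rules in the post open only UDP/500, so the key exchange can go through while every ESP packet is still eaten by the strict default policy, which from the client's side looks like a dead server. The addresses and interface are the post's placeholders (9.9.9.9, 1.1.1.1, eth0); IPCHAINS defaults to "echo ipchains" so the set is printed for review and the script runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original posts): the complete ipchains rule set
# for the client described above. The FAQ quoted in the post lists three
# things: UDP/500 (IKE), IP protocol 50 (ESP) and IP protocol 51 (AH). The
# rules in the post open only UDP/500, so IKE can complete while every ESP
# packet is still dropped by the strict default policy.
#
# Assumptions, taken from the post's placeholders: 9.9.9.9 is the VPN server,
# 1.1.1.1 our interface address, eth0 the external interface. IPCHAINS
# defaults to "echo ipchains" so the set is printed for review and the script
# runs unprivileged; set IPCHAINS=ipchains (as root) to apply it.

VPN_SERVER=${VPN_SERVER:-9.9.9.9}
LOCAL_IP=${LOCAL_IP:-1.1.1.1}
EXT_IF=${EXT_IF:-eth0}
IPCHAINS=${IPCHAINS:-echo ipchains}

# Rules for one chain. $1 is input or output; $2/$3 are source and
# destination as seen by that chain.
vpn_rules_for_chain() {
    chain=$1; src=$2; dst=$3
    # IKE: UDP/500 on both ends. Pinning both ports is the tightest form that
    # still works; only if a NAT sits between client and server does the
    # client-side port change, in which case leave the client port off.
    $IPCHAINS -A "$chain" -i "$EXT_IF" -p udp -s "$src" 500 -d "$dst" 500 -j ACCEPT
    # ESP (protocol 50) carries the tunnelled traffic. It has no ports, so the
    # most specific match possible is protocol plus the two addresses.
    $IPCHAINS -A "$chain" -i "$EXT_IF" -p 50 -s "$src" -d "$dst" -j ACCEPT
    # AH (protocol 51), in case the server negotiates it instead of or with ESP.
    $IPCHAINS -A "$chain" -i "$EXT_IF" -p 51 -s "$src" -d "$dst" -j ACCEPT
}

# Outbound: we are the source. Inbound: the server is the source.
vpn_rules() {
    vpn_rules_for_chain output "$LOCAL_IP" "$VPN_SERVER"
    vpn_rules_for_chain input  "$VPN_SERVER" "$LOCAL_IP"
}

vpn_rules
```

If the VPN client is on another host behind this box rather than on the firewall itself, the same matches go in the forward chain instead, but that is where the later mention of ipmasq in this thread becomes the real problem: the 2.2 kernel's masquerading rewrites TCP, UDP and ICMP only. ESP has no port for the masquerade table to track, and AH authenticates the IP header itself, so rewriting the source address breaks it by design. Opening the rules is necessary but cannot make a masqueraded IPsec tunnel work.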

 
 
 

ipchains rules for this config...

Post by Manfred Bart » Thu, 27 Jul 2000 04:00:00



Quote:> So, I have a pretty strict ipchains set in place.

> Now, I need an extra hole drilled and nothing I've tried seems to work!
> I have a VPN client I'm trying to use, and it has this requirement (from
> their FAQ):

> Q:  I can ping the server address from the internet but get the message:
>     "Remote Host Not Responding" when using the client.

> A:  Most of the time this is because your ISP is blocking one of the
>     following ports or protocols:

>     UDP port 500
>     Protocol types 50, and 51

> OK I'm pretty sure my ISP isn't blocking these, but rather my firewall
> is.  Say that the VPN server IP address is 9.9.9.9 and my local
> interface IP address is 1.1.1.1, what ipchains rules would I need to
> allow the above connection to go through?

> I tried, for example:

>     ipchains -A output -i eth0 -p udp \
>              -s 1.1.1.1 \
>              -d 9.9.9.9 500 -j ACCEPT

>     ipchains -A input  -i eth0 -p udp \
>              -s 9.9.9.9 500 \
>              -d 1.1.1.1 -j ACCEPT

> But I'm not sure if that's right, or too lenient, or what.

Just add --log to your firewall rules and read your log files.  If
your ACCEPT-rules get triggered then the packets pass through.
        <http://logi.cc/linux/ipchains-log-format.html>

Quote:> Anyway, it doesn't seem right because I still get a "remote host not
> responding" error.

Use ``tcpdump -i eth0 udp port 500'' to see what is happening.

--
Manfred Bartz
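A way to read the capture Manfred suggests, as an added example that is not from the thread. It widens his filter to `udp port 500 or esp or ah` so the tunnel traffic shows up next to the key exchange, then summarises the lines per protocol and direction, which makes the pattern this thread is circling ("IKE is answered, ESP never comes back") visible at a glance. The sample capture is constructed, in modern `tcpdump -n` output format, using the post's placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the original posts): triage of tcpdump output for the
# symptom in this thread. Capture with the filter widened beyond "udp port 500"
# so that ESP/AH are included:
#     tcpdump -n -l -i eth0 'udp port 500 or esp or ah' | ./triage.sh
# The sample below is constructed in modern "tcpdump -n" format; the addresses
# are the post's placeholders (1.1.1.1 client, 9.9.9.9 server).

LOCAL_IP=${LOCAL_IP:-1.1.1.1}

# Read tcpdump lines on stdin; print one summary line per protocol with
# outbound/inbound packet counts, then a diagnosis. Kinds: IKE (UDP/500,
# decoded by tcpdump as isakmp), ESP (protocol 50), AH (protocol 51).
triage() {
    awk -v lip="$LOCAL_IP" '
    {
        kind = ""; src = ""
        if ($0 ~ /isakmp|\.500 > /) kind = "IKE"
        else if ($0 ~ /ESP\(/)      kind = "ESP"
        else if ($0 ~ /AH\(/)       kind = "AH"
        if (kind == "") next
        # The source is the token before ">"; IKE lines carry a ".port" suffix,
        # ESP/AH lines are plain addresses.
        for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); break }
        if (kind == "IKE") sub(/\.[0-9]+$/, "", src)
        dir = (src == lip) ? "out" : "in"
        count[kind, dir]++
    }
    END {
        n = split("IKE ESP AH", kinds, " ")
        for (k = 1; k <= n; k++) {
            kind = kinds[k]
            printf "%-3s out=%d in=%d\n", kind, count[kind,"out"]+0, count[kind,"in"]+0
        }
        if (count["IKE","out"] && !count["IKE","in"])
            print "DIAG: IKE requests leave but nothing returns: UDP/500 blocked inbound or server unreachable"
        else if (count["ESP","out"] && !count["ESP","in"])
            print "DIAG: IKE completed but ESP is one-way: protocol 50 dropped inbound (firewall rule or masquerading)"
        else if (count["ESP","out"] && count["ESP","in"])
            print "DIAG: IKE and ESP both flow; look at the client, not the firewall"
        else
            print "DIAG: inconclusive capture"
    }'
}

# Constructed sample: a completed IKE exchange followed by ESP that is
# never answered, i.e. the "rules fire but no response" situation.
sample_capture() {
    cat <<'EOF'
12:00:01.000000 IP 1.1.1.1.500 > 9.9.9.9.500: isakmp: phase 1 I ident
12:00:01.050000 IP 9.9.9.9.500 > 1.1.1.1.500: isakmp: phase 1 R ident
12:00:01.100000 IP 1.1.1.1.500 > 9.9.9.9.500: isakmp: phase 1 I ident
12:00:01.150000 IP 9.9.9.9.500 > 1.1.1.1.500: isakmp: phase 1 R ident
12:00:02.000000 IP 1.1.1.1 > 9.9.9.9: ESP(spi=0x0000abcd,seq=0x1), length 116
12:00:03.000000 IP 1.1.1.1 > 9.9.9.9: ESP(spi=0x0000abcd,seq=0x2), length 116
EOF
}

sample_capture | triage
```

The --log counters answer "did my ACCEPT rule match"; the capture answers the question that matters next, which direction and which protocol is missing. A rule set that only opens UDP/500 produces exactly the sample pattern above.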

 
 
 

ipchains rules for this config...

Post by Steve Co » Thu, 27 Jul 2000 04:00:00




> > So, I have a pretty strict ipchains set in place.

> > Now, I need an extra hole drilled and nothing I've tried seems to work!
> > I have a VPN client I'm trying to use, and it has this requirement (from
> > their FAQ):

> > Q:  I can ping the server address from the internet but get the message:
> >     "Remote Host Not Responding" when using the client.

> > A:  Most of the time this is because your ISP is blocking one of the
> >     following ports or protocols:

> >     UDP port 500
> >     Protocol types 50, and 51

> > OK I'm pretty sure my ISP isn't blocking these, but rather my firewall
> > is.  Say that the VPN server IP address is 9.9.9.9 and my local
> > interface IP address is 1.1.1.1, what ipchains rules would I need to
> > allow the above connection to go through?

> > I tried, for example:

> >     ipchains -A output -i eth0 -p udp \
> >              -s 1.1.1.1 \
> >              -d 9.9.9.9 500 -j ACCEPT

> >     ipchains -A input  -i eth0 -p udp \
> >              -s 9.9.9.9 500 \
> >              -d 1.1.1.1 -j ACCEPT

> > But I'm not sure if that's right, or too lenient, or what.

> Just add --log to your firewall rules and read your log files.  If
> your ACCEPT-rules get triggered then the packets pass through.
>         <http://logi.cc/linux/ipchains-log-format.html>

> > Anyway, it doesn't seem right because I still get a "remote host not
> > responding" error.

> Use ``tcpdump -i eth0 udp port 500'' to see what is happening.

> --
> Manfred Bartz

You can also use the ipchains -C option to test any rule
you have set up before firing up the VPN. Will save time
 
 
 

ipchains rules for this config...

Post by Paul D. Smit » Wed, 02 Aug 2000 04:00:00



  mb> Just add --log to your firewall rules and read your log files.  If
  mb> your ACCEPT-rules get triggered then the packets pass through.

Sigh.  The ACCEPT rules are firing, but still no response from the
server.  It probably doesn't grok ipmasq or some such nonsense.

Thanks anyway.

--
-------------------------------------------------------------------------------

 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
   These are my opinions---Nortel Networks takes no responsibility for them.

 
 
 

Converting ipchains rules to iptables rules?

Is there any convenient script available to convert ipchains rules
to iptables rules?

I am migrating my lab server (that runs linux 2.2.19/ipchains) to a
new server that runs linux 2.4.7.  The old server has a list of
ipchains rules that have worked quite well, and I would like the
new server to have these rules as well.  I realize I can use the
2.4.7 ipchains module and the old rules, but I would rather convert
to iptables, even if the conversion will be initially painful.

Thanks!
Ashok
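A first-pass translator for the migration asked about here, as an added example and not something from the thread or the netfilter project. It handles the rule shapes seen on this page (-A/-I/-D/-P/-F with -i, -p, -s/-d plus optional port or range, -y, -l and the ACCEPT/DENY/REJECT/MASQ targets) using the documented ipchains/iptables differences, and passes through anything else. The sample rule file is constructed from the rules in this thread plus a few common shapes. Treat the output as a starting point to review, not a finished firewall: iptables also offers connection tracking that ipchains never had, and stateful rules are a rewrite, not a translation.

```shell
#!/bin/sh
# Added example, not from the original thread: a first-pass ipchains -> iptables
# translator for simple rule files (the -A/-I/-D/-P/-F shapes used above, with
# -i, -p, -s/-d plus optional port or port range, -y, -l and the
# ACCEPT/DENY/REJECT/MASQ targets). It is a migration starting point, not a
# complete converter; anything it does not understand is passed through.
#
# Mappings applied, from the documented ipchains/iptables differences:
#   chain names are upper case (input -> INPUT, ...);
#   "-s addr port" becomes "-s addr --sport port", likewise -d/--dport;
#   "-i" is the input interface on INPUT but the output interface on
#   OUTPUT/FORWARD, so it becomes "-o" there;
#   "-y" becomes "--syn"; DENY becomes DROP;
#   the "-l" log flag has no equivalent and becomes a preceding "-j LOG" rule;
#   MASQ moves to the nat table: "-t nat -A POSTROUTING ... -j MASQUERADE";
#   "-b" (bidirectional) has no equivalent and is flagged for manual review.

convert() {
    awk '
    function map_chain(c) {
        if (c == "input")   return "INPUT"
        if (c == "output")  return "OUTPUT"
        if (c == "forward") return "FORWARD"
        return c                     # user-defined chains keep their name
    }
    /^ *ipchains/ {
        split("", out); n = 0; chain = ""; chain_idx = 0
        target = ""; log_flag = 0; masq = 0; review = ""
        for (i = 2; i <= NF; i++) {
            t = $i
            if (t ~ /^-[AIDPFLZNX]$/) {          # command, optionally a chain
                out[++n] = t
                if (i < NF && $(i+1) !~ /^-/) {
                    chain = map_chain($(++i)); out[++n] = chain; chain_idx = n
                }
            } else if (t == "-s" || t == "-d") {
                out[++n] = t; out[++n] = $(++i)
                # a following non-option token is a port or port range
                if (i < NF && $(i+1) !~ /^-/ && $(i+1) != "!") {
                    out[++n] = (t == "-s") ? "--sport" : "--dport"; out[++n] = $(++i)
                }
            } else if (t == "-i") {
                out[++n] = (chain == "INPUT") ? "-i" : "-o"; out[++n] = $(++i)
            } else if (t == "-y") {
                out[++n] = "--syn"
            } else if (t == "-l") {
                log_flag = 1
            } else if (t == "-b") {
                review = review " -b needs a hand-written reverse rule;"
            } else if (t == "-j") {
                target = $(++i)
                if (target == "DENY") target = "DROP"
                if (target == "MASQ") { target = "MASQUERADE"; masq = 1 }
            } else if (t == "DENY") {            # policy argument: -P input DENY
                out[++n] = "DROP"
            } else {
                out[++n] = t
            }
        }
        base = "iptables"
        if (masq) { base = base " -t nat"; if (chain_idx) out[chain_idx] = "POSTROUTING" }
        for (j = 1; j <= n; j++) base = base " " out[j]
        if (log_flag && target != "") print base " -j LOG"
        if (target != "") base = base " -j " target
        if (review != "") base = base "   # REVIEW:" review
        print base
        next
    }
    { print }                                    # comments and blank lines pass through
    '
}

# Constructed sample input: the rules from the thread plus common shapes.
sample_ipchains() {
    cat <<'EOF'
# constructed sample rule file
ipchains -P input DENY
ipchains -A input -i eth0 -p udp -s 9.9.9.9 500 -d 1.1.1.1 500 -j ACCEPT
ipchains -A output -i eth0 -p udp -s 1.1.1.1 500 -d 9.9.9.9 500 -j ACCEPT
ipchains -A input -i eth0 -p tcp -s 0/0 -d 1.1.1.1 22 -y -l -j ACCEPT
ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ
EOF
}

sample_ipchains | convert
```

Run it as `convert < old-rules.sh > new-rules.sh` and read the result before loading it; the `-l` expansion doubles a rule into a LOG rule plus the original, and the MASQ rewrite silently assumes the rule was an `-A forward` with the outgoing interface in `-i`, which is what ipchains meant by it.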
