Prepare IPtables for the Cisco VPN Client
Hi out there,
installing the Cisco VPN Client 4.8.00 should be no problem (just run “vpninstall” with kernel headers installed). But running it from the notebook in an insecure environment needs a host firewall on the mobile device. I love setting the default policies of a chain to “DROP”!
But the VPN Client communicates via the loopback interface, and with such a ruleset it complains with
The application was unable to communicate with the VPN sub-system.
So use this ruleset for peace:
# Prepare
iptables -t filter -F

# Default Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# VPN-Client needs loopback communication
iptables -t filter -A INPUT -i lo -j ACCEPT

# VPN-Client needs incoming UDP stuff (IKE on 500, NAT-T on 4500)
iptables -t filter -A INPUT -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT

# General usability
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable
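Since the "unable to communicate with the VPN sub-system" error is caused by a missing loopback rule, here is a small check I would keep next to the ruleset. It is an added example, not code from the original post: it reads rules in the format that "iptables -S INPUT" prints and verifies that the loopback, UDP 500/4500 and ESTABLISHED,RELATED accepts are all placed before the final REJECT (or DROP) rule. The function name check_vpn_rules and both sample rulesets are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an INPUT chain, given
# in "iptables -S INPUT" format on stdin, accepts what the Cisco VPN client
# needs before the terminal REJECT/DROP rule. Function name and samples are
# constructed for this example.

# check_vpn_rules: return 0 if every required rule precedes the first
# terminal REJECT/DROP rule, otherwise report what is missing and return 1.
check_vpn_rules() {
  rules=$(cat)
  # Keep only the rules above the first terminal REJECT/DROP rule; anything
  # below it is never reached.
  head=$(printf '%s\n' "$rules" | awk '/-A INPUT .*-j (REJECT|DROP)/ {exit} {print}')
  missing=0
  for want in '-i lo -j ACCEPT' \
              '-p udp .*--dport 500 -j ACCEPT' \
              '-p udp .*--dport 4500 -j ACCEPT' \
              '--state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT'; do
    if ! printf '%s\n' "$head" | grep -Eq -- "$want"; then
      echo "missing before REJECT: $want" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample: what "iptables -S INPUT" prints after the ruleset above
# has been loaded (iptables normalises the state list to RELATED,ESTABLISHED).
GOOD_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: the loopback rule was forgotten, which is exactly the
# case that produces the "unable to communicate with the VPN sub-system" error.
BAD_RULES='-P INPUT DROP
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Usage on a live box (needs root): iptables -S INPUT | check_vpn_rules
```

Note that because the chain ends with an explicit REJECT, the DROP default policy on INPUT is never reached while that rule is present; remove the REJECT line if silently dropping is what you actually want.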
BTW: the VPN Client’s traffic is NATable; there is no need to open special ports if ESTABLISHED,RELATED is accepted already.
Regards
Usn