Prepare IPtables for the Cisco VPN Client

Hi out there,

installing the Cisco VPN Client 4.8.00 should be no problem (just run “vpninstall” with the kernel headers installed). But running it from a notebook in an insecure environment needs a host firewall on the mobile device, and I love setting the default policies of a chain to “DROP”!

But the VPN Client communicates via the loopback interface, and with loopback blocked it complains with

The application was unable to communicate with
the VPN sub-system.

So use this ruleset for peace:

# Prepare: flush the filter table
iptables -t filter -F
# Default Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
# VPN-Client needs loopback communication (otherwise: "unable to communicate with the VPN sub-system")
iptables -t filter -A INPUT -i lo -j ACCEPT
# VPN-Client needs incoming UDP stuff: IKE (500) and NAT-T (4500)
iptables -t filter -A INPUT -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
# General usability: accept replies to our own connections; must come before the final REJECT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable

BTW: the VPN Client’s traffic is NATable, so there is no need to open special ports if ESTABLISHED,RELATED is accepted already.
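As an added example (not part of the original post), here is a small Python check that parses an iptables-save dump of the INPUT chain and reports whether the loopback, IKE (UDP 500), NAT-T (UDP 4500) and ESTABLISHED,RELATED accepts the client needs are actually reachable before the closing REJECT/DROP. The dump embedded in it is constructed from the ruleset above; run it against `iptables-save` output before trusting a DROP-by-default host firewall on the notebook.

```python
# Added example (not from the post): check an iptables-save dump for the rules
# the Cisco VPN Client needs, honouring rule order relative to the final REJECT.
import shlex

# Constructed sample: the post's ruleset as iptables-save would print it.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_chain(dump, chain="INPUT"):
    # Return the rules of one chain, in order, as (options dict, jump target).
    rules = []
    for line in dump.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        toks = shlex.split(line)[2:]
        opts, target, i = {}, None, 0
        while i < len(toks):
            key = toks[i]
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            val = toks[i + 1] if has_val else True
            if key == "-j":
                target = val
            else:
                opts[key] = val
            i += 2 if has_val else 1
        rules.append((opts, target))
    return rules

def vpn_client_check(dump):
    # Map each requirement to True if an ACCEPT for it precedes an unconditional REJECT/DROP.
    needed = {
        "loopback": lambda o: o.get("-i") == "lo",
        "ike_udp_500": lambda o: o.get("-p") == "udp" and o.get("--dport") == "500",
        "natt_udp_4500": lambda o: o.get("-p") == "udp" and o.get("--dport") == "4500",
        "established": lambda o: set(o.get("--state", "").split(",")) >= {"ESTABLISHED", "RELATED"},
    }
    found = dict.fromkeys(needed, False)
    for opts, target in parse_chain(dump):
        if target in ("REJECT", "DROP") and not any(k in opts for k in ("-p", "-i", "-s", "--state")):
            break  # unconditional catch-all: later rules never match
        if target == "ACCEPT":
            for name, match in needed.items():
                found[name] = found[name] or match(opts)
    return found
```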
