I successfully installed SoftEther on CentOS and it works as intended until I apply common iptables rules. Meaning that L2TP works fine without the firewall but not at all with it. I added the tcp rules for port 5555 but I still get no response. The server is also running Apache server. I was wondering if anyone here knows what iptables rules SoftEther requires. There is nothing advanced on my setup
Thanks
iptables rules for Linux
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: iptables rules for Linux
Post your iptables -L output.
SoftEther works just fine on CentOS of out of the box.
-
- Posts: 5
- Joined: Sun Jan 12, 2014 9:03 am
Re: iptables rules for Linux
That's interesting. Below is the output of $ iptables -L
With the firewall inactive I can connect to my vpn from my mac, however when I activate my firewall I get nothing.
Example, on my mac I create a new L2TP vpn with these settings:
Server Address: (ip address of my server)
Account Name: (username@VPN)
In the Authentication Settings I entered my password and the secret
It works fine with the firewall down but not at all with it.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
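The ruleset above already has a LOG rule with the prefix "iptables denied: " just before the final DROP, so the kernel log records exactly which packets the firewall refuses. The following is an added example, not part of the thread: a small POSIX shell/awk summariser that reads that log text on stdin and counts dropped packets per protocol and destination port, so the missing ports can be read off the log instead of guessed. The sample log lines are constructed here (addresses from the documentation ranges, not real hosts) and the hostname "vpn" is made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what an iptables LOG rule with
# prefix "iptables denied: " is dropping. Reads syslog/journal text on stdin and
# prints "<count> <proto> <dport>" lines, busiest first ("-" when no DPT field).
summarize_denied() {
    grep 'iptables denied: ' | awk '
        {
            proto = ""; dpt = ""
            # iptables LOG output is a list of KEY=VALUE tokens; pick the two we need
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (proto != "") {
                key = proto " " (dpt == "" ? "-" : dpt)
                count[key]++
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines (not real logs): a client retrying L2TP/IPsec while
# UDP 500/4500 are still blocked, one unrelated telnet probe, one non-firewall line.
sample_denied_log() {
    cat <<'EOF'
Jan 12 09:10:01 vpn kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=368 PROTO=UDP SPT=500 DPT=500 LEN=348
Jan 12 09:10:03 vpn kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=368 PROTO=UDP SPT=500 DPT=500 LEN=348
Jan 12 09:10:07 vpn kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=368 PROTO=UDP SPT=500 DPT=500 LEN=348
Jan 12 09:10:09 vpn kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=228 PROTO=UDP SPT=4500 DPT=4500 LEN=208
Jan 12 09:10:12 vpn kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=228 PROTO=UDP SPT=4500 DPT=4500 LEN=208
Jan 12 09:11:40 vpn kernel: iptables denied: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=41022 DPT=23 WINDOW=29200 SYN
Jan 12 09:11:41 vpn sshd[1234]: Accepted publickey for admin from 203.0.113.7 port 50122 ssh2
EOF
}

# On a live host: journalctl -k | summarize_denied
#            or: grep kernel: /var/log/messages | summarize_denied
# Demo on the constructed sample: sample_denied_log | summarize_denied
```

On the constructed sample the summary comes out as "3 UDP 500", "2 UDP 4500", "1 TCP 23": the two IPsec ports the client keeps retrying stand out immediately, while the single TCP 23 entry is just background noise the DROP rule is meant to catch.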
-
- Posts: 65
- Joined: Sun Dec 15, 2013 8:34 am
Re: iptables rules for Linux
Hi yoeluk!
You have to add in your firewall access rule:
allow tcp and udp port 1701 from any to your server
This will allow L2TP.
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: iptables rules for Linux
yoeluk wrote:
> There is nothing advanced on my setup
In fact this is not "nothing advanced" and IS your issue.
Chain INPUT (policy ACCEPT)
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
DROP all -- anywhere anywhere
Allow FORWARD chain otherwise VPN connections will not transmit anything. And do not forget about 'ip_forward'.
Good luck.
-
- Posts: 5
- Joined: Sun Jan 12, 2014 9:03 am
Re: iptables rules for Linux
Thanks for your replies!
UkrZilla: the iptables have port 443 open, which SoftEther is listening on, so I think there is no need to open another port
inten: You are right, perhaps this is not basic, however I was hoping that I wouldn't have to accept everything.
By deleting the input and forward DROP and adding these SoftEther works
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
(referenced here: http://www.centos.org/docs/4/html/rhel- ... t-fwd.html)
However, is there another way? It doesn't look terribly safe now :S
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
Re: iptables rules for Linux
Take a look here http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol.
Read this at last http://www.softether.org/3-spec#VPN_Pro ... VPN_Server
-
- Posts: 5
- Joined: Sun Jan 12, 2014 9:03 am
Re: iptables rules for Linux
Thanks for your reply.
I didn't find the wiki page terribly helpful, however the link you gave me led me to this other link
http://www.softether.org/4-docs/2-howto ... VPN_Server
The answer to this question (in case another user needs this set up) is at the bottom of the above link. In short, for SoftEther to operate behind a firewall you need to open udp 500 and udp 4500. To my original secured firewall (with fail2ban active) I added these two rules only and it works just fine.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
Thanks
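The thread ends with two pieces of the answer in different posts: UDP 500 and 4500 on INPUT for the IPsec side of L2TP/IPsec, and a FORWARD chain plus ip_forward for a local-bridge setup, which the poster opened with a blanket accept on eth1. As an added example (not the thread's or SoftEther's own code) the script below prints a complete ruleset that keeps the original default-DROP on INPUT and FORWARD and opens only what the VPN needs, with FORWARD limited to VPN-to-WAN traffic and its replies instead of everything. Interface names are assumptions: eth0 as the internet-facing interface and tap_vpn as the interface SoftEther bridges clients onto; the ESP rule is my addition for clients that are not behind NAT and therefore do not use UDP 4500 encapsulation. The function prints the commands rather than applying them, so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables ruleset for a SoftEther
# L2TP/IPsec server that keeps the poster's default-DROP INPUT/FORWARD policy
# but opens only what the VPN needs. Interface names are assumptions:
# $1 is the internet-facing interface, $2 the tap/bridge interface SoftEther
# puts clients on. Rules are printed, not applied, so they can be reviewed
# (and tested) before being piped into a root shell.
softether_rules() {
    wan_if="${1:-eth0}"      # assumed internet-facing interface
    vpn_if="${2:-tap_vpn}"   # assumed SoftEther local-bridge interface
    cat <<EOF
# kernel must route between interfaces (the thread's 'ip_forward' reminder);
# not needed if SoftEther's SecureNAT does the NAT in user space instead
sysctl -w net.ipv4.ip_forward=1
# --- INPUT: same shape as the original ruleset, DROP stays last ---
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# IPsec: IKE on UDP 500, NAT-T (ESP in UDP) on 4500 -- the fix found in the thread
iptables -A INPUT -i $wan_if -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan_if -p udp --dport 4500 -j ACCEPT
# raw ESP (IP protocol 50): assumption added here, only reached by clients
# that are not behind NAT and so never switch to UDP 4500 encapsulation
iptables -A INPUT -i $wan_if -p esp -j ACCEPT
# UDP 1701 is deliberately NOT opened: L2TP arrives inside IPsec, and opening it
# would accept unencrypted "raw L2TP" sessions as well
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables denied: "
iptables -A INPUT -j DROP
# --- FORWARD: only VPN clients out to the WAN, and replies back in ---
# (replaces 'iptables -A FORWARD -i eth1 -j ACCEPT' / '-o eth1 -j ACCEPT',
#  which forwards anything in either direction; skip this block with SecureNAT)
iptables -A FORWARD -i $vpn_if -o $wan_if -j ACCEPT
iptables -A FORWARD -i $wan_if -o $vpn_if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
# VPN clients leave through the WAN address
iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -o $wan_if -j MASQUERADE
EOF
}

# Review:  PRINT_RULES=1 sh softether_rules.sh eth0 tap_vpn
# Apply:   PRINT_RULES=1 sh softether_rules.sh eth0 tap_vpn | sudo sh
if [ -n "${PRINT_RULES:-}" ]; then
    softether_rules "$@"
fi
```

The FORWARD section only matters when SoftEther is configured with a local bridge onto a tap interface; with SecureNAT the VPN server handles routing and NAT itself and the kernel never forwards client packets, so ip_forward, the FORWARD rules and the MASQUERADE line can be left out. Either way the INPUT side is the same as the thread's conclusion: UDP 500 and 4500 are what an L2TP/IPsec client behind NAT needs, and the final LOG/DROP pair keeps showing anything else that is still being refused.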