
Re: VPN on Kernel 2.4.18



Dave Scott, 2002-Mar-06 02:03 -0800:
>    Question on Kernel 2.4.18 and Netfilter
> 
>    Is there any way to forward GRE packets through Netfilter to a specific
>    Server behind the firewall?
> 
>    Also, can you have multiple GRE connections through the firewall at any
>    given time?
> 
>    -Dave

Dave,

You ought to be able to forward based on the protocol number
(47).  I don't know about the multiple connections.

I'm guessing here:

# DNAT lives in the nat table's PREROUTING chain; -p 47 matches GRE
iptables -t nat -A PREROUTING -i $INETIF -p 47 -j DNAT \
        --to-destination 10.10.10.10

However, consider the security issues:
- you should consider terminating the tunnel at the firewall,
  then letting the firewall handle the packets from there
- GRE has no data encryption, so consider encryption prior to GRE
  encapsulation
  - if not encrypted, anyone can read the data in the packet
- if the MTU and fragmentation settings are not set properly, DoS
  attacks (whether intentional or inadvertent) are possible



-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
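A fuller version of the forwarding setup discussed in the reply, written as an added example rather than anything posted in the thread: it emits the nat-table DNAT rule for protocol 47 plus the matching FORWARD rules that a stateless GRE pass-through still needs. The external interface name (eth0) and the dry-run switch are assumptions; the internal address 10.10.10.10 is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: build the netfilter rules that
# forward GRE (IP protocol 47) arriving on the Internet interface to a single
# internal tunnel endpoint.
INETIF="${INETIF:-eth0}"                 # assumed external interface name
GRE_SERVER="${GRE_SERVER:-10.10.10.10}"  # internal endpoint from the thread
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the rules, 0 = apply them

# Print or execute a command depending on DRY_RUN, so the rule set can be
# reviewed before it touches a live firewall.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

gre_forward_rules() {
    # Destination NAT is done in the nat table's PREROUTING chain with the
    # DNAT target; the filter table has no PREROUTING chain and ACCEPT takes
    # no --to-destination option.
    run iptables -t nat -A PREROUTING -i "$INETIF" -p 47 \
        -j DNAT --to-destination "$GRE_SERVER"
    # A DNATed packet still traverses FORWARD, so permit GRE only to that one
    # host and GRE replies only from it; nothing broader is opened.
    run iptables -A FORWARD -i "$INETIF" -p 47 -d "$GRE_SERVER" -j ACCEPT
    run iptables -A FORWARD -o "$INETIF" -p 47 -s "$GRE_SERVER" -j ACCEPT
    # With no GRE-aware connection tracking every inbound GRE packet lands on
    # GRE_SERVER, so all tunnels share that endpoint, and the payload is only
    # private if it was encrypted before GRE encapsulation, as the reply notes.
}

gre_forward_rules
```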