
RE: VPN on Kernel 2.4.18

Thanks Jeff.

Wow, I thought this was going to be an easy task. :(
Surely there must be thousands of others that have done just this.  

  |---------------------|
|-|----Client(9x,2K)----|
| |---------------------|
| 	    |DSL Modem
| 	    |
| 	    |
| |---------------------|
| |-----Internet--------|
| |---------------------|
|	    |
VPN	    |
|	    |Public IP
| |--------------------------|    Nat   |------------|
| |----Firewall--------------|----------|Workstations|
| |--Debian 2.2 W2.4Kernel---|          |------------|
| |--------------------------|          192.168.0.10-200
|	NAT |192.168.0.1
|	    |
|	    |
| |----------------------------|
| |---Windows NT 4.0 Server----|
|-|---PPTP Installed-----------|
  |----------------------------|
           192.168.0.2

Need up to 6 VPN connections to the NT Server
Is this possible?  Or is there just a better way to go about this?
They don't have any money for Cisco or Hard Firewall.

At first I was going to use 2.2 Kernel because I read if you recompile
the kernel and install ipfwd you can GRE multi connections across, but
now I just read that 2.4 hasn't been configured to allow multi connects
across, but the date of the article is old.
Oh how confusing this is.


Cheers 
-Dave
-----Original Message-----
From: Jeff [mailto:jcoppock1@attbi.com] 
Sent: Wednesday, March 06, 2002 10:14 AM
To: Debian User
Subject: Re: VPN on Kernel 2.4.18

Dave Scott, 2002-Mar-06 02:03 -0800:
>    Question on Kernel 2.4.18 and Netfilter
> 
>    Is there any way to forward GRE packets through Netfilter to a specific
>    Server behind the firewall?
> 
>    Also, can you have multiple GRE connections through the firewall at any
>    given time?
> 
>    -Dave

Dave,

You ought to be able to forward based on the protocol number
(47).  I don't know about the multiple connections.

I'm guessing here:

# --to-destination belongs to the DNAT target in the nat table, not to ACCEPT
iptables -t nat -A PREROUTING -i $INETIF -p 47 -j DNAT \
  --to-destination 10.10.10.10

However, consider the security issues:
- you should consider terminating the tunnel at the firewall,
  then letting the firewall handle the packets from there
- GRE has no data encryption, so consider encryption prior to GRE
  encapsulation
  - if not encrypted, anyone can read the data in the packet
- if the MTU and Fragmentation settings are not set properly, DOS
  attacks (whether intentional or inadvertent) are possible



-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
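A fuller rule set for Dave's layout, added here as an example and not code from Jeff or Dave: it DNATs the PPTP control channel (TCP 1723) and GRE (IP protocol 47) from the public interface to the NT server at 192.168.0.2 in the diagram, and adds the FORWARD rules without which the DNAT'd packets are still dropped. The interface names eth0/eth1 are assumptions; the script prints the rules by default and only applies them when DRY_RUN=0.

```shell
#!/bin/sh
# Added example for the thread above, not code from Jeff or Dave.
# Publishes the PPTP control port (TCP 1723) and GRE (IP protocol 47) from
# the public interface to the NT server at 192.168.0.2 in Dave's diagram.
# Interface names are assumptions; adjust them to the box.
# DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 applies them as root.
INETIF="${INETIF:-eth0}"                    # assumed public-side interface
LANIF="${LANIF:-eth1}"                      # assumed LAN-side interface
PPTP_SERVER="${PPTP_SERVER:-192.168.0.2}"   # NT 4.0 server from the diagram
DRY_RUN="${DRY_RUN:-1}"

# Print or apply one iptables command depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

pptp_forward_rules() {
    # nat table: rewrite the destination of inbound control and GRE packets.
    # --to-destination belongs to the DNAT target, not ACCEPT.
    run -t nat -A PREROUTING -i "$INETIF" -p tcp --dport 1723 -j DNAT --to-destination "$PPTP_SERVER"
    run -t nat -A PREROUTING -i "$INETIF" -p 47 -j DNAT --to-destination "$PPTP_SERVER"
    # filter table: DNAT alone does nothing if FORWARD drops the packets,
    # so accept only the rewritten traffic bound for the server...
    run -A FORWARD -i "$INETIF" -o "$LANIF" -d "$PPTP_SERVER" -p tcp --dport 1723 -j ACCEPT
    run -A FORWARD -i "$INETIF" -o "$LANIF" -d "$PPTP_SERVER" -p 47 -j ACCEPT
    # ...and the server's replies going back out
    run -A FORWARD -i "$LANIF" -o "$INETIF" -s "$PPTP_SERVER" -p tcp --sport 1723 -j ACCEPT
    run -A FORWARD -i "$LANIF" -o "$INETIF" -s "$PPTP_SERVER" -p 47 -j ACCEPT
}

# Number of rules the function emits; only meaningful in dry-run mode
count_rules() {
    pptp_forward_rules | wc -l | tr -d ' '
}

pptp_forward_rules
```

Because every tunnel in the diagram ends at the same server, sending all inbound protocol 47 traffic to 192.168.0.2 is enough; the return packets are matched to their source by the firewall's connection tracking on the IP pair. The case Jeff could not answer, several machines behind the firewall making outbound PPTP connections at once, needs connection tracking that understands GRE call IDs, which these rules do not provide.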