RE: VPN on Kernel 2.4.18
Thanks Jeff.
Wow, I thought this was going to be an easy task. :(
Surely there must be thousands of others that have done just this.
         |---------------------|
    |----|    Client (9x, 2K)  |
    |    |---------------------|
    |         | DSL Modem
    |         |
    |         |
    |    |---------------------|
    |    |      Internet       |
    |    |---------------------|
    |         |
   VPN        | Public IP
    |         |
    |    |--------------------------|   NAT   |--------------|
    |    |         Firewall         |---------| Workstations |
    |    |  Debian 2.2, 2.4 kernel  |         |--------------|
    |    |--------------------------|        192.168.0.10-200
    |    NAT  | 192.168.0.1
    |         |
    |         |
    |    |----------------------------|
    |    |   Windows NT 4.0 Server    |
    |----|      PPTP installed        |
         |----------------------------|
           192.168.0.2
Need up to 6 VPN connections to the NT Server
Is this possible? Or is there just a better way to go about this?
They don't have any money for Cisco or Hard Firewall.
At first I was going to use 2.2 Kernel because I read if you recompile
the kernel and install ipfwd you can GRE multi connections across, but
now I just read that 2.4 hasn't been configured to allow multi connects
across, but the date of the article is old.
Oh how confusing this is.
Cheers
-Dave
-----Original Message-----
From: Jeff [mailto:jcoppock1@attbi.com]
Sent: Wednesday, March 06, 2002 10:14 AM
To: Debian User
Subject: Re: VPN on Kernel 2.4.18
Dave Scott, 2002-Mar-06 02:03 -0800:
> Question on Kernel 2.4.18 and Netfilter
>
> Is there any way to forward GRE packets through Netfilter to a specific
> Server behind the firewall?
>
> Also, can you have multiple GRE connections through the firewall at any
> given time?
>
> -Dave
Dave,
You ought to be able to forward based on the protocol number
(47). I don't know about the multiple connections.
I'm guessing here:
# --to-destination is a DNAT option, and DNAT lives in the nat table
iptables -t nat -A PREROUTING -i $INETIF -p 47 -j DNAT \
--to-destination 10.10.10.10
However, consider the security issues:
- you should consider terminating the tunnel at the firewall,
then letting the firewall handle the packets from there
- GRE has no data encryption, so consider encryption prior to GRE
encapsulation
- if not encrypted, anyone can read the data in the packet
- if the MTU and Fragmentation settings are not set properly, DOS
attacks (whether intentional or inadvertent) are possible
--
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
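The complete rule set the question above needs, as an added example that is not Jeff's or Dave's own configuration: a PPTP server behind netfilter needs both the TCP/1723 control channel and the GRE data channel (IP protocol 47) passed through, and GRE has no ports, so the DNAT has to match on protocol alone. Interface names, the IPT variable and the helper-module names are assumptions; the server address is the NT box from Dave's diagram. With IPT left at its default of echo the script only prints the commands, which is how the rules can be reviewed before they touch a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (IPT=echo, the default) or
# applies (IPT=iptables, as root) the netfilter rules that pass one PPTP
# server through a 2.4 kernel firewall: TCP/1723 plus GRE (IP protocol 47).
# Interface names and the target address are assumptions from the diagram.

IPT="${IPT:-echo}"

# Load the PPTP/GRE conntrack and NAT helpers if this kernel has them (on
# 2.4 they came from netfilter's patch-o-matic, not the stock tree). They
# are what let the firewall tell several GRE tunnels to one server apart.
# Module names are assumptions; check them against your kernel.
load_pptp_helpers() {
    for m in ip_conntrack_proto_gre ip_nat_proto_gre ip_conntrack_pptp ip_nat_pptp; do
        modprobe "$m" 2>/dev/null || echo "helper $m not available" >&2
    done
}

# Print or apply the rules for one VPN server.
#   $1 = external interface, $2 = internal interface, $3 = VPN server address
pptp_forward_rules() {
    inetif="$1"; lanif="$2"; server="$3"

    # Control channel: PPTP negotiates on TCP/1723 before any GRE flows.
    "$IPT" -t nat -A PREROUTING -i "$inetif" -p tcp --dport 1723 \
        -j DNAT --to-destination "$server"
    "$IPT" -A FORWARD -i "$inetif" -o "$lanif" -p tcp -d "$server" --dport 1723 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$lanif" -o "$inetif" -p tcp -s "$server" --sport 1723 \
        -m state --state ESTABLISHED -j ACCEPT

    # Data channel: GRE has no ports, so the DNAT matches on protocol only.
    # Jeff's guess used -j ACCEPT; --to-destination only exists for DNAT.
    # Both directions are accepted explicitly rather than via state matching,
    # because without the helpers above GRE is not tracked per tunnel.
    "$IPT" -t nat -A PREROUTING -i "$inetif" -p 47 -j DNAT --to-destination "$server"
    "$IPT" -A FORWARD -i "$inetif" -o "$lanif" -p 47 -d "$server" -j ACCEPT
    "$IPT" -A FORWARD -i "$lanif" -o "$inetif" -p 47 -s "$server" -j ACCEPT
}

# Only touch kernel modules when actually applying rules.
if [ "$IPT" != echo ]; then
    load_pptp_helpers
fi
pptp_forward_rules "${INETIF:-ppp0}" "${LANIF:-eth0}" "${VPN_SERVER:-192.168.0.2}"
```

Run it once with the default IPT=echo and read the six commands, then rerun with IPT=iptables. Note that these rules only forward the tunnel; as Jeff says, GRE itself carries no encryption, so what protects the data is whatever PPTP negotiates inside it (MPPE on the NT side), and a tunnel that terminates on the firewall instead would let the firewall filter the decapsulated traffic rather than passing an opaque protocol 47 stream straight to the server.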