I successfully installed SoftEther on CentOS and it works as intended until I apply common iptables rules. Meaning that L2TP works fine without the firewall but not at all with it. I added the tcp rules for port 5555 but I still get no response. The server is also running an Apache server. I was wondering if anyone here knows what iptables rules SoftEther requires. There is nothing advanced on my setup
Thanks
iptables rules for Linux
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: iptables rules for Linux
Post your iptables -L output.
SoftEther works just fine on CentOS of out of the box.
When you don't like the answer, change the question.
Cheers,
Team.
VPNHPanel.com
This account is not associated to SoftEther project.
-
- Posts: 5
- Joined: Sun Jan 12, 2014 9:03 am
Re: iptables rules for Linux
That's interesting. Below is the output of $ iptables -L
With the firewall inactive I can connect to my VPN from my Mac; however, when I activate my firewall I get nothing.
Example, on my Mac I create a new L2TP VPN with these settings:
Server Address: (IP address of my server)
Account Name: (username@VPN)
In the Authentication Settings I entered my password and the secret
It works fine with the firewall down but not at all with it.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
-
- Posts: 65
- Joined: Sun Dec 15, 2013 8:34 am
Re: iptables rules for Linux
Hi yoeluk!
You have to add in your firewall access rule:
allow tcp and udp port 1701 from any to your server
This will allow L2TP.
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: iptables rules for Linux
yoeluk wrote:
> There is nothing advanced on my setup
In fact this is not "nothing advanced" and IS your issue.
Chain INPUT (policy ACCEPT)
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
DROP all -- anywhere anywhere
Allow FORWARD chain otherwise VPN connections will not transmit anything. And do not forget about 'ip_forward'.
Good luck.
When you don't like the answer, change the question.
Cheers,
Team.
VPNHPanel.com
This account is not associated to SoftEther project.
-
- Posts: 5
- Joined: Sun Jan 12, 2014 9:03 am
Re: iptables rules for Linux
Thanks for your replies!
UkrZilla: the iptables have port 443 open, which SoftEther is listening on, so I think that there is no need to open another port
inten: You are right, perhaps this is not basic; however, I was hoping that I wouldn't have to accept everything.
By deleting the INPUT and FORWARD DROP rules and adding these, SoftEther works:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
(referenced here: http://www.centos.org/docs/4/html/rhel- ... t-fwd.html)
However, is there another way? It doesn't look terribly safe now :S
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: iptables rules for Linux
Take a look here http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol.
Read this at last http://www.softether.org/3-spec#VPN_Pro ... VPN_Server
When you don't like the answer, change the question.
Cheers,
Team.
VPNHPanel.com
This account is not associated to SoftEther project.
-
- Posts: 5
- Joined: Sun Jan 12, 2014 9:03 am
Re: iptables rules for Linux
Thanks for your reply.
I didn't find the wiki page terribly helpful; however, the link you gave me led me to this other link
http://www.softether.org/4-docs/2-howto ... VPN_Server
The answer to this question (in case another user needs this setup) is at the bottom of the above link. In short, for SoftEther to operate behind a firewall you need to open UDP 500 and UDP 4500. To my original secured firewall (with fail2ban active) I added these two rules only and it works just fine.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
Thanks
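For anyone reconstructing the whole ruleset rather than just the two lines above, here is an added example (not code from the thread or from SoftEther): a small sh function that prints the poster's default-deny INPUT chain with only the two UDP ports the last post found necessary (500 for IKE, 4500 for IPsec NAT-T; L2TP on UDP 1701 travels inside the IPsec tunnel, so it needs no rule of its own). The FORWARD rules and ip_forward from inten's post are emitted only when a VPN-side interface is given, and then limited to that interface instead of accepting everything. The interface names eth0 and tap_vpn are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: prints an iptables ruleset for a
# SoftEther L2TP/IPsec server behind a default-deny INPUT chain.
# Usage: gen_rules WAN_IF [VPN_IF]  -> prints the commands (dry run)
#        gen_rules eth0 | sh        -> applies them (needs root)
gen_rules() {
    wan="$1"        # internet-facing interface, e.g. eth0 (assumed name)
    vpn="${2:-}"    # optional interface bridged to the SoftEther hub (assumed name)
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
# Reject spoofed loopback addresses arriving on a real interface (as in the original output).
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services the poster already exposed: web (SoftEther also listens on 443), SSH, ping.
iptables -A INPUT -i $wan -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $wan -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $wan -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# L2TP/IPsec: IKE and NAT-T, the two rules from the final post.
iptables -A INPUT -i $wan -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 4500 -j ACCEPT
EOF
    # Forwarding is only needed when the hub is bridged to a local interface;
    # allow it for that interface only, plus replies, instead of ACCEPT for everything.
    if [ -n "$vpn" ]; then
        cat <<EOF
iptables -A FORWARD -i $vpn -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
EOF
    fi
    cat <<EOF
# Log (rate-limited, as in the original ruleset) and then drop everything else.
iptables -A INPUT -m limit --limit 5/min --limit-burst 5 -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -j DROP
EOF
}
```

Run `gen_rules eth0` first and read the output; only pipe it into `sh` once the interface names match your host, since the flush at the top replaces your current INPUT and FORWARD rules.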