about UDP4500 and UDP 5000!
- Posts: 7
- Joined: Thu Feb 07, 2019 3:20 am
about UDP4500 and UDP 5000!
I can't connect to the server I set up on a VPS using the iOS built-in VPN. I use CentOS 7, and I have closed the firewall. I read the forum, and it said "On the NAT, UDP 500 and 4500 should be transferred to the VPN Server." I know this is a very basic problem, but since I am a newbie, I have been unable to find out how to set it up. Would anyone be willing to explain it in detail? Thank you!
- Posts: 125
- Joined: Sun Jul 16, 2017 6:58 pm
Re: about UDP4500 and UDP 5000!
If this is for L2TP/IPsec, since you are running CentOS 7, I would disable and uninstall firewalld & install and enable iptables-services.
*MAKE SURE TO CHANGE YOUR_IP_ADDRESS AND YOUR_BACKUP_IP_ADDRESS FOR SSH, OR YOU WILL GET LOCKED OUT OF YOUR SERVER... ALSO MAKE SURE THE SSH PORT IS CORRECT FOR SSH, OR YOU WILL GET LOCKED OUT OF YOUR SERVER...
```bash
systemctl disable firewalld
systemctl stop firewalld
yum remove firewalld -y
yum install iptables-services -y
systemctl enable iptables
```
Then you will make an iptables script like this...
```bash
vi softether.fw
```
```bash
#!/bin/bash
#
#######################################################################
# iptables rules
#######################################################################
#
# Flush current V4 policies (filter, nat and mangle tables) and delete
# any user-defined chains
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Set default chain policies.
# Note: OUTPUT DROP also blocks NEW connections the server itself opens
# (DNS lookups, yum); only loopback, ICMP and replies to established
# sessions are allowed out below.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback on localhost, and reject spoofed 127/8 on other interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ping (echo request, type 8) and ICMP error returns
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# Allow incoming SSH, only from the two management addresses
iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s YOUR_BACKUP_IP_ADDRESS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow incoming HTTPS for SoftEther (default listener)
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow incoming OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow incoming IPsec: IKE on UDP 500, NAT-T (IKE + ESP-in-UDP) on UDP 4500
iptables -A INPUT -p udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow incoming Network Speed tool (uncomment when needed)
#iptables -A INPUT -p tcp --dport 9821 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop null packets (inserted at the top of INPUT, so checked first)
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
# DROP syn-flood packets (new TCP connections must start with SYN)
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
# DROP XMAS packets
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
##########################
# Save changes so iptables-services restores them at boot
service iptables save
# Restart the service
service iptables restart
#######################################################################
# End of rules
#######################################################################
```
```bash
chmod +x softether.fw
./softether.fw
```
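As an added check (not from the forum post or SoftEther), the Python below parses an `iptables-save` dump of the filter table and reports what a new inbound UDP packet to 500 and 4500 would hit in INPUT, so you can confirm the host firewall before looking at the router's port forwarding. The dump is a constructed sample that deliberately leaves the UDP 4500 rule out; the function names are my own.

```python
import shlex
# Constructed iptables-save sample (not from the poster's box); UDP 4500 left out on purpose.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def _opt(tokens, *names):
    """Value following the first of `names` found in tokens, or None."""
    hits = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in names]
    return hits[0] if hits else None

def filter_chain(dump, chain):
    """(policy, rules) for `chain` in the *filter table; rules are token lists."""
    policy, rules, table = None, [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":%s " % chain):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A %s " % chain):
            rules.append(shlex.split(line)[2:])
    return policy, rules

def _matches_new_udp(tokens, port):
    """Would a NEW UDP packet to `port`, from any host, match this rule?"""
    if ("!" in tokens or _opt(tokens, "-s", "--source")   # negated or source-bound
            or _opt(tokens, "-i", "--in-interface") == "lo"
            or _opt(tokens, "-p", "--protocol") not in (None, "udp")):
        return False
    dport = _opt(tokens, "--dport", "--destination-port")
    if dport:
        lo, _, hi = dport.partition(":")   # single port or lo:hi range
        if not int(lo) <= port <= int(hi or lo):
            return False
    states = _opt(tokens, "--state", "--ctstate")
    return states is None or "NEW" in states.split(",")

def udp_port_verdict(dump, port, chain="INPUT"):
    """First terminal target a NEW UDP packet to `port` hits, else the chain policy."""
    policy, rules = filter_chain(dump, chain)
    for tokens in rules:
        target = _opt(tokens, "-j", "--jump")
        if target in ("ACCEPT", "DROP", "REJECT") and _matches_new_udp(tokens, port):
            return target
    return policy
```

Run it against real output with `udp_port_verdict(open("dump").read(), 4500)`; anything other than ACCEPT for 500 or 4500 means the host firewall, not the router, is the first thing to fix.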
- Posts: 125
- Joined: Sun Jul 16, 2017 6:58 pm
Re: about UDP4500 and UDP 5000!
Also, if the client is behind a firewall, you have to open ports 500 and 4500 on the firewall on your router.
- Posts: 7
- Joined: Thu Feb 07, 2019 3:20 am
Re: about UDP4500 and UDP 5000!
Thank you very much!
- Posts: 7
- Joined: Thu Feb 07, 2019 3:20 am
Re: about UDP4500 and UDP 5000!
Is this port forwarding? It seems like I only see some rules that allow it to pass through the firewall.
- Posts: 125
- Joined: Sun Jul 16, 2017 6:58 pm
Re: about UDP4500 and UDP 5000!
Port forwarding is done on the outside router's firewall... The set of firewall rules I provided is for CentOS 7 running on your box.
All routers are different, but the general idea is to open and forward ports 500 and 4500 on your router to ports 500 and 4500 of the local IP address of your Linux box.