Solved

linux iptables How to edit to make anyconnect more friendly

Posted on 2013-01-24
Last Modified: 2013-01-28
Hello Experts!

I've had to set up the CISCO anyconnect to work with a client's LAN but it also stops me from working with my LAN. It seems to me that it should be no more than a change in IP tables to fix that but I simply have never done that before.

Attached is an image that shows exactly how it changed my IP tables using Meld (a gui diff viewer) and the added lines in green on the right are the ones that the anyconnect software added.

Could someone give me the commands I need to issue to make this work? Ideally I would only like traffic to specific IP addresses to make it to the VPN tunnel and all other traffic to simply route as it would without the VPN running.

For obvious reasons I blanked out the client's IP address(es).

Thanks!

BTW, an alternative would be to use openconnect but in my currently running version of Linux there is no GUI for it and I'm not exactly sure how to set it up as is just yet but I am looking to that as an option as well.
Screenshot-good.txt---bad.txt---.png
Question by:RegProctor
7 Comments
 
LVL 1

Author Comment

by:RegProctor
ID: 38817487
So I found I could solve part of this through this command:

iptables-save|grep -v cisco|iptables-restore

However that doesn't really control whether general internet traffic goes through my Internet connection or through their VPN first. I guess the VPN would be a longer path so the direct route through my Internet connection would be more likely, but I don't see it being guaranteed. If anyone has some final insight on making sure it's exactly how I want that would be great. That is, only specific IP addresses getting routed to the VPN connection... at least now I have my LAN connection back!

Thanks!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820151
the last (green) -A ciscovpn -j DROP causes all traffic to be dropped if not matched before (other green lines)
so I suggest to remove that line and test if it solves your problem, if so you need to think about why cisco inhibits all other traffic not tunneled (which is the purpose of the tunnel, usually)
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820593
Do I do that with a similar line to the above or is there a more direct way, like some sort of "remove this line from an IP chain" command?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820770
as I don't know what script is used to call the iptables commands, I just can give following try:

iptables -D ciscovpn -j DROP
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820862
I think it is also necessary to move the cisco IP table chain to be the last chain whereas right now it's the first chain the way they insert it. Do you know how to move that first line so the chain is the last one looked at? I think that would complete what I need.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 38821614
following two rules need to be last one in each chain (means last before final DROP rule):
  iptables -A INPUT -j ciscovpn
  iptables -A FORWARD -j ciscovpn

to achieve that, you need to find out what number the final DROP rule has, use
 iptables -L -n --line-numbers

now you can insert your new rules for the ciscovpn, for example if the final DROP rule has number 7 in the INPUT CHAIN you insert it with
   iptables -I INPUT 7 -j ciscovpn

do the same for the FORWARD chain
0
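The reordering described in the accepted answer, applied to an `iptables-save` dump rather than to the live chains. This is an added example, not code from the thread; the sample dump, its addresses and the function names `sample_dump` and `move_ciscovpn_jump` are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): reorder an iptables-save dump offline.

# Constructed sample; addresses are documentation ranges, not the poster's.
sample_dump() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ciscovpn - [0:0]
-A INPUT -j ciscovpn
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j ciscovpn
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A ciscovpn -d 203.0.113.10/32 -j ACCEPT
-A ciscovpn -j DROP
COMMIT
EOF
}

# For INPUT and FORWARD, remove the "-j ciscovpn" jump and re-emit it just
# before the chain's final unconditional DROP, or last if there is none.
move_ciscovpn_jump() {
  awk '
    function emit_chain(   i) {
      for (i = 1; i <= n; i++) {
        if (jump && i == n && buf[i] == "-A " cur " -j DROP") {
          print "-A " cur " -j ciscovpn"; jump = 0
        }
        print buf[i]
      }
      if (jump) print "-A " cur " -j ciscovpn"
      n = 0; jump = 0; cur = ""
    }
    $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
      if ($2 != cur) { emit_chain(); cur = $2 }
      if ($0 == "-A " cur " -j ciscovpn") { jump = 1; next }
      buf[++n] = $0; next
    }
    { emit_chain(); print }
    END { emit_chain() }
  '
}

# Print the reordered sample so it can be compared with the original.
sample_dump | move_ciscovpn_jump
```

On a live system the same filter can sit between `iptables-save` and `iptables-restore --test`, which parses the result without committing it, so the new rule order can be checked before it replaces the running ruleset.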
 
LVL 1

Author Comment

by:RegProctor
ID: 38829466
BTW: Due to an error I had to drop anyconnect and spent the better part of a day getting openconnect to work in its place which doesn't seem to do anything to the IP tables but somehow general traffic is routed through the VPN first. I'm going to open another question about that, perhaps you could answer that one.
0

Question has a verified solution.
