[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1258
  • Last Modified:

linux iptables How to edit to make anyconnect more friendly

Hello Experts!

I've had to setup the CISCO anyconnect to work with a client's LAN but it also stops me from working with my LAN. It seems to me that it should be no more than a change in IP tables to fix that but I simply have never done that before.

Attached is an image that shows exactly how it changed my IP tables using Meld (a gui diff viewer) and the added lines in green on the right are the ones that the anyconnect software added.

Could someone give me the commands I need to issue to make this work. Ideally I would only like traffic to specific IP addresses to make it to the VPN tunnel and all other traffic to simply route as it would without the VPN running.

For obvious reasons I blanked out the client's IP address(es).

Thanks!

BTW, an alternative would be to use openconnect but in my currently running version of Linux there is no GUI for it and I'm not exactly sure how to set it up as is just yet but I am looking to that as an option as well.
Screenshot-good.txt---bad.txt---.png
0
RegProctor
Asked:
RegProctor
  • 4
  • 3
1 Solution
 
RegProctorAuthor Commented:
So I found I could solve part of this through this command:

iptables-save|grep -v cisco|iptables-restore

Open in new window

However that doesn't really control whether general internet traffic goes through my Internet connection or through their VPN first. I guess the VPN would a longer path so the direct route through my Internet connection would be more likely, but I don't see it being guaranteed. If anyone has some final insight on making sure it's exactly how I want that would be great. That is, only specific IP addresses getting routed to the VPN connection... at least now I have my LAN connection back!

Thanks!
0
 
ahoffmannCommented:
the last (green) -A ciscovpn -j DROP  'causes all traffic to be droped if not matched before (other green lines)
so I suggest to remove that line and test if it solves your problem, if so you need to think about why cisco inhibits all other traffic not tunneld (which is the purpose of the tunnel, usually)
0
 
RegProctorAuthor Commented:
Do I do that with a similar line to the above or is more direct way like some sort of "remove this line from an IP chain" command.
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
ahoffmannCommented:
as I don't know what script is used to call the iptables commands, I just can give following try:

iptables -D ciscovpn -j DROP
0
 
RegProctorAuthor Commented:
I think it is also necessary to move the cisco IP table chain to be the last chain whereas right now it's the first chain they way they insert it. Do you know how to move that first line so the chain is the last one looked at? I think that would complete what I need.
0
 
ahoffmannCommented:
following two rules need to be last one in each chain (means last before final DROP rule):
  iptables -A INPUT -j ciscovpn
  iptables -A FORWARD -j ciscovpn

to archive that, you need to find out what number the final DROP rule has, use
 iptables -L -n --line-numbers

now you can insert your new ruls vor the ciscovpn, for example if the final DROP rule has number 7 in the INPUT CHAIN you insert it with
   iptables -I 7 INPUT -j ciscovpn

do the same for the FORWARD chain
0
 
RegProctorAuthor Commented:
BTW: Due to an error I had to drop anyconnect and spent the better part of a day getting openconnect to work in it's place which doesn't seem to do anything to the IP tables but somehow general traffic is routed through the VPN first. I'm going to open another question about that, perhaps you could answer that one.
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now