Solved

linux iptables How to edit to make anyconnect more friendly

Posted on 2013-01-24
7
1,151 Views
Last Modified: 2013-01-28
Hello Experts!

I've had to setup the CISCO anyconnect to work with a client's LAN but it also stops me from working with my LAN. It seems to me that it should be no more than a change in IP tables to fix that but I simply have never done that before.

Attached is an image that shows exactly how it changed my IP tables using Meld (a gui diff viewer) and the added lines in green on the right are the ones that the anyconnect software added.

Could someone give me the commands I need to issue to make this work. Ideally I would only like traffic to specific IP addresses to make it to the VPN tunnel and all other traffic to simply route as it would without the VPN running.

For obvious reasons I blanked out the client's IP address(es).

Thanks!

BTW, an alternative would be to use openconnect but in my currently running version of Linux there is no GUI for it and I'm not exactly sure how to set it up as is just yet but I am looking to that as an option as well.
Screenshot-good.txt---bad.txt---.png
0
Comment
Question by:RegProctor
  • 4
  • 3
7 Comments
 
LVL 1

Author Comment

by:RegProctor
ID: 38817487
So I found I could solve part of this through this command:

iptables-save|grep -v cisco|iptables-restore

Open in new window

However that doesn't really control whether general internet traffic goes through my Internet connection or through their VPN first. I guess the VPN would a longer path so the direct route through my Internet connection would be more likely, but I don't see it being guaranteed. If anyone has some final insight on making sure it's exactly how I want that would be great. That is, only specific IP addresses getting routed to the VPN connection... at least now I have my LAN connection back!

Thanks!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820151
the last (green) -A ciscovpn -j DROP  'causes all traffic to be droped if not matched before (other green lines)
so I suggest to remove that line and test if it solves your problem, if so you need to think about why cisco inhibits all other traffic not tunneld (which is the purpose of the tunnel, usually)
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820593
Do I do that with a similar line to the above or is more direct way like some sort of "remove this line from an IP chain" command.
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820770
as I don't know what script is used to call the iptables commands, I just can give following try:

iptables -D ciscovpn -j DROP
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820862
I think it is also necessary to move the cisco IP table chain to be the last chain whereas right now it's the first chain they way they insert it. Do you know how to move that first line so the chain is the last one looked at? I think that would complete what I need.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 38821614
following two rules need to be last one in each chain (means last before final DROP rule):
  iptables -A INPUT -j ciscovpn
  iptables -A FORWARD -j ciscovpn

to archive that, you need to find out what number the final DROP rule has, use
 iptables -L -n --line-numbers

now you can insert your new ruls vor the ciscovpn, for example if the final DROP rule has number 7 in the INPUT CHAIN you insert it with
   iptables -I 7 INPUT -j ciscovpn

do the same for the FORWARD chain
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38829466
BTW: Due to an error I had to drop anyconnect and spent the better part of a day getting openconnect to work in it's place which doesn't seem to do anything to the IP tables but somehow general traffic is routed through the VPN first. I'm going to open another question about that, perhaps you could answer that one.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
increase internet speed 3 100
Help needed with BIND9 DNS on Ubuntu. 22 105
VPN tunnel between Watchguard and OpenVPN? 1 130
Blocking outside IP Addresses 16 50
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question