Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

linux iptables How to edit to make anyconnect more friendly

Posted on 2013-01-24
7
1,135 Views
Last Modified: 2013-01-28
Hello Experts!

I've had to setup the CISCO anyconnect to work with a client's LAN but it also stops me from working with my LAN. It seems to me that it should be no more than a change in IP tables to fix that but I simply have never done that before.

Attached is an image that shows exactly how it changed my IP tables using Meld (a gui diff viewer) and the added lines in green on the right are the ones that the anyconnect software added.

Could someone give me the commands I need to issue to make this work. Ideally I would only like traffic to specific IP addresses to make it to the VPN tunnel and all other traffic to simply route as it would without the VPN running.

For obvious reasons I blanked out the client's IP address(es).

Thanks!

BTW, an alternative would be to use openconnect but in my currently running version of Linux there is no GUI for it and I'm not exactly sure how to set it up as is just yet but I am looking to that as an option as well.
Screenshot-good.txt---bad.txt---.png
0
Comment
Question by:RegProctor
  • 4
  • 3
7 Comments
 
LVL 1

Author Comment

by:RegProctor
ID: 38817487
So I found I could solve part of this through this command:

iptables-save|grep -v cisco|iptables-restore

Open in new window

However that doesn't really control whether general internet traffic goes through my Internet connection or through their VPN first. I guess the VPN would a longer path so the direct route through my Internet connection would be more likely, but I don't see it being guaranteed. If anyone has some final insight on making sure it's exactly how I want that would be great. That is, only specific IP addresses getting routed to the VPN connection... at least now I have my LAN connection back!

Thanks!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820151
the last (green) -A ciscovpn -j DROP  'causes all traffic to be droped if not matched before (other green lines)
so I suggest to remove that line and test if it solves your problem, if so you need to think about why cisco inhibits all other traffic not tunneld (which is the purpose of the tunnel, usually)
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820593
Do I do that with a similar line to the above or is more direct way like some sort of "remove this line from an IP chain" command.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820770
as I don't know what script is used to call the iptables commands, I just can give following try:

iptables -D ciscovpn -j DROP
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820862
I think it is also necessary to move the cisco IP table chain to be the last chain whereas right now it's the first chain they way they insert it. Do you know how to move that first line so the chain is the last one looked at? I think that would complete what I need.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 38821614
following two rules need to be last one in each chain (means last before final DROP rule):
  iptables -A INPUT -j ciscovpn
  iptables -A FORWARD -j ciscovpn

to archive that, you need to find out what number the final DROP rule has, use
 iptables -L -n --line-numbers

now you can insert your new ruls vor the ciscovpn, for example if the final DROP rule has number 7 in the INPUT CHAIN you insert it with
   iptables -I 7 INPUT -j ciscovpn

do the same for the FORWARD chain
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38829466
BTW: Due to an error I had to drop anyconnect and spent the better part of a day getting openconnect to work in it's place which doesn't seem to do anything to the IP tables but somehow general traffic is routed through the VPN first. I'm going to open another question about that, perhaps you could answer that one.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question