[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

linux iptables How to edit to make anyconnect more friendly

Posted on 2013-01-24
7
Medium Priority
?
1,295 Views
Last Modified: 2013-01-28
Hello Experts!

I've had to setup the CISCO anyconnect to work with a client's LAN but it also stops me from working with my LAN. It seems to me that it should be no more than a change in IP tables to fix that but I simply have never done that before.

Attached is an image that shows exactly how it changed my IP tables using Meld (a gui diff viewer) and the added lines in green on the right are the ones that the anyconnect software added.

Could someone give me the commands I need to issue to make this work. Ideally I would only like traffic to specific IP addresses to make it to the VPN tunnel and all other traffic to simply route as it would without the VPN running.

For obvious reasons I blanked out the client's IP address(es).

Thanks!

BTW, an alternative would be to use openconnect but in my currently running version of Linux there is no GUI for it and I'm not exactly sure how to set it up as is just yet but I am looking to that as an option as well.
Screenshot-good.txt---bad.txt---.png
0
Comment
Question by:RegProctor
  • 4
  • 3
7 Comments
 
LVL 1

Author Comment

by:RegProctor
ID: 38817487
So I found I could solve part of this through this command:

iptables-save|grep -v cisco|iptables-restore

Open in new window

However that doesn't really control whether general internet traffic goes through my Internet connection or through their VPN first. I guess the VPN would a longer path so the direct route through my Internet connection would be more likely, but I don't see it being guaranteed. If anyone has some final insight on making sure it's exactly how I want that would be great. That is, only specific IP addresses getting routed to the VPN connection... at least now I have my LAN connection back!

Thanks!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820151
the last (green) -A ciscovpn -j DROP  'causes all traffic to be droped if not matched before (other green lines)
so I suggest to remove that line and test if it solves your problem, if so you need to think about why cisco inhibits all other traffic not tunneld (which is the purpose of the tunnel, usually)
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820593
Do I do that with a similar line to the above or is more direct way like some sort of "remove this line from an IP chain" command.
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
LVL 51

Expert Comment

by:ahoffmann
ID: 38820770
as I don't know what script is used to call the iptables commands, I just can give following try:

iptables -D ciscovpn -j DROP
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38820862
I think it is also necessary to move the cisco IP table chain to be the last chain whereas right now it's the first chain they way they insert it. Do you know how to move that first line so the chain is the last one looked at? I think that would complete what I need.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 38821614
following two rules need to be last one in each chain (means last before final DROP rule):
  iptables -A INPUT -j ciscovpn
  iptables -A FORWARD -j ciscovpn

to archive that, you need to find out what number the final DROP rule has, use
 iptables -L -n --line-numbers

now you can insert your new ruls vor the ciscovpn, for example if the final DROP rule has number 7 in the INPUT CHAIN you insert it with
   iptables -I 7 INPUT -j ciscovpn

do the same for the FORWARD chain
0
 
LVL 1

Author Comment

by:RegProctor
ID: 38829466
BTW: Due to an error I had to drop anyconnect and spent the better part of a day getting openconnect to work in it's place which doesn't seem to do anything to the IP tables but somehow general traffic is routed through the VPN first. I'm going to open another question about that, perhaps you could answer that one.
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Fine Tune your automatic Updates for Ubuntu / Debian
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

590 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question