RegProctor
asked on
linux iptables How to edit to make anyconnect more friendly
Hello Experts!
I've had to setup the CISCO anyconnect to work with a client's LAN but it also stops me from working with my LAN. It seems to me that it should be no more than a change in IP tables to fix that but I simply have never done that before.
Attached is an image that shows exactly how it changed my IP tables using Meld (a gui diff viewer) and the added lines in green on the right are the ones that the anyconnect software added.
Could someone give me the commands I need to issue to make this work. Ideally I would only like traffic to specific IP addresses to make it to the VPN tunnel and all other traffic to simply route as it would without the VPN running.
For obvious reasons I blanked out the client's IP address(es).
Thanks!
BTW, an alternative would be to use openconnect but in my currently running version of Linux there is no GUI for it and I'm not exactly sure how to set it up as is just yet but I am looking to that as an option as well.
Screenshot-good.txt---bad.txt---.png
I've had to setup the CISCO anyconnect to work with a client's LAN but it also stops me from working with my LAN. It seems to me that it should be no more than a change in IP tables to fix that but I simply have never done that before.
Attached is an image that shows exactly how it changed my IP tables using Meld (a gui diff viewer) and the added lines in green on the right are the ones that the anyconnect software added.
Could someone give me the commands I need to issue to make this work. Ideally I would only like traffic to specific IP addresses to make it to the VPN tunnel and all other traffic to simply route as it would without the VPN running.
For obvious reasons I blanked out the client's IP address(es).
Thanks!
BTW, an alternative would be to use openconnect but in my currently running version of Linux there is no GUI for it and I'm not exactly sure how to set it up as is just yet but I am looking to that as an option as well.
Screenshot-good.txt---bad.txt---.png
the last (green) -A ciscovpn -j DROP 'causes all traffic to be droped if not matched before (other green lines)
so I suggest to remove that line and test if it solves your problem, if so you need to think about why cisco inhibits all other traffic not tunneld (which is the purpose of the tunnel, usually)
so I suggest to remove that line and test if it solves your problem, if so you need to think about why cisco inhibits all other traffic not tunneld (which is the purpose of the tunnel, usually)
ASKER
Do I do that with a similar line to the above or is more direct way like some sort of "remove this line from an IP chain" command.
as I don't know what script is used to call the iptables commands, I just can give following try:
iptables -D ciscovpn -j DROP
iptables -D ciscovpn -j DROP
ASKER
I think it is also necessary to move the cisco IP table chain to be the last chain whereas right now it's the first chain they way they insert it. Do you know how to move that first line so the chain is the last one looked at? I think that would complete what I need.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
BTW: Due to an error I had to drop anyconnect and spent the better part of a day getting openconnect to work in it's place which doesn't seem to do anything to the IP tables but somehow general traffic is routed through the VPN first. I'm going to open another question about that, perhaps you could answer that one.
ASKER
Open in new window
However that doesn't really control whether general internet traffic goes through my Internet connection or through their VPN first. I guess the VPN would a longer path so the direct route through my Internet connection would be more likely, but I don't see it being guaranteed. If anyone has some final insight on making sure it's exactly how I want that would be great. That is, only specific IP addresses getting routed to the VPN connection... at least now I have my LAN connection back!Thanks!