Need Help with L2tp VPN and CSF Firewall
roroqiu Member
edited December 2011 in Help

Hi guys!

I need help with my L2TP VPN and the CSF firewall. My L2TP VPN worked fine before I installed the CSF firewall. I opened UDP port 1701 in iptables. But after the installation of the CSF firewall the VPN stopped working. I can log on to my VPN, but cannot open any website. Could any of you help me work through this? I need the CSF firewall as I receive brute-force attacks frequently. I also need the VPN function. Thank you so much!

Comments

  • WhizzWr Member
    edited December 2011

    The NAT iptables rules must have been overridden by CSF.
    Edit/create /etc/csf/csfpre.sh and add the following line:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Assuming you're running anything other than OpenVZ, otherwise MASQUERADE won't work.

  • @WhizzWr Thank you so much for your time and help! I forgot to add that I was using a XEN VPS. Will this work?

  • roroqiu Member
    edited December 2011

    @WhizzWr said: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    I did this and restarted the CSF firewall, and it showed "Running /etc/csf/csfpre.sh
    /etc/csf/csfpre.sh: line 1: -t: command not found".

  • WhizzWr Member
    edited December 2011

    Eh? Could you show me your csfpre.sh content? (e.g. cat /etc/csf/csfpre.sh)

    FWIW these are the NAT entries in my csfpre.sh, you might want to try it.

    /sbin/iptables -t nat --flush
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  • @WhizzWr said: Eh? Could you show me your csfpre.sh content?

    I didn't have that file, and I created one as you told me. The content is "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE". When I restart the CSF firewall, it always shows the line "line 1: iptables: command not found".

  • WhizzWr Member
    edited December 2011

    Do you also encounter "command not found" when entering "iptables" over SSH?
    Try adding the full path and see whether it's working,
    i.e. adding /sbin/

    Or you could just replace the content of your csfpre.sh with the one in my #2 post.
    Don't forget to include the NAT flush command.

  • roroqiu Member
    edited December 2011

    @WhizzWr said: Try adding the full path and see whether it's working,

    i.e. adding /sbin/

    I added /sbin/ to the command and tried it over SSH. This works only if I stop the csf service. Is it OK if the csf service is stopped?

  • WhizzWr Member
    edited December 2011

    Not OK, the idea of adding those commands in csfpre.sh is to enable you to browse the internet while having CSF running.

    Assuming you have these:
    /sbin/iptables -t nat --flush
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    in your csfpre.sh.

    Now what happened when you started CSF? Does the internet via VPN work?
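Pulling together the two csfpre.sh posts above (the NAT entries in the #2 post and the "assuming you have these" post), here is an added example of what such a script can look like. It is my own illustration, not the thread's file and not part of CSF. It keeps the thread's facts (eth0 as the public interface, full /sbin/ paths so the script does not hit "iptables: command not found") and tightens the rule the way a firewall reviewer would: MASQUERADE only the VPN client pool rather than everything, and forward only VPN-to-internet traffic plus its replies. The client pool 192.168.42.0/24 and the ppp+ interface wildcard are assumptions; substitute the pool and interface names your L2TP setup actually uses.

```shell
#!/bin/sh
# Added example of /etc/csf/csfpre.sh for an L2TP VPN behind CSF.
# Not the thread's own file. CSF runs csfpre.sh before it loads its own
# rules, so everything here has to use full paths (the script does not get
# an interactive PATH), which is the "command not found" error in the thread.

IPTABLES=/sbin/iptables
WAN_IF=eth0                 # public interface, as used in the thread
VPN_NET=192.168.42.0/24     # ASSUMPTION: address pool handed out to L2TP clients
VPN_IF='ppp+'               # ASSUMPTION: pppd creates one pppN interface per client

# NAT rules as text, one command per line, so they can be reviewed before
# anything is applied. Unlike the thread's rule, MASQUERADE is limited to the
# VPN pool; a bare "-o eth0 -j MASQUERADE" would also rewrite anything else
# the box happens to forward. Only POSTROUTING is flushed, not the whole table.
nat_rules() {
    printf '%s\n' \
        "$IPTABLES -t nat -F POSTROUTING" \
        "$IPTABLES -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
}

# FORWARD rules: VPN clients may go out to the internet, and only reply
# traffic to them may come back in. Everything else is left to the chain
# policy, so the firewall still decides for any other forwarded traffic.
forward_rules() {
    printf '%s\n' \
        "$IPTABLES -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT" \
        "$IPTABLES -A FORWARD -i $WAN_IF -o $VPN_IF -d $VPN_NET -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

all_rules() {
    nat_rules
    forward_rules
}

# Number of commands that would be applied; a cheap sanity check.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# MASQUERADE does nothing if the kernel is not routing at all.
# Reports "1" when forwarding is on, "0" when off, "unknown" off-Linux.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Execute each generated command, stopping at the first failure so a half
# applied rule set is reported instead of silently ignored.
apply_rules() {
    all_rules | while IFS= read -r cmd; do
        $cmd || { echo "csfpre.sh: failed: $cmd" >&2; exit 1; }
    done
}

# Apply only when we are root and iptables is present (i.e. when CSF runs us);
# otherwise print the plan. CSFPRE_DRY_RUN=1 forces the plan-only mode.
if [ "${CSFPRE_DRY_RUN:-0}" = 0 ] && [ -x "$IPTABLES" ] && [ "$(id -u)" = 0 ]; then
    apply_rules
else
    echo "dry run; commands that would be applied (ip_forward=$(ip_forward_state)):"
    all_rules
fi
```

Running the script as an unprivileged user, or with CSFPRE_DRY_RUN=1, prints the four commands and the current ip_forward value without touching the firewall; that is the form worth pasting into a thread like this one when asking for help. Deployed as /etc/csf/csfpre.sh it applies them, and a failing command shows up in the "Running /etc/csf/csfpre.sh" output when CSF restarts instead of leaving the VPN silently unable to reach the internet.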

  • @WhizzWr said: Assuming you have these:

    /sbin/iptables -t nat --flush
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    in your csfpre.sh.

    Now what happened when you started CSF? Does the internet via VPN work?

    I did add the rules to my csfpre.sh file. When I start CSF, I can connect to the VPN, yet there is no internet connection through the VPN. This really makes me sick.

  • WhizzWr Member
    edited December 2011

    No errors were given during csf start?

    Well, I'm sorry, but all I can think is that the internet forwarding is somehow being blocked by CSF, given that you can connect to the VPN just fine.
    Those are the iptables rules that work for me.

    You might want to inspect the CSF firewall log to see which traffic exactly is being blocked.
    http://configserver.com/free/csf/readme.txt

    Perhaps other LET members could point out something else. :)

  • @WhizzWr Thank you so much for your time and help! You're really very helpful. I will try to figure it out.

  • @WhizzWr I found this post and the problem is now solved! Thank you so much!

    http://forum.configserver.com/viewtopic.php?f=6&t=2551&p=8449&hilit=gre#p8449

  • WhizzWr Member
    edited December 2011

    Glad to hear you got it working.
    The link you provided is for PPTP though; I have never heard that IPsec/L2TP would require GRE and PPP packets to be allowed through the firewall.
