What authentication method are you using?
Back in '00 I helped design a set of remote VPN/admin tools that took
into consideration things like mobile users and DHCP. Depending on
your authentication mechanism the remote source address is only one of
many authentication parameters and can be safely ignored in some
cases...
On 8/24/05, Gustin Johnson <[EMAIL PROTECTED]> wrote:
> Quoting Cameron Nikitiuk <[EMAIL PROTECTED]>:
>
> > My work wants me to set up remote administration to the office, but
> > there are a couple challenges and I am hoping you guys can help.
> >
> > My former boss was doing this before & I know I can write rules based
> > on my IP address and such, but to complicate things, there is an
> > appliance that provides failover for our WAN connections. My boss
> > confirmed that once that was installed, he was not able to remote in
> > anymore.
> >
> > These are the questions/challenges I see myself facing and any input
> > would be welcome:
> > 1) Being on Shaw I have a dynamic IP and as such I may lose remote
> > capability if my IP changes. Would I be able use one of those free
> > DNS services and then reference that name in the IPTables rules to
> > provide connectivity based on that name? IIRC, there are programs
> > available for these services, that will run in the background and
> > will keep the IP address of your router (in my case a D-Link DI-604)
> > updated with the DNS service.
>
> I use an iptables script called gshield. I simply run it in a cron job
> every couple of hours as it autodetects your ip (it parses the output
> from ifconfig I believe).
>
> I use dyndns.org for updating the ip and name of dynamically connected
> hosts. Then in our DNS server I use a CNAME to point to the dynamic
> name.
>
> Eg.
> vpn IN CNAME hostname.somedyn.dns.
>
> then vpn.mydomain.tld never has to be updated.
>
> Fortunately Shaw IPs don't change too often, usually once every 1-1.5 years.
>
> > 2) Would the IPTables rules work with a domain name? Example:
> > computer.dnsservice.com (which has a public IP of 1.2.3.4)
>
> Sure, here is an example for external rsync access:
> iptables -A IN_EXT -p tcp --dport 873 -s hostname.foo.bar -j ACCEPT
>
> > 3) What would need to be done with the appliance to ensure that I
> > could connect through it? Would I need to establish a VPN tunnel or
> > would I need to do something with port forwarding?
>
> Depends on the appliance. Maybe all you need is to port forward ssh or
> rdp. What is the appliance?
>
> > 4) If I change any IPTables rules, would I need to reboot the
> > firewall? Restart the service?
>
> No. A good script will flush all previous rules before running its
> own. Do this at the beginning of your own iptables script. No reboot
> necessary.
>
> #Flush rules
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
> iptables -t nat -F OUTPUT
>
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> > 5) Anything else anyone can think of?
> >
> > Would like to get this resolved ASAP so if anyone can come up with any
> > ideas?
> >
> >
>
>
> --
> No trees were harmed in the transmission of this message, however a
> large number of electrons were seriously inconvenienced.
>
>
> ---------------------------------------------------
> This message was sent using Echostar Secure Webmail
>
>
>
--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
-------------------Cirez Communications, inc.----------------
----------------------Juan Alberto Cirez---------------------
-----------------------Senior Consultant---------------------
[EMAIL PROTECTED]
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Sunny and Beautiful Vancouver, Canada.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
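Worked example, added here and not part of the thread or of gshield: a cron-driven script that keeps an allow rule for a dynamic-DNS hostname current. The reason a script like this is needed at all is that iptables resolves a `-s hostname` argument once, when the rule is inserted; the kernel stores only the resulting address, so a rule loaded with last month's Shaw IP silently stops matching after the address changes. The script resolves the name itself, compares the answer with the IP it recorded on the previous run, and only then deletes the stale rule and inserts the new one. It also refuses to touch the firewall when resolution fails or returns something that is not a dotted quad, so a DNS outage leaves the old rule in place rather than producing a broken or over-broad rule. The hostname admin.example.dyndns.org, the SSH port, the state file path and the chain name IN_EXT (borrowed from the rsync example above) are assumptions; `getent ahostsv4` is the glibc resolver interface, and `IPT=echo` turns the script into a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): refresh an iptables allow rule for a
# dynamic-DNS hostname from cron. iptables resolves "-s NAME" once at insert
# time, so the rule has to be rebuilt whenever the name's address changes.
#
# Assumed (hypothetical) names: the admin host's DDNS name, SSH as the exposed
# service, and an existing custom chain IN_EXT (the chain from the thread).

HOST="${ADMIN_HOST:-admin.example.dyndns.org}"
PORT="${ADMIN_PORT:-22}"
CHAIN="${CHAIN:-IN_EXT}"
STATE="${STATE:-/var/run/admin-allow.ip}"   # last IP the rule was built for
IPT="${IPT:-iptables}"                       # IPT=echo for a dry run

# resolve_host NAME -> prints the first IPv4 address, or nothing on failure
# (glibc getent; swap in "dig +short" on systems without it)
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# valid_ipv4 ADDR -> exit 0 only for a dotted quad with octets 0..255; this
# is the guard that stops an empty or garbage resolver answer reaching iptables
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# rule_commands OLD NEW -> prints the iptables commands that move the allow
# rule from OLD to NEW. OLD may be empty on the first run. The new rule is
# inserted at position 1 so it wins over any later DROP in the chain.
rule_commands() {
    old="$1"; new="$2"
    [ -n "$old" ] && echo "$IPT -D $CHAIN -p tcp --dport $PORT -s $old -j ACCEPT"
    echo "$IPT -I $CHAIN 1 -p tcp --dport $PORT -s $new -j ACCEPT"
}

# refresh -> resolves HOST; if the address differs from the recorded one,
# applies the rule change and records the new address. Prints the action
# taken: "unchanged", "updated OLD NEW", or "skipped" (bad/no DNS answer,
# exit status 1, firewall left untouched).
refresh() {
    new=$(resolve_host "$HOST")
    if ! valid_ipv4 "$new"; then
        echo "skipped"
        return 1
    fi
    old=""
    [ -r "$STATE" ] && old=$(cat "$STATE")
    if [ "$old" = "$new" ]; then
        echo "unchanged"
        return 0
    fi
    rule_commands "$old" "$new" | sh -e
    echo "$new" > "$STATE"
    echo "updated ${old:-none} $new"
}

# Usage from cron, e.g. every 15 minutes:  */15 * * * * /usr/local/sbin/allow-admin.sh run
case "${1:-}" in
    run) refresh ;;
esac
```

Two things to keep in mind when using this. First, the rule still has to survive the flush that a script like gshield performs on each run, so either run this after the main script or have the main script call `refresh` after it rebuilds the chains. Second, a source-address rule only narrows who can reach the SSH port; it trusts whatever DNS answers, and your first message's point stands: the real authentication is the SSH key or VPN credential behind it, the address check is a supplement.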
_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying