Access intranet thru an IPCOP VPN

By Sceva
I have set up a branch office vpn between our main office and a remote office. The remote office is using IPCOP version 1.3. Everything works great except when someone at the branch office attempts to connect to the intranet at the main office. It does not connect, even when using the ip address instead of the server name. It seems that the IPCOP is sending the request out over the internet instead of thru the vpn tunnel. DNS is providing the correct ip address and I can successfully ping the intranet server by ip and hostname. The intranet server does not have a public ip address.

I have tried a couple of iptable fixes but have been unsuccessful so far. I am also using DansGuardian and transparent web proxy on the IPCOP machine.


7 total posts (Page 1 of 1)  

by steve In reply to Access intranet thru an I ...

Do you have an ipcop machine at both ends of the VPN tunnel?


by Sceva, in reply to steve

No. The IPCop is at the remote office. We have a watchguard device at the other end.


by Sceva In reply to Access intranet thru an I ...

I have the IPCOP on the remote office side and a watchguard device at the home office. The intranet server is at the home office.


by Sceva In reply to Access intranet thru an I ...

Hope someone can help. Thanks.


by Thrash Cardiom In reply to Access intranet thru an I ...

I have just worked out the solution to this problem this morning. You need to edit two files and add some iptables rules that will allow your intranet traffic to bypass both squid and dansguardian. The files are:

/etc/rc.d/rc.firewall
/etc/rc.d/rc.local

In /etc/rc.d/rc.firewall find these lines:

# DansGuardian Transparent Filtering Setup
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -p tcp --dport 80 -j REDIRECT --to-port 8080

And add these two lines ABOVE them:

/sbin/iptables -t nat -N POSTSQUID
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -p tcp --dport 80 --destination ###.###.###.###/## -j POSTSQUID

replace the hashes with your intranet's network address.

Next find these lines:

# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW

And alter them so they look like this:

/sbin/iptables -t nat -N PRESQUID
/sbin/iptables -t nat -A PREROUTING -j PRESQUID
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW

Save /etc/rc.d/rc.firewall and edit /etc/rc.d/rc.local and add these lines:

/sbin/iptables -t nat -A PRESQUID -p tcp -d ###.###.###.###/## -j POSTSQUID
/sbin/iptables -t nat -A POSTSQUID -j ACCEPT

Replace the hashes with your intranet network address.

Save /etc/rc.d/rc.local

Next run these commands:

/etc/rc.d/rc.firewall restart
/etc/rc.d/rc.local

It should all be working now. Normal traffic will be passed through squid and dansguardian and intranet traffic will bypass them and go via the VPN.

Regards
Richard
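The fix above depends on one property of the nat table: PREROUTING is walked top to bottom and the first terminating target wins, so the jump to POSTSQUID (whose only rule is ACCEPT) must sit above the REDIRECT to port 8080 or the intranet packet is already redirected into DansGuardian before the bypass is ever consulted. The following is an added Python model of that traversal, written for this thread and not code from the post or from IPCop itself. It assumes a constructed intranet network 10.20.0.0/16 in place of the hashes, assumes $GREEN_DEV is eth0, and assumes the DansGuardian REDIRECT line comes before the custom chain jumps in rc.firewall; it then shows the verdict for the same packet with the bypass placed above and below the REDIRECT.

```python
"""Model of iptables nat PREROUTING first-match traversal for the IPCop squid/DansGuardian bypass.

Simplified: only the matches used in the thread (-i, -p, --dport, -d) are modelled,
and REDIRECT is reported as a verdict name rather than rewriting the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

INTRANET = ipaddress.ip_network("10.20.0.0/16")  # constructed stand-in for ###.###.###.###/##
GREEN_DEV = "eth0"                               # assumed value of $GREEN_DEV on the IPCop box


@dataclass
class Rule:
    target: str                      # built-in target or a user-defined chain name
    in_dev: Optional[str] = None     # -i
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    dst: Optional[ipaddress.IPv4Network] = None  # -d / --destination


@dataclass
class Packet:
    in_dev: str
    proto: str
    dst: str
    dport: int


TERMINATING = {"ACCEPT", "DROP", "REDIRECT", "DNAT"}


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match on the rule must hold; unspecified matches are wildcards."""
    if rule.in_dev is not None and rule.in_dev != pkt.in_dev:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def traverse(table: Dict[str, List[Rule]], chain: str, pkt: Packet) -> Optional[str]:
    """Walk one chain in order; return the first terminating verdict, or None on fall-through."""
    for rule in table[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in table:                  # jump into a user-defined chain
            verdict = traverse(table, rule.target, pkt)
            if verdict is not None:               # ACCEPT inside a user chain ends the walk
                return verdict
            continue                              # user chain returned: keep going here
        if rule.target in TERMINATING:
            return rule.target
    return None


def verdict(table: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Verdict for a packet entering nat PREROUTING; 'POLICY' means the chain policy (ACCEPT) applies."""
    return traverse(table, "PREROUTING", pkt) or "POLICY"


def build_table(bypass_above_redirect: bool) -> Dict[str, List[Rule]]:
    """Build the nat table as described in the thread, with the rc.firewall bypass line
    either above the DansGuardian REDIRECT (the fix) or below it (the mistake)."""
    bypass = Rule("POSTSQUID", in_dev=GREEN_DEV, proto="tcp", dport=80, dst=INTRANET)
    redirect = Rule("REDIRECT", in_dev=GREEN_DEV, proto="tcp", dport=80)  # --to-port 8080
    prerouting = [bypass, redirect] if bypass_above_redirect else [redirect, bypass]
    prerouting += [Rule("PRESQUID"), Rule("SQUID"), Rule("PORTFW")]       # custom chain jumps
    return {
        "PREROUTING": prerouting,
        "POSTSQUID": [Rule("ACCEPT")],                                   # from rc.local
        "PRESQUID": [Rule("POSTSQUID", proto="tcp", dst=INTRANET)],      # from rc.local
        "SQUID": [],
        "PORTFW": [],
    }


if __name__ == "__main__":
    fixed, broken = build_table(True), build_table(False)
    intranet_http = Packet(GREEN_DEV, "tcp", "10.20.5.9", 80)
    public_http = Packet(GREEN_DEV, "tcp", "198.51.100.7", 80)          # constructed public address
    print("bypass above REDIRECT, intranet :80 ->", verdict(fixed, intranet_http))
    print("bypass below REDIRECT, intranet :80 ->", verdict(broken, intranet_http))
    print("bypass above REDIRECT, public :80   ->", verdict(fixed, public_http))
```

The model also shows why the extra PRESQUID rule in rc.local matters: it has no --dport, so non-HTTP TCP traffic to the intranet (for example port 443) is accepted there and never reaches the SQUID chain, while UDP to the same network simply falls through to the chain policy and is routed over the tunnel as usual. On the real box the order can be confirmed with `iptables -t nat -S PREROUTING`, checking that the `-j POSTSQUID` line appears before the `-j REDIRECT` line.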

by Sceva In reply to Access intranet thru an I ...

This question was closed by the author
