[KLUG Members] IPTABLES and VPN support

Adam Tauno Williams adam at morrison-ind.com
Wed Apr 12 13:57:06 EDT 2006


> I have a need to send streaming sensitive data over the internet to
> another company. My initial thought is to use an encrypted VPN link.

Makes sense.

> I'm very concerned with security and protecting my internal network from
> the computers on their side of the VPN link. I also have to prevent
> anyone else from getting at the data.
> Any suggestions on the most secure way of providing the data?

A VPN sounds like the solution.

> Is it safer to run a VPN client on my box and connect to their VPN
> server or for them to connect to my VPN server?

I don't think it matters, the configuration is merely reversed.  I
*assume* both sides want to protect themselves from the other.

> If my box connected to their VPN, I assume Linux creates a new virtual
> interface for the VPN tunnel.

Yes.

>  In which case I would need an IPTables
> firewall on my box to only allow outbound connections over that VPN
> interface and to DROP any inbound attempts from it.

Yep.

> Is this reasonable? Is the kernel and IPTables support for this kind of
> thing stable? Anyone tried something like this?

Yes and yes.  IPTables doesn't much care about the interface type;  it
is all just IP traffic.

> I'm also considering them connecting to my VPN server. In which case I
> believe they get an IP on my LAN? 

Yes,  although there can be a lot of subtleties about how this is done.

> So I would need a firewall between my
> VPN server and my boxes that provide the stream.

Yep.

> The reason I'm
> considering this is because I need a redundant system. If one of my
> servers falls over, they need to connect to the secondary server.

Should be easily enough done.

> If I'm connecting to them, like in the first case, I'm not sure how I
> would detect that my primary box failed and start sending from a
> secondary.
> Any ideas?

Some kind of heartbeat, SNMP trap, or just polling.  Depends on how
quickly you need to recover.
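A concrete ruleset for the client-side case discussed above (the box dials out over the tunnel, may only originate connections across it, and drops anything the far side tries to start), added here as an example and not part of the original post. The interface name tun0, the peer subnet 10.99.0.0/24 and the use of iptables-restore format with the conntrack match are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a host that connects
# out over a VPN tunnel interface and must never accept connections from it.
# Interface name and peer subnet are assumptions (constructed values).

VPN_IF="${VPN_IF:-tun0}"             # virtual interface the VPN client creates (assumed)
PEER_NET="${PEER_NET:-10.99.0.0/24}" # constructed: the other company's VPN-side subnet

# Print the ruleset; load it with:  vpn_ruleset | iptables-restore
vpn_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to flows this host opened (including over the tunnel)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything NEW arriving from the tunnel is logged (rate limited) and dropped
-A INPUT -i ${VPN_IF} -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "VPN-IN-DROP: "
-A INPUT -i ${VPN_IF} -j DROP
# never route between the tunnel and the LAN in either direction
-A FORWARD -i ${VPN_IF} -j DROP
-A FORWARD -o ${VPN_IF} -j DROP
# outbound over the tunnel: only traffic destined for the peer network
-A OUTPUT -o ${VPN_IF} -d ${PEER_NET} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o ${VPN_IF} -j DROP
COMMIT
EOF
}

# Sanity check before loading: the ESTABLISHED,RELATED accept must precede
# the tunnel DROP, otherwise replies to the outbound stream are discarded.
ruleset_ok() {
    vpn_ruleset | awk -v ifc="$VPN_IF" '
        /^-A INPUT .*--ctstate ESTABLISHED,RELATED -j ACCEPT$/ { est = NR }
        $0 == ("-A INPUT -i " ifc " -j DROP")                  { drop = NR }
        END { exit !(est && drop && est < drop) }'
}
```

Run `vpn_ruleset | iptables-restore --test` (on iptables versions that support it) to syntax-check before applying, and `ruleset_ok` to confirm the ordering the comments rely on.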