[NTLUG:Discuss] cisco vpn client ver4.6 on SuSE 9.3 kernel 2.6

Chris Cox cjcox at acm.org
Tue Aug 30 16:17:59 CDT 2005


Steve Martindell wrote:
> I upgraded SuSE 8.2 kernel-2.4 to SuSE 9.3 kernel-2.6
> in order to install the latest cisco vpn client 4.6.

You're running a SUSE 8.2 system with the SUSE 9.3 kernel?
(Ick)

> 
> After ~4 hours of dealing w/ missing config files, 
> files in the wrong place, and files not compiled,
> I got it to connect to work with a standard c-shell.

I can only imagine.  Did you have to run the latest
Cisco client?  I know we run a version 4.something
on our SUSE 8.2 boxes without problem.

> 
> When I start an X-application(like xcalc) it can't
> send the display back to Linux PC at home.

Well.. on a 9.3 box (not necessarily true of 8.2),
you'll find that your X server does not allow
remote connects by default.  A possible workaround
is to enable ssh X11 forwarding and do ssh -X
and bring up your client.

If you just have to use X11 (port 6000) then
you can enable it on SUSE, there's a couple of
steps (it's repeated daily... should be a FAQ...
if you can't find it post... I'll dig up my
own notes).

> 
> I believe this is related to another script they
> supplied that did not run correctly called
> "set_X11_access".
> 
> What I want to do is just hard code this redhat script
> 
> to allow remote X display to work on home SuSE PC.
> 
> the two important commands in the "set_X11_access"
> script are as follows:
> 
> 1)# compute the X rule number
> RULE_NO=`$IPTABLES -t filter --line-numbers -L INPUT |
> grep "x11" | awk -F \   '{ print $1 }' - `
> export RULE_NO
> 
> 2)# execute rule
> $IPTABLES -t filter -R $RULE_NO -i eth0 -p tcp --syn
> --dport 6000:6255 -s 0/0 -d 0/0 $LOG -j $ACCESS
> 
> I think these two cmds open up certain ports based on
> the results of the grep "x11" command
> 
> But when I try command #1) on SuSE, it returns nothing
> and so $RULE_NO never gets set, and therefore the 
> $IPTABLES command 2) complains:
> "iptables v1.3.1: -R requires a rule number"
> 
> questions: 
>      do I need to run this script ?
> <or> can I hard code this script for SuSE ?
> <or> can I just set the iptables by hand ?
> <and> if so where do I set the iptables on SuSE ?
> <and> how do I know which ports to allow/accept
> access?

SUSE has its own friendly firewall administration
you can get to via YaST.  However, if you trust
your VPN and already have a firewall appliance
that you trust, then you might not need to
run a firewall at all.  I'd certainly remove
it from the picture if at all possible and add
it back when you have something that works (but
again, it may not be needed at all if you trust
the host/net you're VPN'ing to).
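
The failure quoted above ("-R requires a rule number") comes from an empty lookup being passed straight to iptables. As an added example, not part of the original message or of the Cisco script, this sketch checks the lookup first and only then builds the replace command, which it prints rather than runs. The function names, the INPUT chain argument, the ACCEPT target standing in for $ACCESS, and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: guard the rule-number lookup before calling iptables -R.

# Read an `iptables --line-numbers -L INPUT` listing on stdin and print the
# number of the first rule that mentions "x11". Exit status 1 if none does.
x11_rule_no() {
    awk '$1 ~ /^[0-9]+$/ && /x11/ { print $1; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# Print (not run) the replace command for the listing on stdin.
# Assumptions: chain INPUT, target ACCEPT in place of $ACCESS, no $LOG.
x11_replace_cmd() {
    rule_no=$(x11_rule_no) || {
        echo "no x11 rule in INPUT; refusing to build -R command" >&2
        return 1
    }
    echo "iptables -t filter -R INPUT $rule_no -i eth0 -p tcp --syn" \
         "--dport 6000:6255 -s 0/0 -d 0/0 -j ACCEPT"
}

# Constructed listing in which the INPUT chain has an x11 rule at position 2.
WITH_X11='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    REJECT     tcp  --  anywhere             anywhere            tcp dpts:x11:6255'

# Constructed listing with no x11 rule, the case described in the message.
WITHOUT_X11='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    input_ext  all  --  anywhere             anywhere'

# Demo: the first call prints a command, the second reports the empty lookup.
printf '%s\n' "$WITH_X11" | x11_replace_cmd
printf '%s\n' "$WITHOUT_X11" | x11_replace_cmd ||
    echo "lookup failed, rule table left untouched"
```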
