Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 290

Identity server guide

    pkts bytes target  prot opt in    out  source       destination
      17   748 DNAT    tcp  --  eth0  *    0.0.0.0/0    0.0.0.0/0     tcp dpt:443 to:10.10.0.1:8443

This entry states that eth0 is routing TCP port 443 to IP address 10.10.0.1:8443.

9 (Conditional) If your Identity Server cluster configuration contains more than one Identity Server, repeat these steps on each server in the cluster.

Adding the SSL VPN Commands

These steps assume that you have completed at least Step 3 in "Adding the Identity Server Commands" on page 289.

1 Add the following lines to the fw_custom_before_masq section of the /etc/sysconfig/scripts/SuSEfirewall2-custom file.

    iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to 10.1.1.1

  The 10.8.0.0/16 address is configured as a tunnel subnet, and the 10.1.1.1 address is your private interface.

2 Add the following lines to the fw_custom_before_denyall section.

    iptables -A $chain -j ACCEPT -s 10.8.0.0/22
    iptables -A $chain -j ACCEPT -d 10.8.0.0/22

  The file should look similar to the following:

    fw_custom_before_masq() {
        iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to 10.1.1.1
        true
    }
    fw_custom_before_denyall() {
        for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
            iptables -A $chain -j ACCEPT -s 10.8.0.0/22
            iptables -A $chain -j ACCEPT -d 10.8.0.0/22
        done
        true
    }

3 Save the file.

4 Restart the firewall by executing the following command:

    /etc/init.d/SuSEfirewall2_setup restart

5 Verify that the post SSL VPN routing iptables filters have been registered correctly by issuing the following command:

    iptables -t nat -nvL

  You should see information similar to the following if the filters have been registered correctly:

    Chain POSTROUTING (policy ACCEPT 20987 packets, 1266K bytes)
    pkts bytes target  prot opt in   out  source        destination
       0     0 SNAT    all  --  *    *    10.8.0.0/16   0.0.0.0/0     to:10.1.1.1
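The step 5 check can be scripted instead of read by eye. The following is an added example, not part of the Novell manual: the function names check_snat and verify are hypothetical, and the two sample listings are constructed from the values shown above.

```shell
#!/bin/sh
# Added example: automate the step 5 check of `iptables -t nat -nvL` output.
# check_snat SUBNET TO_ADDR reads a listing on stdin and returns 0 only when
# the POSTROUTING chain holds a SNAT rule for SUBNET that rewrites to TO_ADDR.
check_snat() {
    awk -v src="$1" -v to="to:$2" '
        /^Chain /    { chain = $2; next }       # remember the current chain
        chain == "POSTROUTING" && $3 == "SNAT" && $8 == src {
            # -nvL columns: pkts bytes target prot opt in out source destination
            for (i = 10; i <= NF; i++) if ($i == to) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample listing using the values from the manual text.
GOOD_LISTING='Chain POSTROUTING (policy ACCEPT 20987 packets, 1266K bytes)
 pkts bytes target prot opt in out source destination
    0     0 SNAT   all  --  *  *   10.8.0.0/16 0.0.0.0/0 to:10.1.1.1'

# Constructed failure case: rule registered for the wrong subnet.
BAD_LISTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 SNAT   all  --  *  *   10.9.0.0/16 0.0.0.0/0 to:10.1.1.1'

# verify LISTING: prints a verdict and returns the status of check_snat.
verify() {
    if printf '%s\n' "$1" | check_snat 10.8.0.0/16 10.1.1.1; then
        echo "OK: SNAT 10.8.0.0/16 -> 10.1.1.1 registered"
    else
        echo "MISSING: SNAT 10.8.0.0/16 -> 10.1.1.1 not in POSTROUTING"
        return 1
    fi
}

verify "$GOOD_LISTING"
verify "$BAD_LISTING" || true
# On a live server: iptables -t nat -nvL | check_snat 10.8.0.0/16 10.1.1.1
```

Run it on each Identity Server in the cluster after the firewall restart; a non-zero status from check_snat means the custom script was not picked up or the rule was registered with different addresses.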
