cajin asked:
iptables for VPN across 2 private network

My company's network IP addresses are 192.168.1.*. The router has a public IP address and a private IP address (192.168.1.1). It supports the VPN function. In the past, I could access the company network with the Windows 2000 VPN client from my home PC, which was connected to the Internet directly through ADSL.

Now, I have installed a Linux computer at my home. I want to use the Linux computer as a gateway. It has a public IP address and a private address (192.168.2.1) too. I configured NAT and IP MASQUERADE on the Linux computer. My Windows 2000 PC now has 192.168.2.2 as its IP address.

I tried many other Internet applications such as IE, Yahoo Messenger, email, etc. on my Windows 2000 computer. All these applications work the same as before. They can access the Internet without any problem. The only problem is, I failed to connect to my company's network. It seems like the Linux computer didn't forward the PPTP data to my Windows 2000 computer.

Does anyone know how to configure iptables in this case (two private networks connected over the Internet)? I hope that, as a first step, the home computer could access the company's private network, and as a second step, the company's computers could access my home private network.

The company's router supports PPTP.

Thanks in advance.
SOLUTION (ahoffmann, Germany)

This solution is only available to members of Experts Exchange.
cajin (ASKER):

Thank you for your reply, ahoffmann. I tried but failed too. Can you give a simple explanation of those commands so I can study more about it?

When I use Windows 2000 to connect to my company's VPN, an error shows up when verifying the username/password; the error code is 619, and the text is "The designated port is not connected".
SOLUTION

This solution is only available to members of Experts Exchange.
cajin (ASKER):

I will have a try with tcpdump following your instructions.

BTW, I checked the log on my company's router, and I saw the log below after I tried to connect to it:

09/09/03 00:00:37   PPTP: IP down, rem: <My Home Public IP>
09/09/03 00:00:37   PPTP-1 down: Remote clearing
09/09/03 00:00:12   PPP: Channel 1 up, Answer
09/09/03 00:00:12   PPTP: IP up, rem: <My Home Public IP>, via: <My Company Public IP>

That means my home computer did send a request to the company's router but was turned down eventually.

Jin
SOLUTION

This solution is only available to members of Experts Exchange.
cajin (ASKER):

"cat /proc/net/ip_conntrack" generated this output:

tcp      6 431994 ESTABLISHED src=192.168.2.2 dst=[COMP_PUB_IP] sport=2021 dport=
1723 src==[COMP_PUB_IP] dst=[HOME PUB IP] sport=1723 dport=2021 [ASSURED] use=1
...
unknown  47 597 src==[COMP_PUB_IP]dst==[HOME PUB IP] [UNREPLIED] src==[HOME PUB IP]
dst===[COMP_PUB_IP] use=1

For the GRE protocol (47), it is unreplied. Not sure why.
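
An added example, not from this thread, of how to read this kind of /proc/net/ip_conntrack output programmatically: it parses the table and reports the two symptoms visible above, a GRE (protocol 47) entry that is UNREPLIED, and a reply tuple whose source is the gateway's own public address rather than the Windows client, which is what conntrack shows when protocol 47 is not DNATed to the client. The addresses in the sample are constructed (203.0.113.10 standing in for the company router, 198.51.100.7 for the home public IP).

```python
# Constructed /proc/net/ip_conntrack sample (not the thread's real output): the
# PPTP control connection on TCP/1723 works, but the GRE (protocol 47) tunnel
# entry arriving from the VPN server is UNREPLIED and its reply tuple points at
# the gateway's own public address instead of the Windows client 192.168.2.2.
SAMPLE_CONNTRACK = """\
tcp      6 431994 ESTABLISHED src=192.168.2.2 dst=203.0.113.10 sport=2021 dport=1723 src=203.0.113.10 dst=198.51.100.7 sport=1723 dport=2021 [ASSURED] use=1
udp     17 29 src=192.168.2.2 dst=198.51.100.1 sport=53401 dport=53 src=198.51.100.1 dst=198.51.100.7 sport=53 dport=53401 use=1
unknown 47 597 src=203.0.113.10 dst=198.51.100.7 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 use=1
"""

def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts with proto number, flags and both tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        entry = {"proto": int(parts[1]), "flags": [], "tuples": []}
        for tok in parts[3:]:                           # skip name, proto, timeout
            if tok.startswith("[") and tok.endswith("]"):
                entry["flags"].append(tok[1:-1])        # ASSURED, UNREPLIED
            elif "=" in tok:
                key, _, val = tok.partition("=")
                val = val.lstrip("=")                   # tolerate 'src==x' typos
                if key == "src":                        # each src= starts a tuple
                    entry["tuples"].append({})
                if entry["tuples"] and key in ("src", "dst", "sport", "dport"):
                    entry["tuples"][-1][key] = val
        if len(entry["tuples"]) == 2:                   # original + reply direction
            entry["orig"], entry["reply"] = entry["tuples"]
            entries.append(entry)
    return entries

def pptp_findings(entries, client_ip):
    """Explain why a PPTP client behind this NAT gateway fails, from conntrack state."""
    findings = []
    control = [e for e in entries if e["proto"] == 6
               and e["orig"].get("src") == client_ip and e["orig"].get("dport") == "1723"]
    if not control:
        findings.append("no TCP/1723 control connection from %s" % client_ip)
    for e in (e for e in entries if e["proto"] == 47):
        if "UNREPLIED" in e["flags"]:
            findings.append("GRE %s->%s UNREPLIED: tunnel packets get no answer"
                            % (e["orig"]["src"], e["orig"]["dst"]))
        if e["reply"]["src"] != client_ip:
            findings.append("GRE reply tuple src is %s, not %s: no DNAT of protocol 47 "
                            "to the client" % (e["reply"]["src"], client_ip))
    return findings
```

On the gateway itself, `pptp_findings(parse_conntrack(open("/proc/net/ip_conntrack").read()), "192.168.2.2")` gives the same findings for the live table.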

ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.

SOLUTION

This solution is only available to members of Experts Exchange.
cajin (ASKER):

super funny!

While I read articles about iptables and VPN, I tried many commands, and finally I got through. I successfully connected to the VPN server. So I saved the iptables rules with the iptables-save command and then rebooted the computer, then used iptables-restore to apply the saved rules, and it doesn't work again!

My save file is like below:

# Generated by iptables-save v1.2.7a on Wed Sep 10 21:10:05 2003
*nat
:PREROUTING ACCEPT [990:64764]
:POSTROUTING ACCEPT [18:1137]
:OUTPUT ACCEPT [38:2414]
-A PREROUTING -i eth1 -p 47 -j DNAT --to-destination 192.168.2.2
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Sep 10 21:10:05 2003
# Generated by iptables-save v1.2.7a on Wed Sep 10 21:10:05 2003
*filter
:INPUT ACCEPT [11298:1943901]
:FORWARD ACCEPT [16500:8521721]
:OUTPUT ACCEPT [9668:1720757]
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -p 47 -j ACCEPT
COMMIT

really confusing!
cajin (ASKER):

After testing twice, the above saved rule-sets are working! It seems like it takes some time before they become effective.

Now I have another question. I have IP-phone software which can call from a PC to a normal telephone. In the past, my PC was connected to the Internet directly, so it worked well. Now, my PC is behind my Linux firewall; it can still connect to the other telephone, but I cannot hear anything. This software actually uses Microsoft NetMeeting for VoIP. I read some documents about NetMeeting; it uses only TCP and UDP, nothing special, and my iptables rules don't block any TCP/UDP data. I don't know why I cannot hear the voice.

I checked /proc/net/ip_conntrack, and there is no "UNREPLIED" data. It seems like everything is OK. Confusing again :-)
cajin (ASKER):

Thanks for all your help. I'd like to split the points to all people who answered me because nobody solved my problem completely and directly, but all people gave me some idea to study more.
cajin: could you please put your iptables config here? I'm having a lot of problems connecting (it keeps giving a "no answer" error).


thx
cajin (ASKER):

Goldwing, I did that for fun only. That Linux box is not in use any more, so I can't give you my original iptables config. But it was already posted here in my previous message.