Iptables VPN

Friends:

I have setup a Linux firewall using iptables. I am working on allowing VPN connections using Microsoft VPN client from outside my network to a Microsoft VPN server inside my network. The Microsoft VPN client initiating the connection is outside the firewall and the Microsoft VPN server is inside.

I am searching for the rule which will allows this connection through the iptables firewall.

Thanks in advance.
BinKillerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

SmudoCommented:
try this:

iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT

Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:

iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
BinKillerAuthor Commented:
Yes I'm doing NAT this is my NAT script so far:

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to REAL_IP
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I add yours, I suppose by FIREWALL IP you mean the REAL IP?:
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d <FIREWALL_IP> -j DNAT --to-destination 10.10.10.1:1723

iptables -A PREROUTING -t nat -p gre -d <FIREWALL_IP> -j D
NAT --to-destination 10.10.10.1

Well still not working.
SmudoCommented:
Yes, you're right, with "FIREWALL_IP"  I mean the real IP.

From my point of view this should work...Hmm, can you try to replace the "-d <REAL_IP" part in GRE rule with "-i eth1"? I know that there's no concept of ports in GRE protocol, maybe the IP settings differ from tcp as well...

I suggest you use a packet logger like Ethereal on the client PC and server and see what packets are flowing...As already mentioned, the first few packets should consist of port 1723 and afterwards, the communication uses GRE protocol 47.
CompTIA Network+

Prepare for the CompTIA Network+ exam by learning how to troubleshoot, configure, and manage both wired and wireless networks.

SmudoCommented:
A question besides, are you sure that your router can handle PPTP sessions? If yes, can you exclude the router as a possible problem? Did it ever work in the past? (before you installed the Linux firewall)
BinKillerAuthor Commented:
I try:
iptables -A PREROUTING -t nat -p gre -i eth1 -j DNAT --to-
destination 10.10.10.1

But still not working. I'm sure is the router, if I try to connect from one of my local computers to the VPN works fine
BinKillerAuthor Commented:
I install Ethereal on the client so far. The destination port is PPTP (1723).
BinKillerAuthor Commented:
I found the problem is my test computer. Tks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.