• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 29935
  • Last Modified:

Iptables VPN

Friends:

I have setup a Linux firewall using iptables. I am working on allowing VPN connections using Microsoft VPN client from outside my network to a Microsoft VPN server inside my network. The Microsoft VPN client initiating the connection is outside the firewall and the Microsoft VPN server is inside.

I am searching for the rule which will allows this connection through the iptables firewall.

Thanks in advance.
0
BinKiller
Asked:
BinKiller
  • 4
  • 3
1 Solution
 
SmudoCommented:
try this:

iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT

Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:

iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723
0
 
BinKillerAuthor Commented:
Yes I'm doing NAT this is my NAT script so far:

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to REAL_IP
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I add yours, I suppose by FIREWALL IP you mean the REAL IP?:
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d <FIREWALL_IP> -j DNAT --to-destination 10.10.10.1:1723

iptables -A PREROUTING -t nat -p gre -d <FIREWALL_IP> -j D
NAT --to-destination 10.10.10.1

Well still not working.
0
 
SmudoCommented:
Yes, you're right, with "FIREWALL_IP"  I mean the real IP.

From my point of view this should work...Hmm, can you try to replace the "-d <REAL_IP" part in GRE rule with "-i eth1"? I know that there's no concept of ports in GRE protocol, maybe the IP settings differ from tcp as well...

I suggest you use a packet logger like Ethereal on the client PC and server and see what packets are flowing...As already mentioned, the first few packets should consist of port 1723 and afterwards, the communication uses GRE protocol 47.
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
SmudoCommented:
A question besides, are you sure that your router can handle PPTP sessions? If yes, can you exclude the router as a possible problem? Did it ever work in the past? (before you installed the Linux firewall)
0
 
BinKillerAuthor Commented:
I try:
iptables -A PREROUTING -t nat -p gre -i eth1 -j DNAT --to-
destination 10.10.10.1

But still not working. I'm sure is the router, if I try to connect from one of my local computers to the VPN works fine
0
 
BinKillerAuthor Commented:
I install Ethereal on the client so far. The destination port is PPTP (1723).
0
 
BinKillerAuthor Commented:
I found the problem is my test computer. Tks
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now