Iptables VPN

Friends:

I have setup a Linux firewall using iptables. I am working on allowing VPN connections using Microsoft VPN client from outside my network to a Microsoft VPN server inside my network. The Microsoft VPN client initiating the connection is outside the firewall and the Microsoft VPN server is inside.

I am searching for the rule which will allows this connection through the iptables firewall.

Thanks in advance.
BinKillerAsked:
Who is Participating?
 
SmudoCommented:
try this:

iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT

Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:

iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723
0
 
BinKillerAuthor Commented:
Yes I'm doing NAT this is my NAT script so far:

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to REAL_IP
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I add yours, I suppose by FIREWALL IP you mean the REAL IP?:
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d <FIREWALL_IP> -j DNAT --to-destination 10.10.10.1:1723

iptables -A PREROUTING -t nat -p gre -d <FIREWALL_IP> -j D
NAT --to-destination 10.10.10.1

Well still not working.
0
 
SmudoCommented:
Yes, you're right, with "FIREWALL_IP"  I mean the real IP.

From my point of view this should work...Hmm, can you try to replace the "-d <REAL_IP" part in GRE rule with "-i eth1"? I know that there's no concept of ports in GRE protocol, maybe the IP settings differ from tcp as well...

I suggest you use a packet logger like Ethereal on the client PC and server and see what packets are flowing...As already mentioned, the first few packets should consist of port 1723 and afterwards, the communication uses GRE protocol 47.
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

 
SmudoCommented:
A question besides, are you sure that your router can handle PPTP sessions? If yes, can you exclude the router as a possible problem? Did it ever work in the past? (before you installed the Linux firewall)
0
 
BinKillerAuthor Commented:
I try:
iptables -A PREROUTING -t nat -p gre -i eth1 -j DNAT --to-
destination 10.10.10.1

But still not working. I'm sure is the router, if I try to connect from one of my local computers to the VPN works fine
0
 
BinKillerAuthor Commented:
I install Ethereal on the client so far. The destination port is PPTP (1723).
0
 
BinKillerAuthor Commented:
I found the problem is my test computer. Tks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.