Solved

Iptables VPN

Posted on 2003-11-11
7
29,820 Views
Last Modified: 2012-06-21
Friends:

I have setup a Linux firewall using iptables. I am working on allowing VPN connections using Microsoft VPN client from outside my network to a Microsoft VPN server inside my network. The Microsoft VPN client initiating the connection is outside the firewall and the Microsoft VPN server is inside.

I am searching for the rule which will allows this connection through the iptables firewall.

Thanks in advance.
0
Comment
Question by:BinKiller
  • 4
  • 3
7 Comments
 
LVL 1

Accepted Solution

by:
Smudo earned 250 total points
ID: 9723500
try this:

iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT

Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:

iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723
0
 

Author Comment

by:BinKiller
ID: 9724238
Yes I'm doing NAT this is my NAT script so far:

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to REAL_IP
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I add yours, I suppose by FIREWALL IP you mean the REAL IP?:
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d <FIREWALL_IP> -j DNAT --to-destination 10.10.10.1:1723

iptables -A PREROUTING -t nat -p gre -d <FIREWALL_IP> -j D
NAT --to-destination 10.10.10.1

Well still not working.
0
 
LVL 1

Expert Comment

by:Smudo
ID: 9726198
Yes, you're right, with "FIREWALL_IP"  I mean the real IP.

From my point of view this should work...Hmm, can you try to replace the "-d <REAL_IP" part in GRE rule with "-i eth1"? I know that there's no concept of ports in GRE protocol, maybe the IP settings differ from tcp as well...

I suggest you use a packet logger like Ethereal on the client PC and server and see what packets are flowing...As already mentioned, the first few packets should consist of port 1723 and afterwards, the communication uses GRE protocol 47.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 1

Expert Comment

by:Smudo
ID: 9726227
A question besides, are you sure that your router can handle PPTP sessions? If yes, can you exclude the router as a possible problem? Did it ever work in the past? (before you installed the Linux firewall)
0
 

Author Comment

by:BinKiller
ID: 9726499
I try:
iptables -A PREROUTING -t nat -p gre -i eth1 -j DNAT --to-
destination 10.10.10.1

But still not working. I'm sure is the router, if I try to connect from one of my local computers to the VPN works fine
0
 

Author Comment

by:BinKiller
ID: 9726676
I install Ethereal on the client so far. The destination port is PPTP (1723).
0
 

Author Comment

by:BinKiller
ID: 9733752
I found the problem is my test computer. Tks
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question