Solved

Iptables VPN

Posted on 2003-11-11
29,893 Views
Last Modified: 2012-06-21
Friends:

I have setup a Linux firewall using iptables. I am working on allowing VPN connections using Microsoft VPN client from outside my network to a Microsoft VPN server inside my network. The Microsoft VPN client initiating the connection is outside the firewall and the Microsoft VPN server is inside.

I am searching for the rule which will allow this connection through the iptables firewall.

Thanks in advance.
Question by:BinKiller
7 Comments
 
LVL 1

Accepted Solution

by:
Smudo earned 750 total points
ID: 9723500
try this:

iptables -A FORWARD -p gre -d IP_VPN_SERVER_INSIDE -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d IP_VPN_SERVER_INSIDE -j ACCEPT

Microsoft PPTP VPN uses TCP port 1723 (to establish the connection) plus GRE protocol (47) for data sending/receiving after the tunnel is up. If you're doing NAT on that firewall you can try this:

iptables -A PREROUTING -t nat -p gre -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d FIREWALL_IP -j DNAT --to-destination IP_VPN_SERVER_INSIDE:1723
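The rule set above, written out as a complete script. This is an added example, not code from the thread: it emits (or, with APPLY=1, applies) the PPTP pass-through rules for a NATing firewall, using 10.10.10.1 and eth1 from the thread, a constructed public address 203.0.113.10 as FIREWALL_IP, and the PPTP connection-tracking helper module names of a current Linux kernel (nf_conntrack_pptp / nf_nat_pptp), which is an assumption about the firewall host.

```shell
#!/bin/sh
# Added example (not from the original thread). Emits the iptables commands
# needed to pass Microsoft PPTP (TCP 1723 control channel + GRE, IP protocol 47)
# from the Internet to a VPN server behind a NATing Linux firewall.
# Arguments: $1 public firewall address, $2 internal VPN server, $3 WAN interface.
pptp_rules() {
  fw="$1"; srv="$2"; wan="$3"
  cat <<EOF
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
iptables -t raw -A PREROUTING -i $wan -p tcp --dport 1723 -d $fw -j CT --helper pptp
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -d $fw -j DNAT --to-destination $srv:1723
iptables -t nat -A PREROUTING -i $wan -p gre -d $fw -j DNAT --to-destination $srv
iptables -A FORWARD -i $wan -p tcp --dport 1723 -d $srv -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $wan -p gre -d $srv -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Why the FORWARD rules match on the *internal* address: DNAT in the nat
# PREROUTING chain rewrites the destination before the packet reaches the
# FORWARD chain, so FORWARD only ever sees $srv, never $fw (this is also why the
# thread's accepted answer writes them that way).
# Why the helper matters: GRE has no ports, so conntrack distinguishes PPTP data
# flows by the call ID negotiated on TCP 1723. The pptp helper reads that call ID
# from the control channel so the server's GRE replies are tracked as RELATED
# and translated back to the right client. Kernels since 4.7 no longer attach
# helpers automatically, hence the explicit "-j CT --helper pptp" in the raw table.
# Restricting "-i $wan" keeps these rules from being matched by LAN-originated
# traffic; add "-s <allowed client netblock>" on the 1723/GRE rules if the set of
# remote clients is known. PPTP's MS-CHAPv2 authentication is cryptographically
# weak, so treat this as connectivity, not confidentiality.

# Number of iptables commands in the generated set (used for a quick sanity check).
count_rules() { pptp_rules "$@" | grep -c '^iptables'; }

FIREWALL_IP="${FIREWALL_IP:-203.0.113.10}"   # constructed example public address
VPN_SERVER="${VPN_SERVER:-10.10.10.1}"       # internal VPN server from the thread
WAN_IF="${WAN_IF:-eth1}"                     # external interface from the thread

if [ "${APPLY:-0}" = "1" ]; then
  pptp_rules "$FIREWALL_IP" "$VPN_SERVER" "$WAN_IF" | sh -e   # apply (needs root)
else
  pptp_rules "$FIREWALL_IP" "$VPN_SERVER" "$WAN_IF"           # dry run: print only
fi
```

Run it without APPLY to review the rule set first; set FIREWALL_IP to the real public address before applying.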
 

Author Comment

by:BinKiller
ID: 9724238
Yes, I'm doing NAT. This is my NAT script so far:

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to REAL_IP
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I add yours (I suppose by FIREWALL_IP you mean the real IP?):
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d <FIREWALL_IP> -j DNAT --to-destination 10.10.10.1:1723

iptables -A PREROUTING -t nat -p gre -d <FIREWALL_IP> -j DNAT --to-destination 10.10.10.1

Well still not working.
 
LVL 1

Expert Comment

by:Smudo
ID: 9726198
Yes, you're right, with "FIREWALL_IP"  I mean the real IP.

From my point of view this should work... Hmm, can you try to replace the "-d <REAL_IP>" part in the GRE rule with "-i eth1"? I know that there's no concept of ports in the GRE protocol; maybe the IP settings differ from TCP as well...

I suggest you use a packet logger like Ethereal on the client PC and server and see what packets are flowing...As already mentioned, the first few packets should consist of port 1723 and afterwards, the communication uses GRE protocol 47.
 
LVL 1

Expert Comment

by:Smudo
ID: 9726227
A question besides, are you sure that your router can handle PPTP sessions? If yes, can you exclude the router as a possible problem? Did it ever work in the past? (before you installed the Linux firewall)
 

Author Comment

by:BinKiller
ID: 9726499
I try:
iptables -A PREROUTING -t nat -p gre -i eth1 -j DNAT --to-destination 10.10.10.1

But it's still not working. I'm sure it's the router; if I try to connect from one of my local computers to the VPN, it works fine.
 

Author Comment

by:BinKiller
ID: 9726676
I installed Ethereal on the client so far. The destination port is PPTP (1723).
 

Author Comment

by:BinKiller
ID: 9733752
I found the problem: it is my test computer. Thanks.