Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

I am currently running a Linux Firewall with NAT.  I can't get OUTGOING VPN traffic to work.  I am using IPTABLES for my incoming VPN traffic to an internal server, that works fine.  Can anyone help?

Posted on 2003-11-19
4
404 Views
Last Modified: 2010-03-18
I am currently running a Linux Firewall with NAT.  I can't get OUTGOING VPN traffic to work.  I am using IPTABLES for my incoming VPN traffic to an internal server, that works fine.  Can anyone help?  Here are the iptables commands for my forwarding to the internal VPN server.  This is for people outside the location to VPN into.  Our people also need to VPN to an external VPN server, not VPN server - VPN server.


iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1701 -j DNAT --to 192.168.1.2:1701
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1723 -j DNAT --to 192.168.1.2:1723
iptables -A PREROUTING -t nat -p gre -d 38.119.240.14 -j DNAT --to 192.168.1.2

Ken Hammond

0
Comment
Question by:kenham40
  • 2
4 Comments
 
LVL 24

Expert Comment

by:shivsa
ID: 9783979
check this post, u might get clear idea what is goin bad.
http://www.experts-exchange.com/Operating_Systems/Linux/Q_20700242.html
0
 
LVL 24

Expert Comment

by:shivsa
ID: 9784005
0
 

Author Comment

by:kenham40
ID: 9787945
Ok, I read through both of those but still have yet to see where someone had the problem I am having.  My linux server (firewall/router) has three nics.  eth0 is going to my cisco 2600 router which has a T1 line hooked in.  eth1 goes to our private network, gateway being 192.168.10.1.  eth2 goes to our subleases private network at 192.168.1.1.  The problem I am having is that say they are on 192.168.1.4 as an IP address (they are using DHCP), they can't get out using win2k's VPN PPTP client to a VPN server somewhere else. Yesterday I DID however setup a VPN server on 192.168.1.2, did some port forwarding and GRE and INCOMING VPN traffic to that server works wonderfully.  So my question is, how do I get their win2k VPN clients to be able to connect to an external VPN server?
0
 
LVL 4

Accepted Solution

by:
Jivko earned 500 total points
ID: 9824545
You need not only destination NAT :
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1701 -j DNAT --to 192.168.1.2:1701
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1723 -j DNAT --to 192.168.1.2:1723
iptables -A PREROUTING -t nat -p gre -d 38.119.240.14 -j DNAT --to 192.168.1.2

,
but source NAT:

iptables -t nat -A POSTROUTING -p udp -s 192.168.1.0/24 --dport 1701 -j SNAT --to-source 38.119.240.14:1701
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.0/24--dport 1723 -j SNAT --to-source 38.119.240.14:1723
iptables -A POSTROUTING -t nat -p gre -s 192.168.1.0/24 -j SNAT --to-source 38.119.240.14
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question