Solved

I am currently running a Linux Firewall with NAT.  I can't get OUTGOING VPN traffic to work.  I am using IPTABLES for my incoming VPN traffic to an internal server, that works fine.  Can anyone help?

Posted on 2003-11-19
4
399 Views
Last Modified: 2010-03-18
I am currently running a Linux Firewall with NAT.  I can't get OUTGOING VPN traffic to work.  I am using IPTABLES for my incoming VPN traffic to an internal server, that works fine.  Can anyone help?  Here are the iptables commands for my forwarding to the internal VPN server.  This is for people outside the location to VPN into.  Our people also need to VPN to an external VPN server, not VPN server - VPN server.


iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1701 -j DNAT --to 192.168.1.2:1701
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1723 -j DNAT --to 192.168.1.2:1723
iptables -A PREROUTING -t nat -p gre -d 38.119.240.14 -j DNAT --to 192.168.1.2

Ken Hammond

0
Comment
Question by:kenham40
  • 2
4 Comments
 
LVL 24

Expert Comment

by:shivsa
Comment Utility
check this post, u might get clear idea what is goin bad.
http://www.experts-exchange.com/Operating_Systems/Linux/Q_20700242.html
0
 
LVL 24

Expert Comment

by:shivsa
Comment Utility
0
 

Author Comment

by:kenham40
Comment Utility
Ok, I read through both of those but still have yet to see where someone had the problem I am having.  My linux server (firewall/router) has three nics.  eth0 is going to my cisco 2600 router which has a T1 line hooked in.  eth1 goes to our private network, gateway being 192.168.10.1.  eth2 goes to our subleases private network at 192.168.1.1.  The problem I am having is that say they are on 192.168.1.4 as an IP address (they are using DHCP), they can't get out using win2k's VPN PPTP client to a VPN server somewhere else. Yesterday I DID however setup a VPN server on 192.168.1.2, did some port forwarding and GRE and INCOMING VPN traffic to that server works wonderfully.  So my question is, how do I get their win2k VPN clients to be able to connect to an external VPN server?
0
 
LVL 4

Accepted Solution

by:
Jivko earned 500 total points
Comment Utility
You need not only destination NAT :
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1701 -j DNAT --to 192.168.1.2:1701
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1723 -j DNAT --to 192.168.1.2:1723
iptables -A PREROUTING -t nat -p gre -d 38.119.240.14 -j DNAT --to 192.168.1.2

,
but source NAT:

iptables -t nat -A POSTROUTING -p udp -s 192.168.1.0/24 --dport 1701 -j SNAT --to-source 38.119.240.14:1701
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.0/24--dport 1723 -j SNAT --to-source 38.119.240.14:1723
iptables -A POSTROUTING -t nat -p gre -s 192.168.1.0/24 -j SNAT --to-source 38.119.240.14
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now