I am currently running a Linux Firewall with NAT. I can't get OUTGOING VPN traffic to work. I am using IPTABLES for my incoming VPN traffic to an internal server, that works fine. Can anyone help?

I am currently running a Linux Firewall with NAT.  I can't get OUTGOING VPN traffic to work.  I am using IPTABLES for my incoming VPN traffic to an internal server, that works fine.  Can anyone help?  Here are the iptables commands for my forwarding to the internal VPN server.  This is for people outside the location to VPN into.  Our people also need to VPN to an external VPN server, not VPN server - VPN server.


iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1701 -j DNAT --to 192.168.1.2:1701
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1723 -j DNAT --to 192.168.1.2:1723
iptables -A PREROUTING -t nat -p gre -d 38.119.240.14 -j DNAT --to 192.168.1.2

Ken Hammond

kenham40Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

shivsaCommented:
check this post, u might get clear idea what is goin bad.
http://www.experts-exchange.com/Operating_Systems/Linux/Q_20700242.html
0
kenham40Author Commented:
Ok, I read through both of those but still have yet to see where someone had the problem I am having.  My linux server (firewall/router) has three nics.  eth0 is going to my cisco 2600 router which has a T1 line hooked in.  eth1 goes to our private network, gateway being 192.168.10.1.  eth2 goes to our subleases private network at 192.168.1.1.  The problem I am having is that say they are on 192.168.1.4 as an IP address (they are using DHCP), they can't get out using win2k's VPN PPTP client to a VPN server somewhere else. Yesterday I DID however setup a VPN server on 192.168.1.2, did some port forwarding and GRE and INCOMING VPN traffic to that server works wonderfully.  So my question is, how do I get their win2k VPN clients to be able to connect to an external VPN server?
0
JivkoCommented:
You need not only destination NAT :
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1701 -j DNAT --to 192.168.1.2:1701
iptables -t nat -A PREROUTING -p udp -d 38.119.240.14 --dport 1723 -j DNAT --to 192.168.1.2:1723
iptables -A PREROUTING -t nat -p gre -d 38.119.240.14 -j DNAT --to 192.168.1.2

,
but source NAT:

iptables -t nat -A POSTROUTING -p udp -s 192.168.1.0/24 --dport 1701 -j SNAT --to-source 38.119.240.14:1701
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.0/24--dport 1723 -j SNAT --to-source 38.119.240.14:1723
iptables -A POSTROUTING -t nat -p gre -s 192.168.1.0/24 -j SNAT --to-source 38.119.240.14
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.