PPTPD and Iptables mapping issue

Last Modified: 2013-11-16
Hi,

I'm trying to get a VPN system set up with poptop (http://www.poptop.org/). It's all configured and working fine using the box's main IP as the main IP for all the VPNs; however, we want to map each of the internal IPs to a unique external IP (or a couple of accounts per external IP). We want to do this via iptables and came up with the attached iptables script.

However, it doesn't seem to work: when it is run, the user can log in to the VPN but cannot get a connection to the outside world.

Attached is the script. I've partially obscured the external IP; the script itself doesn't contain xxx.xxx but the actual IP addresses.
#!/bin/sh

# Flush all rules
iptables -F
iptables -X
iptables -Z

# Allow all VPN stuff
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT

iptables -A FORWARD -i ppp0 -o eth0 -s 192.168.0.10/24 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.20.111 -j DNAT --to-destination=192.168.0.101
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source=xxx.xxx.20.111

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE


In case you didn't do this already, enable kernel forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward



Author

Commented:
Yeah, thanks, I've already set that.

It's set in the pptpd startup script.
Arty, system administrator
Top Expert 2007
Commented:
1) Remove this rule:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

2) If you want individual mapping, add as many rules as you want to map internal to external IPs, for example:
# map IP .100 to ext .20.100
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.0.100 -j SNAT --to-source=xxx.xxx.20.100
# map .101 to the same ext .20.100
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.0.101 -j SNAT --to-source=xxx.xxx.20.100
# map .102 to .20.101
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.0.102 -j SNAT --to-source=xxx.xxx.20.101
# map all others to .20.103
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.0.0/24 -j SNAT --to-source=xxx.xxx.20.103

