[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1015
  • Last Modified:

PPTPD and Iptables mapping issue


I'm trying to get a VPN system seup with poptop (http://www.poptop.org/). It's all configured and working fine using the boxes main IP as the main IP for all the VPNs, however we want to map each of the internal IPs to a unique (or a couple of accounts per) external IP. We want to do this via iptables and came up with the attached IP tables script.

However it doesn't seem to work, when run the user can login to the VPN but not get a line to the outside world.

Attached it the script. I've partialy obscured the external IP the script itself doesn't contain xxx.xxx but the actually ip addreses
# Flush all rules
iptables -F
iptables -X
iptables -Z
# Allow all VPN stuff
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -s -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d xxx.xxx.20.111 -j DNAT --to-destination=
iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to-source=xxx.xxx.20.111
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

Open in new window

2 Solutions
In case you didnt do this already,  enable kernel forwarding :

echo 1 > /proc/sys/net/ipv4/ip_forward

Phil_sotprodAuthor Commented:
Yeah thanks I've already set that.

it's set in the pptpd startup script
1) Remove this rule:
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

2) If you want individual mapping, add as many rules as you want to map int to ext IP for example:
# map IP .100 to ext .20.100
iptables -A POSTROUTING -t nat -o eth0 -s -j SNAT  --to-source=xxx.xxx.20.100
# map .101 to the same ext  20.100
iptables -A POSTROUTING -t nat -o eth0 -s -j SNAT --to-source=xxx.xxx.20.100
# map .102 to .20.101
iptables -A POSTROUTING -t nat -o eth0 -s -j SNAT  --to-source=xxx.xxx.20.101
# map all others to .20.103
iptables -A POSTROUTING -t nat -o eth0 -s -j SNAT  --to-source=xxx.xxx.20.103


Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now