Solved

Iptables router PPTP passthrough

Posted on 2009-06-28
4,528 Views
Last Modified: 2013-11-16
I have a Fedora box as my local firewall/router. It works except that I can't create a PPTP VPN connection from inside the firewall.
*nat
:PREROUTING ACCEPT [196:12281]
:POSTROUTING ACCEPT [8:496]
:OUTPUT ACCEPT [8:496]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.0.2.3
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.2.4
-A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
COMMIT
 
*mangle
:PREROUTING ACCEPT [3901:2059623]
:INPUT ACCEPT [255:44225]
:FORWARD ACCEPT [3646:2015398]
:OUTPUT ACCEPT [117:13070]
:POSTROUTING ACCEPT [3763:2028468]
COMMIT
 
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:STATEFUL - [0:0]
-A INPUT -i ALL -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j STATEFUL
-A FORWARD -d 10.0.2.3/32 -i eth0 -o eth2 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 10.0.2.4/32 -i eth0 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j STATEFUL
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -m state --state NEW -j ACCEPT
-A STATEFUL -j DROP
COMMIT

Question by:mrjd420
4 Comments
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 50 total points
ID: 24734090
As you can read in http://en.wikipedia.org/wiki/PPTP, PPTP uses two connections - a GRE protocol connection and TCP on port 1723. So you should allow those connections and you should be fine:

iptables -A FORWARD -p gre -s <your_VPN_destination_IP> -j ACCEPT
iptables -A FORWARD -p gre -d <your_VPN_destination_IP> -j ACCEPT

iptables -A FORWARD -p tcp --sport 1723 -s <your_VPN_destination_IP> -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d <your_VPN_destination_IP> -j ACCEPT

 
LVL 1

Author Comment

by:mrjd420
ID: 24739513
Not sure why I didn't mention trying that or something similar to it. However, I have tried and tried again those exact same steps and I had the same results. It starts to make a connection, gets to the "verifying username and password" stage, then disconnects with a 619 error.
 
LVL 8

Accepted Solution

by:stefanx
stefanx earned 200 total points
ID: 24739557
Make sure you have loaded the relevant connection tracking modules for pptp on startup as follows:

/sbin/modprobe nf_conntrack_proto_gre
/sbin/modprobe nf_nat_proto_gre
/sbin/modprobe nf_conntrack_pptp
/sbin/modprobe nf_nat_pptp

Assuming a 2.6 kernel ;)

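An added example, not code from anyone in this thread: a POSIX shell check that combines both answers, reporting which PPTP helper modules are not loaded and whether the FORWARD chain has explicit GRE and TCP/1723 rules. It assumes the 2.6 kernel module names stefanx lists and the rule shapes Blaz gives; the /proc/modules and iptables-save text it checks is constructed sample data, and the VPN server address is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: checks whether an iptables router
# has what PPTP passthrough needs. Module names follow stefanx's answer
# (2.6 kernel), rule shapes follow Blaz's answer. Sample inputs are constructed.

# Connection-tracking / NAT helpers that let GRE follow the TCP/1723 session.
PPTP_MODULES="nf_conntrack_proto_gre nf_nat_proto_gre nf_conntrack_pptp nf_nat_pptp"

# missing_pptp_modules MODULES_TEXT
# MODULES_TEXT is /proc/modules-style output; prints each absent helper, one per line.
missing_pptp_modules() {
    for m in $PPTP_MODULES; do
        printf '%s\n' "$1" | grep -q "^$m " || printf '%s\n' "$m"
    done
}

# forward_allows_pptp SAVE_TEXT
# SAVE_TEXT is iptables-save output; succeeds only if FORWARD has an explicit
# rule for protocol GRE and one for TCP port 1723 (either direction).
forward_allows_pptp() {
    printf '%s\n' "$1" | grep -q -e '^-A FORWARD .*-p gre ' &&
    printf '%s\n' "$1" | grep -q -e '^-A FORWARD .*-p tcp .*port 1723 '
}

# pptp_passthrough_ready MODULES_TEXT SAVE_TEXT
# Succeeds only when no helper is missing and the FORWARD rules are present.
pptp_passthrough_ready() {
    [ -z "$(missing_pptp_modules "$1")" ] && forward_allows_pptp "$2"
}

# Constructed sample: only two of the four helpers loaded (the NAT ones are absent).
SAMPLE_MODULES='nf_conntrack 61440 3 nf_conntrack_proto_gre,nf_conntrack_pptp, Live 0x0000
nf_conntrack_proto_gre 12288 1 nf_conntrack_pptp, Live 0x0000
nf_conntrack_pptp 16384 0 - Live 0x0000'

# Constructed sample: FORWARD rules in the shape Blaz suggested (placeholder VPN server IP).
SAMPLE_RULES_OK='*filter
-A FORWARD -s 203.0.113.10/32 -p gre -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p gre -j ACCEPT
-A FORWARD -d 203.0.113.10/32 -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT'

# Live use on the router: sh pptp_check.sh --live
if [ "${1:-}" = "--live" ]; then
    missing_pptp_modules "$(cat /proc/modules)" | sed 's|^|run: /sbin/modprobe |'
    forward_allows_pptp "$(iptables-save)" && echo "FORWARD allows GRE and TCP/1723" \
        || echo "FORWARD lacks explicit GRE/1723 rules"
fi
```

On the sample data the check names nf_nat_proto_gre and nf_nat_pptp as missing, which matches what the author found when the connection died at the 619 stage.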
 
LVL 1

Author Comment

by:mrjd420
ID: 24739789
Those modules were not enabled. Turning them on got it working. Thanks for your help. I am going to share the points since the first suggestion was correct, but not the solution to my problem because I communicated the problem poorly. Thanks again for the help!
