Iptables router PPTP passthrough

I have a fedora box as my local firewall/router.  It works except that I can't create a  pptp vpn conection from inside the firewall.  
*nat
:PREROUTING ACCEPT [196:12281]
:POSTROUTING ACCEPT [8:496]
:OUTPUT ACCEPT [8:496]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.0.2.3
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.2.4
-A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
COMMIT
 
*mangle
:PREROUTING ACCEPT [3901:2059623]
:INPUT ACCEPT [255:44225]
:FORWARD ACCEPT [3646:2015398]
:OUTPUT ACCEPT [117:13070]
:POSTROUTING ACCEPT [3763:2028468]
COMMIT
 
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:STATEFUL - [0:0]
-A INPUT -i ALL -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j STATEFUL
-A FORWARD -d 10.0.2.3/32 -i eth0 -o eth2 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 10.0.2.4/32 -i eth0 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j STATEFUL
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -m state --state NEW -j ACCEPT
-A STATEFUL -j DROP
COMMIT

Open in new window

LVL 1
mrjd420Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BlazCommented:
As you can read in http://en.wikipedia.org/wiki/PPTP PPTP uses two connections - a GRE protocol connection and TCP on port 1723. So you sould allow those connections and you should be fine:

iptables -A FORWARD -p gre -s <your_VPN_destination_IP> -j ACCEPT
iptables -A FORWARD -p gre -d <your_VPN_destination_IP> -j ACCEPT

iptables -A FORWARD -p tcp --sport 1723 -s <your_VPN_destination_IP> -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d <your_VPN_destination_IP> -j ACCEPT



0
mrjd420Author Commented:
Not sure why I didn't mention trying that or something similar to it.  However, I have tried and tried again those exact same steps and I had the same results.  It starts to make a connection, gets to the "verifying username and password" then disconnects with a 619 error.
0
stefanxCommented:
Make sure you have loaded the relevant connection tracking modules for pptp on startup as follows:

/sbin/modprobe nf_conntrack_proto_gre
/sbin/modprobe nf_nat_proto_gre
/sbin/modprobe nf_conntrack_pptp
/sbin/modprobe nf_nat_pptp

Assuming a 2.6 kernel ;)

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mrjd420Author Commented:
Those modules were not enabled.  Turning them on got it working.  Thanks for your help.  I am going to share the points since the first suggestion was correct, but not the solution to my problem because I communited the problem poorly.  Thanks again for the help!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.