From: Raymond Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: VPN Server behind a iptables FW (PPTP)
Date: 12 Mar 2003 17:25:49 +0200	[thread overview]
Message-ID: <1047482749.11446.57.camel@raylinux.internal> (raw)
In-Reply-To: <DBF92B7FA3E6C94A99B4AE5938A62B7E4023BC@excw2k01.bhlan.bhuman.it>

On Wed, 2003-03-12 at 17:06, Cassani Alexio wrote:
> Hi all,
> I've set up a linux box with iptables 1.2.7a + pptp patch.
> Then I've configured a VPN server win2k-based and if I try to connect to
> it using a client of my LAN I have no problem, obviously the problems
> are present when the vpn client is outside my network.
> The architecture is here reported:
> 
>  VPN	     IPTables			 VPN
> Server ---  Server --- Internet --- Client
> 
> VPN Server Internal IP:192.168.0.1
> VPN Server public IP (hosted by the firewall) is a global address.
> So IPTables server performs NAT.
How are you doing NAT? Does the public IP get bound to an interface on
the iptables server, e.g. eth0:1?

I had to add INPUT rules like this:
# PPTP control channel (TCP/1723) arriving on the Internet interface
$IPTABLES -A INPUT -i $IFACE_INET -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# GRE (IP protocol 47) data channel addressed to the public VPN address
$IPTABLES -A INPUT -i $IFACE_INET -p 47 -d $IP_INET_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> 
> Actions performed:
> 
> - from VPN client (a win2k box) I can telnet my vpn server at the 1723
> port
> - from VPN client I've configured a VPN connection to my VPN server and
> the connection stops with the following error "721 remote computer is
> not responding" after hanging for a few seconds on the window "Verifying
> Username and Password"
> 
> My opinion is that GRE packet are not routed by the linux box, so
> authentication fails.
We are using standard pptp for the tunnel ...

> 
> The iptables script used to set up the fw includes the following lines
> regarding GRE protocol:
> 
> $IPTABLES -t nat -A PREROUTING -p GRE -i $INET_IFACE -j DNAT --to-destination $LAN_VPNSERVER_IP
> $IPTABLES -A FORWARD -p 47 -i $INET_IFACE -o $LAN_IFACE -d $LAN_VPNSERVER_IP -j allowed
> $IPTABLES -A FORWARD -p 47 -s 0/0 -d $LAN_VPNSERVER_IP -j ACCEPT
> 
My PREROUTING and FORWARD rules:

# DNAT the PPTP control channel and the GRE data channel from the public
# VPN address to the internal VPN server
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp --dport 1723 -d $IP_INET_WEB8 -j DNAT --to $IP_INT_WEB8
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p 47 -d $IP_INET_WEB8 -j DNAT --to $IP_INT_WEB8

# Replies from the VPN server (TCP/1723 and GRE) back towards the Internet
$IPTABLES -A FORWARD -i $IFACE_INT -p tcp --sport 1723 --dport 1024: -s $IP_INT_WEB8 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INT -p 47 -s $IP_INT_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Inbound control and data channels towards the (DNATed) internal address
$IPTABLES -A FORWARD -i $IFACE_INET -p tcp --dport 1723 -d $IP_INT_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p 47 -d $IP_INT_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

then there's also POSTROUTING from the VPN server:

# Source-NAT the control channel replies so they leave with the public VPN address
$IPTABLES -t nat -A POSTROUTING -o $IFACE_INET -p tcp --sport 1723 -s $IP_INT_WEB8 -d ! $NET_INT -j SNAT --to $IP_INET_WEB8

And that works for me ...


> The ones regarding PPTP are (restricted to the vpn client's ip):
> 
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -s $VPNCLIENT_IP -d
> $VPNSERVER_IP --dport 1723 \
> -j DNAT --to-destination $LAN_VPNSERVER_IP:1723
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d
> $LAN_VPNSERVER_IP \
> --dport 1723 -j allowed
> $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $LAN_IFACE -d
> $LAN_VPNSERVER_IP \
> -j icmp_packets
> 
> Any suggestions?
> TIA
> Alexio
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
(  http://www.mapnet.co.za/            )
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/

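The thread's diagnosis (error 721 after "Verifying Username and Password") is the classic symptom of the TCP/1723 control channel getting through while the GRE data channel does not. GRE (IP protocol 47) has no port numbers, so a stateful firewall cannot tie it to the control connection by itself; that is what the PPTP conntrack helper ("iptables 1.2.7a + pptp patch") does, by learning the call IDs exchanged over TCP/1723 and admitting only GRE whose key field carries one of them. The following is an added example, not code from either message: a toy decoder for RFC 2637 enhanced GRE and for the two PPTP control messages that carry call IDs, plus a tracker that reproduces the helper's decision. All packets are constructed in the block (the client address 203.0.113.10 is an RFC 5737 test address, 192.168.0.1 is the server address from the thread); nothing is captured traffic.

```python
"""Tie PPTP's GRE data channel (IP protocol 47) to its TCP/1723 control channel.
Added example, not code from the thread: GRE has no ports, so plain rules can only
admit "all of protocol 47"; the PPTP conntrack helper (the thread's "pptp patch")
learns call IDs from the control connection and admits only matching GRE."""
import struct
from dataclasses import dataclass, field

PPTP_MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8                  # Outgoing-Call-Request / Outgoing-Call-Reply
GRE_PROTO_PPP = 0x880B
IPPROTO_GRE = 47


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4          # header checksum is not verified here
    return {"proto": pkt[9], "src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])), "payload": pkt[ihl:]}


def parse_pptp_gre(payload: bytes) -> dict:
    """RFC 2637 enhanced GRE: version 1, K=1, proto 0x880B, key = length + call ID."""
    if len(payload) < 8:
        raise ValueError("short GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", payload[:8])
    if (flags & 0x0007) != 1 or not (flags & 0x2000) or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP GRE")
    off, seq, ack = 8, None, None
    if flags & 0x1000:                 # S bit: sequence number present
        seq, off = struct.unpack("!I", payload[8:12])[0], 12
    if flags & 0x0080:                 # A bit: acknowledgment number present
        ack, off = struct.unpack("!I", payload[off:off + 4])[0], off + 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload[off:off + length]}


def parse_pptp_control(data: bytes) -> dict:
    """12-byte PPTP control header plus the call-ID fields of OCRQ / OCRP."""
    length, msg_type, magic, ctrl_type = struct.unpack("!HHIH", data[:10])  # struct.error if short
    if msg_type != 1 or magic != PPTP_MAGIC or length != len(data):
        raise ValueError("not a PPTP control message")
    msg = {"type": ctrl_type}
    if ctrl_type == OCRQ:
        msg["call_id"] = struct.unpack("!H", data[12:14])[0]
    elif ctrl_type == OCRP:
        msg["call_id"], msg["peer_call_id"] = struct.unpack("!HH", data[12:16])
    return msg


@dataclass
class PptpTracker:
    client: str
    server: str
    client_calls: set = field(default_factory=set)   # call IDs chosen by the client
    server_calls: set = field(default_factory=set)   # call IDs chosen by the server

    def observe_control(self, src: str, data: bytes) -> dict:
        m = parse_pptp_control(data)
        if m["type"] == OCRQ and src == self.client:
            self.client_calls.add(m["call_id"])
        elif m["type"] == OCRP and src == self.server and m["peer_call_id"] in self.client_calls:
            self.server_calls.add(m["call_id"])
        return m

    def gre_allowed(self, pkt: bytes) -> bool:
        ip = parse_ipv4(pkt)
        if ip["proto"] != IPPROTO_GRE:
            return False
        call_id = parse_pptp_gre(ip["payload"])["call_id"]
        # RFC 2637: the GRE key carries the *peer's* call ID for the session.
        expected = {(self.client, self.server): self.server_calls,
                    (self.server, self.client): self.client_calls}
        return call_id in expected.get((ip["src"], ip["dst"]), set())


# --- constructed sample traffic (not captured data) --------------------------
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload               # checksum left zero: illustration only


def build_pptp_gre(call_id: int, ppp: bytes, seq=None, ack=None) -> bytes:
    flags = 0x2001 | (0x1000 if seq is not None else 0) | (0x0080 if ack is not None else 0)
    tail = b"".join(struct.pack("!I", v) for v in (seq, ack) if v is not None)
    return struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp), call_id) + tail + ppp


def build_ocrq(call_id: int) -> bytes:
    body = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0) + bytes(128)
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, OCRQ, 0) + body


def build_ocrp(call_id: int, peer_call_id: int) -> bytes:
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 100_000_000, 64, 0, 0)
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, OCRP, 0) + body


def demo() -> tuple:
    client, server = "203.0.113.10", "192.168.0.1"      # constructed: RFC 5737 client, thread's server
    t = PptpTracker(client, server)
    t.observe_control(client, build_ocrq(0x0001))          # client picks call ID 1
    t.observe_control(server, build_ocrp(0x1234, 0x0001))  # server answers with 0x1234
    lcp = b"\xff\x03\xc0\x21"                              # PPP header + LCP, constructed
    to_server = build_ipv4(client, server, IPPROTO_GRE, build_pptp_gre(0x1234, lcp, seq=1))
    to_client = build_ipv4(server, client, IPPROTO_GRE, build_pptp_gre(0x0001, lcp, seq=1, ack=1))
    stray = build_ipv4(client, server, IPPROTO_GRE, build_pptp_gre(0x9999, lcp, seq=1))
    return t.gre_allowed(to_server), t.gre_allowed(to_client), t.gre_allowed(stray)
```

`demo()` returns `(True, True, False)`: both directions of the negotiated call pass, a GRE packet with an unknown call ID is dropped. The `-p 47 ... -d $VPNSERVER` rules in the thread are the coarse alternative to this: they admit every GRE packet to the server and leave call-ID matching to the server itself, which is acceptable when the rule is pinned to a single destination host but is why the `--state` match on protocol 47 does nothing useful without the helper. The real helper also rewrites call IDs when two NATed clients pick the same one; that is not modelled here.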

Thread overview: 3+ messages
2003-03-12 15:06 VPN Server behind a iptables FW (PPTP) Cassani Alexio
2003-03-12 15:25 ` Raymond Leach [this message]
  -- strict thread matches above, loose matches on Subject: below --
2003-03-13 12:01 Cassani Alexio
