how to connect to VPN server using IPTABLES nat

how to connect to VPN server using IPTABLES nat

[Buddy wu]

   I DON'T mean there is a VPN serving making from linux.
   The fact is that:
   I set up a VPN server using windows server(IP:192.168.1.1) and it
is behind a Linux server which is using iptables for nat
   iptables -A PREROUTING -d 218.0.0.0 -j DNAT --to 192.168.1.1

   but I can't establish the VPN connection from out(etc IP address is
218.10.0.1, I have tested that I can connect to other service such as
web(port 80). How can I establish the VPN connection ? Is there need
some setting in IPTABLES?

Re: how to connect to VPN server using IPTABLES nat

[Rob Sterenborg]

On Thu, March 2, 2006 11:46, Buddy wu wrote:
>    I DON'T mean there is a VPN serving making from linux.
>    The fact is that:
>    I set up a VPN server using windows server(IP:192.168.1.1) and it
> is behind a Linux server which is using iptables for nat
>    iptables -A PREROUTING -d 218.0.0.0 -j DNAT --to 192.168.1.1
>
>    but I can't establish the VPN connection from out(etc IP address is
> 218.10.0.1, I have tested that I can connect to other service such as
> web(port 80). How can I establish the VPN connection ? Is there need
> some setting in IPTABLES?

If it's Windows then I suspect it's a PPTP server.
For this to work you have to forward both 1723/tcp and the gre (47) protocol.
Also, you need the pptp conntrack/nat modules for which you may have to
recompile the kernel and iptables.


Gr,
Rob

Re: how to connect to VPN server using IPTABLES nat

[Buddy wu]

I'm puzzled with the IPTABLES
when I set the default Policy of INPUT and FORWARD chains, I can
established the vpn connection. But When I use the below command ,the
vpn connection can't be established
iptables -A INPUT -d 218.0.0.0 -j ACCEPT
iptables -A FORWARD -d 218.0.0.0 -j ACCEPT
WHY? what other rules should be added?


2006/3/2, Rob Sterenborg <rob@sterenborg.info>:
>
> On Thu, March 2, 2006 11:46, Buddy wu wrote:
> >    I DON'T mean there is a VPN serving making from linux.
> >    The fact is that:
> >    I set up a VPN server using windows server(IP:192.168.1.1) and it
> > is behind a Linux server which is using iptables for nat
> >    iptables -A PREROUTING -d 218.0.0.0 -j DNAT --to 192.168.1.1
> >
> >    but I can't establish the VPN connection from out(etc IP address is
> > 218.10.0.1, I have tested that I can connect to other service such as
> > web(port 80). How can I establish the VPN connection ? Is there need
> > some setting in IPTABLES?
>
> If it's Windows then I suspect it's a PPTP server.
> For this to work you have to forward both 1723/tcp and the gre (47) protocol.
> Also, you need the pptp conntrack/nat modules for which you may have to
> recompile the kernel and iptables.
>
>
> Gr,
> Rob
>
>
>
>

RE: how to connect to VPN server using IPTABLES nat

[Rob Sterenborg]

> I'm puzzled with the IPTABLES
> when I set the default Policy of INPUT and FORWARD chains, I can
> established the vpn connection. But When I use the below command ,the

Of *both* INPUT and FORWARD ?
Packets typically travel only one chain and this traffic would only go
through the FORWARD chain.

> vpn connection can't be established
> iptables -A INPUT -d 218.0.0.0 -j ACCEPT

So, this isn't going to help you.

> iptables -A FORWARD -d 218.0.0.0 -j ACCEPT
> WHY? what other rules should be added?

Does this rule have packetcount (iptables -nvL FORWARD) ? Because, erm..
From below I gues that your pptp server isn't on the 218.0.0.0 subnet
but on 192.168.1.1.
(iptables -A FORWARD -d 192.168.1.1 -j ACCEPT)

Your rules are a secrect to me ; if this doesn't work then maybe there's
something else blocking pptp already before it would be accepted by this
rule. Perhaps you need some logging rules to see if that is the case.

Perhaps this may be of help :
http://martybugs.net/smoothwall/vpn.cgi


Gr,
Rob

> 2006/3/2, Rob Sterenborg <rob@sterenborg.info>:
>> 
>> On Thu, March 2, 2006 11:46, Buddy wu wrote:
>>>    I DON'T mean there is a VPN serving making from linux.    The
>>>    fact is that: I set up a VPN server using windows
>>> server(IP:192.168.1.1) and it is behind a Linux server which is
>>>    using iptables for nat iptables -A PREROUTING -d 218.0.0.0 -j
>>> DNAT --to 192.168.1.1 
>>> 
>>>    but I can't establish the VPN connection from out(etc IP address
>>> is 218.10.0.1, I have tested that I can connect to other service
>>> such as web(port 80). How can I establish the VPN connection ? Is
>>> there need some setting in IPTABLES?
>> 
>> If it's Windows then I suspect it's a PPTP server.
>> For this to work you have to forward both 1723/tcp and the gre (47)
>> protocol. Also, you need the pptp conntrack/nat modules for which
>> you may have to recompile the kernel and iptables.
>> 
>> 
>> Gr,
>> Rob