* ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: rajeev.sekhar @ 2007-06-16 11:02 UTC
To: netfilter

Hi list,

Right now my PPTP VPN server is outside the firewall, consuming 2 static
IP addresses.

I want to place my PPTP VPN server behind the firewall.

I followed the good docs at http://tldp.org/HOWTO/VPN-Masquerade-HOWTO-5.html,
but still can't understand some words in it.

I DNATed 1723 and 500 (which is used for control channels on PPTP) to my
VPN server behind my firewall.

The encrypted data channel in PPTP is carried over GRE, IP protocol 47. Now
how can I allow IP protocol 47 from outside? Is this possible? (This is pretty
new for me.)

They say to "masquerade ALL protocol traffic". What do they mean by
this?

I am pasting my firewall rules.

##################################
# Default policy is to drop on
# INPUT And FORWARD and allow
# every thing On OUTPUT chain
##################################
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
#### SNATing VPN server to go out #########################
iptables -A FORWARD -d 192.168.1.34 -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.1.34 -j SNAT --to-source 203.129.224.181
#### DNATing 1723 and 500 port for VPN server ##############
iptables -A PREROUTING -t nat -p tcp --dport 1723 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:1723
iptables -A PREROUTING -t nat -p udp --dport 500 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:500
echo "1" > /proc/sys/net/ipv4/ip_forward

Optionally I tried masquerading too, but it didn't work.
The rule I tried is
#### MASQUERADE rule on server
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

I tried to NAT port 41 so that protocol 41 will work (but as expected it
didn't work).
#### DNATing 41 port
iptables -t nat -A PREROUTING -i eth1 -p 41 -j DNAT --to 192.168.1.34
iptables -t filter -A FORWARD -i eth1 -p 41 -d 192.168.1.34 -j ACCEPT

Is it possible to put a VPN server behind a firewall?
Has anybody done this before?

Regards
---------------------------------------------
Rajeev Sekhar
Suma Soft Pvt. Ltd
Jr System Administrator
Ph no :91-020-25425655
cell no :91-9370677989
email:rajeev.sekhar@sumasoft.net
----------------------------------------------
Confidentiality Note: This e-mail message and any attachments to it are
intended only for the named recipients and may contain legally privileged
and/or confidential information. If you are not one of the intended
recipients, please notify the sender and do not duplicate or forward this
e-mail message and immediately delete it from your computer.
----------------------------------------------

* Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: Gáspár Lajos @ 2007-06-16 11:24 UTC
To: rajeev.sekhar; +Cc: netfilter

rajeev.sekhar wrote:
> Hi list,
>
> Right now my PPTP VPN server is outside the firewall, consuming 2
> static IP addresses.
>
> I want to place my PPTP VPN server behind the firewall.
>
> I followed the good docs at
> http://tldp.org/HOWTO/VPN-Masquerade-HOWTO-5.html, but still can't
> understand some words in it.
>
> I DNATed 1723 and 500 (which is used for control channels on PPTP) to
> my VPN server behind my firewall.
> The encrypted data channel in PPTP is carried over GRE, IP protocol
> 47. Now how can I allow IP protocol 47 from outside? Is this possible?
> (This is pretty new for me.)

iptables -p 47 ....
or
iptables -p gre

See /etc/protocols.

> They say to "masquerade ALL protocol traffic". What do they
> mean by this?
> I am pasting my firewall rules.
>
> Is it possible to put a VPN server behind a firewall?

Maybe... :D

> Has anybody done this before?

I never did :D

Swifty

* Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: Pascal Hambourg @ 2007-06-16 12:29 UTC
To: netfilter

Hello,

rajeev.sekhar wrote:
>
> Right now my PPTP VPN server is outside the firewall, consuming 2 static
> IP addresses.
>
> I want to place my PPTP VPN server behind the firewall.
>
> I followed the good docs at
> http://tldp.org/HOWTO/VPN-Masquerade-HOWTO-5.html, but still can't
> understand some words in it.

This document is largely outdated regarding the filtering/NAT rules, as it
mentions only the old ipfwadm/ipchains for 2.0 and 2.2 kernels.

> I DNATed 1723 and 500 (which is used for control channels on PPTP) to
> my VPN server behind my firewall.

UDP 500 is used by IPSec. I have never seen it used by PPTP.

> The encrypted data channel in PPTP is carried over GRE, IP protocol 47.
> Now how can I allow IP protocol 47 from outside? Is this possible?
> (This is pretty new for me.)

-p 47

> I am pasting my firewall rules.
[...]
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

IMO, you'd better filter by interface (or by interface AND address) rather
than only by address. Filtering only on the source address won't protect
from IP spoofing. Also, allowing only 127.0.0.1 may block loopback
communications using other addresses in the 127.0.0.0/8 range.

> iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

Not needed, as the OUTPUT policy is ACCEPT.

> iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Why only TCP? What about other protocols? Doing so may break
communications, e.g. blocking incoming UDP DNS replies, ICMP error messages,
or GRE return traffic.

> iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
> #### SNATing VPN server to go out #########################
> iptables -A FORWARD -d 192.168.1.34 -j ACCEPT
> iptables -A POSTROUTING -t nat -s 192.168.1.34 -j SNAT --to-source 203.129.224.181

Same as above, better use the input and/or output interface.

> #### DNATing 1723 and 500 port for VPN server ##############
> iptables -A PREROUTING -t nat -p tcp --dport 1723 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:1723
> iptables -A PREROUTING -t nat -p udp --dport 500 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:500

See the above comment about UDP 500 not being used by PPTP.

> I tried to NAT port 41 so that protocol 41 will work (but as expected
> it didn't work).

*Protocol*, not port. Protocol 41 is used for encapsulating IPv6 over IPv4.
GRE is protocol *47*.

> #### DNATing 41 port
> iptables -t nat -A PREROUTING -i eth1 -p 41 -j DNAT --to 192.168.1.34
> iptables -t filter -A FORWARD -i eth1 -p 41 -d 192.168.1.34 -j ACCEPT

"-p 47" should work better. You should also accept GRE traffic from the
server to the outside.

> Is it possible to put a VPN server behind a firewall?
> Has anybody done this before?

I did. It worked fine.

Note: AFAIK the Netfilter conntrack+NAT PPTP helper modules
(ip_conntrack_pptp+ip_nat_pptp, or nf_conntrack_pptp+nf_nat_pptp on some
recent 2.6 kernels) are not required for a masqueraded server.

You may try the following rather simple ruleset (assuming eth0 is the
internal interface and eth1 the external interface) with the same default
policies:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# accept established and related traffic
# put these rules first as they will catch most traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept incoming loopback and internal traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

# DNAT and accept external new PPTP traffic to the server
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
  -p tcp --dport 1723 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -m state --state NEW \
  -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
  -p 47 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -p 47 -j ACCEPT

# accept and SNAT/masquerade new internal traffic to the outside
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW \
  -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
  -j SNAT --to 203.129.224.181

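The review comments in the message above can be checked mechanically. The following is an added example, not code from the thread or from the netfilter project: an offline lint (function names and finding codes are made up here) that reads iptables command lines and reports the mistakes pointed out in the review, run over rules quoted in this thread.

```shell
#!/bin/sh
# Added example: static lint for the rule mistakes discussed in the review.
# Function names and finding codes are hypothetical, not an iptables feature.

lint_pptp_rules() {   # reads iptables command lines on stdin, prints findings
    awk '
    /\\$/ { sub(/[ \t]*\\$/, " "); buf = buf $0; next }  # join backslash continuations
    { $0 = buf $0; buf = "" }
    $1 != "iptables" { next }
    {
        split("", o)                                     # reset option map
        for (i = 2; i < NF; i++) if ($i ~ /^-/) o[$i] = $(i + 1)
        chain = o["-A"]; proto = o["-p"]; target = o["-j"]
        if (target == "DNAT" && proto == "tcp" && o["--dport"] == "1723") pptp = 1
        if (target == "DNAT" && (proto == "47" || proto == "gre")) gre = 1
        if (proto == "tcp" && o["--state"] ~ /ESTABLISHED/)
            print "STATE_TCP_ONLY (GRE/UDP/ICMP replies not matched): " $0
        if (proto == "41")
            print "PROTO_41 (IPv6-in-IPv4; GRE is 47): " $0
        if (target == "DNAT" && proto == "udp" && o["--dport"] == "500")
            print "UDP_500 (used by IPsec, not PPTP): " $0
        if (target == "ACCEPT" && (chain == "INPUT" || chain == "FORWARD") &&
            (("-s" in o) || ("-d" in o)) && !("-i" in o) && !("-o" in o))
            print "ADDRESS_ONLY (no interface match, spoofable): " $0
    }
    END { if (pptp && !gre) print "NO_GRE_DNAT: tcp/1723 is DNATed but protocol 47 is not" }
    '
}

poster_rules() {      # sample input: rules from the first message, wraps joined
    cat <<'EOF'
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.34 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 1723 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:1723
iptables -A PREROUTING -t nat -p udp --dport 500 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:500
iptables -t nat -A PREROUTING -i eth1 -p 41 -j DNAT --to 192.168.1.34
iptables -t filter -A FORWARD -i eth1 -p 41 -d 192.168.1.34 -j ACCEPT
EOF
}

reviewed_rules() {    # sample input: abridged from the ruleset proposed in the review
    cat <<'EOF'
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
  -p tcp --dport 1723 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -m state --state NEW \
  -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
  -p 47 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -p 47 -j ACCEPT
EOF
}

echo "--- rules from the first message:"; poster_rules | lint_pptp_rules
echo "--- rules proposed in the review:"; reviewed_rules | lint_pptp_rules
```

The lint only inspects the text of the commands, so it can be run on a saved script before anything is loaded into the kernel.
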
* Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: rajeev.sekhar @ 2007-06-16 13:38 UTC
To: Pascal Hambourg, netfilter

Thanks Pascal Hambourg,

That's a lot of tips apart from NATing the VPN server.
I am new to iptables, and was not sure about the security-related problems
with the rules I used.
I will try all the things and let you know.

It's nice when you are tired of googling & trying some combinations, & then
someone helps you move forward.

Thanks again.........:)

Regards
Rajeev Sekhar

* RE: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: Neil Aggarwal @ 2007-06-16 13:27 UTC
To: netfilter

Rajiv:

> Is it possible to put a VPN server behind a firewall?
> Has anybody done this before?

I tried it. I was able to get things working for the
most part, but had intermittent problems.

I eventually moved my VPN server outside the firewall.

I hope this reference point helps.

Neil

--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
FREE! Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details.

* Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: Marcos Granero Vaz - Informatica/MTZ @ 2007-06-16 15:12 UTC
To: Neil Aggarwal; +Cc: netfilter

I had this kind of problem too, and I figured out that only one GRE
protocol VPN connection works at a time. I think this problem is in the
kernel or in iptables conntrack (maybe the way they control the flow),
but there is a way: you have to use a PPTP proxy. I use pptpproxy from
http://www.mgix.com/pptpproxy/ and it works fine! Now I have 6 GRE VPN
connections simultaneously.

Regards

Neil Aggarwal wrote:
> Rajiv:
>
>> Is it possible to put a VPN server behind a firewall?
>> Has anybody done this before?
>
> I tried it. I was able to get things working for the
> most part, but had intermittent problems.
>
> I eventually moved my VPN server outside the firewall.
>
> I hope this reference point helps.
>
> Neil

* Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: rajeev.sekhar @ 2007-06-19 13:43 UTC
To: Marcos Granero Vaz - Informatica/MTZ, Neil Aggarwal; +Cc: netfilter

----- Original Message -----
From: "Marcos Granero Vaz - Informatica/MTZ" <MarcosGranero@granero.com.br>
To: "Neil Aggarwal" <neil@JAMMConsulting.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Saturday, June 16, 2007 8:42 PM
Subject: Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.

> I had this kind of problem too, and I figured out that only one GRE
> protocol VPN connection works at a time. I think this problem is in the

Hi Neil,

It seems I am also facing the same problem.

I configured the VPN behind the firewall, with the rules given by Pascal
Hambourg.

But when I connect more than one client, the old client connection gets
terminated.

My rules are:

#### SNATing 192.168.1.33
iptables -A FORWARD -s 192.168.1.33 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.33 -j SNAT --to-source 203.129.224.180
#### DNATing 192.168.1.33 on port 1723 and protocol 47
iptables -A FORWARD -d 192.168.1.33 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 203.129.224.180 --dport 1723 -j DNAT --to-destination 192.168.1.33:1723
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.180 -p 47 -j DNAT --to 192.168.1.33
iptables -A FORWARD -i eth1 -d 192.168.1.33 -p 47 -j ACCEPT

Is anyone facing the same problem, or do I have to go for pptpproxy?

> kernel or in iptables conntrack (maybe the way they control the flow),
> but there is a way: you have to use a PPTP proxy. I use pptpproxy from
> http://www.mgix.com/pptpproxy/ and it works fine! Now I have 6 GRE VPN
> connections simultaneously.
>
> Regards

* Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: Pascal Hambourg @ 2007-06-19 23:12 UTC
To: netfilter

rajeev.sekhar wrote:
>
> I configured the VPN behind the firewall, with the rules given by Pascal
> Hambourg.
>
> But when I connect more than one client, the old client connection gets
> terminated.

Did you test from clients with different public IP addresses (not
masqueraded behind the same NAT device)? AFAIK the generic connection
tracking and NAT should properly handle multiple GRE tunnels between a
masqueraded server and multiple clients, provided that the server sees a
unique IP address for each client so each tunnel creates a unique
conntrack/NAT tuple.

* Re: ""how can i allow IP protocol 47 "" on iptables to connect a pptp VPN server.
From: rajeev.sekhar @ 2007-06-20 5:40 UTC
To: Pascal Hambourg, netfilter

Oh yes, you are right: I tried to connect multiple clients from the same IP
address. I will try from different IPs & let you know.

Thanks
Rajeev Sekhar