From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: ""how can i allow IP protocol 47 "" on iptables to connet a pptp VPN server.
Date: Sat, 16 Jun 2007 14:29:13 +0200
Message-ID: <4673D799.30503@plouf.fr.eu.org>
In-Reply-To: <000e01c7b005$cb371be0$1664a8c0@ssplscu22>

Hello,

rajeev.sekhar wrote:
> 
> Right now my PPTP VPN server is outside the firewall, consuming 2 static 
> IP addresses.
> 
> I want to place my PPTP VPN server behind the firewall.
> 
> I followed a good doc at 
> http://tldp.org/HOWTO/VPN-Masquerade-HOWTO-5.html , but still can't 
> understand some words in it.

This document is largely outdated regarding the filtering/NAT rules, as 
it only mentions the old ipfwadm/ipchains for 2.0 and 2.2 kernels.

> I DNATed 1723, and 500 (which is used for control channels on pptp) to 
> my vpn server behind my firewall.

UDP 500 is used by IPSec. I have never seen it used by PPTP.

> The encrypted data channel in PPTP is carried over GRE, IP protocol 47. 
> Now how can I allow IP protocol 47 from outside? Is this possible? (I'm 
> pretty new to this.)

-p 47

> I am pasting my firewall rules.
[...]
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

IMO, you'd better filter by interface (or by interface AND address) 
rather than only by address. Filtering only on the source address won't 
protect from IP spoofing. Also, allowing only 127.0.0.1 may block 
loopback communications using other addresses in the 127.0.0.0/8 range.

> iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

Not needed, as the OUTPUT policy is ACCEPT.

> iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Why only TCP? What about other protocols? Doing so may break 
communications, e.g. blocking incoming UDP DNS replies, ICMP error 
messages, or GRE return traffic.

> iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
> #### SNATing VPN server to go out #########################
> iptables -A FORWARD -d 192.168.1.34 -j ACCEPT
> iptables -A POSTROUTING -t nat -s 192.168.1.34 -j SNAT --to-source 
> 203.129.224.181

Same as above, better use the input and/or output interface.

> ####  DNATing 1723 and 500 port for VPN server ##############
> iptables -A PREROUTING -t nat -p tcp --dport 1723 -i eth1 -d 
> 203.129.224.181 -j DNAT --to-destination 192.168.1.34:1723
> iptables -A PREROUTING -t nat -p udp --dport 500 -i eth1 -d 
> 203.129.224.181 -j DNAT --to-destination 192.168.1.34:500

See the above comment about UDP 500 not being used by PPTP.

> I tried to NAT port 41 so that protocol 41 would work (but as expected 
> it didn't work).

*Protocol*, not port. Protocol 41 is used for encapsulating IPv6 over 
IPv4. GRE is protocol *47*.

> #### DNATing 41 port
> iptables -t nat -A PREROUTING -i eth1 -p 41 -j DNAT --to 192.168.1.34
> iptables -t filter -A FORWARD -i eth1 -p 41 -d 192.168.1.34 -j ACCEPT

"-p 47" should work better. You should also accept GRE traffic from the 
server to the outside.

> Is it possible to put a VPN server behind a firewall?
> Has anybody done this before?

I did. It worked fine.

Note: AFAIK the Netfilter conntrack+NAT PPTP helper modules 
(ip_conntrack_pptp+ip_nat_pptp or nf_conntrack_pptp+nf_nat_pptp on some 
recent 2.6 kernels) are not required for a masqueraded server.

You may try the following rather simple ruleset (assuming eth0 is the 
internal interface and eth1 the external interface) with the same 
default policies:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# accept established and related traffic
# put these rules first as they will catch most traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept incoming loopback and internal traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

# DNAT and accept external new PPTP traffic to the server
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
   -p tcp --dport 1723 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -m state --state NEW \
   -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
   -p 47 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -p 47 -j ACCEPT

# accept and SNAT/masquerade new internal traffic to the outside
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW \
  -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 \
   -j SNAT --to 203.129.224.181

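The points raised in the reply above (a RELATED,ESTABLISHED accept restricted to TCP, protocol 41 used where GRE is protocol 47, INPUT accepts by source address only, and no DNAT of GRE to the server) can be checked mechanically. The Python script below is an added example for this thread, not code from the post or from the netfilter project: it parses iptables command lines in the form used in the messages and reports those pitfalls. The server address 192.168.1.34 is taken from the thread; the finding codes, the alias table and the `lint` function are my own, and the two embedded rulesets are transcribed from the messages above (the posted one as a subset, with each command on one line).

```python
"""Lint iptables commands for the PPTP-behind-NAT pitfalls raised in this thread (constructed example)."""
import shlex

GRE = {"47", "gre"}
VPN_SERVER = "192.168.1.34"  # VPN server address used in the thread
# long option spellings iptables accepts as synonyms of the short ones used below
ALIASES = {"--table": "-t", "--append": "-A", "--protocol": "-p", "--source": "-s",
           "--destination": "-d", "--in-interface": "-i", "--out-interface": "-o",
           "--jump": "-j", "--to-destination": "--to", "--to-source": "--to"}


def split_commands(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    cmds, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        cmds.append(pending + line)
        pending = ""
    return cmds


def parse_rule(cmd):
    """Map one iptables command to an option dict; -P takes two values, all others one."""
    toks = shlex.split(cmd)
    if not toks or toks[0] != "iptables":
        raise ValueError("not an iptables command: %r" % cmd)
    opts, i = {"-t": "filter"}, 1  # -t defaults to the filter table
    while i < len(toks):
        flag = ALIASES.get(toks[i], toks[i])
        width = 2 if flag == "-P" else 1
        if i + width >= len(toks):
            raise ValueError("option %s lacks its value in %r" % (flag, cmd))
        opts[flag] = " ".join(toks[i + 1:i + 1 + width])
        i += 1 + width
    return opts


def accepts_gre(rule):
    """A rule without -p matches every protocol, GRE included."""
    return rule.get("-p", "gre").lower() in GRE


def lint(text, server=VPN_SERVER):
    """Return (code, message) findings for the mistakes discussed in the thread."""
    rules = [parse_rule(c) for c in split_commands(text)]
    findings = []
    for r in rules:
        chain = r.get("-A", "")
        if "ESTABLISHED" in r.get("--state", "").upper().split(",") and "-p" in r:
            findings.append(("CONNTRACK_PROTO", "%s: RELATED,ESTABLISHED accept limited to -p %s; "
                             "UDP replies, ICMP errors and GRE return traffic are dropped" % (chain, r["-p"])))
        if r.get("-p", "").lower() in {"41", "ipv6"}:
            findings.append(("PROTO_41", "%s: protocol 41 is IPv6-in-IPv4; PPTP data is GRE, protocol 47" % chain))
        if chain == "INPUT" and r.get("-j") == "ACCEPT" and "-s" in r and "-i" not in r:
            findings.append(("ADDR_ONLY", "INPUT accepts -s %s without -i; address alone does not stop spoofing" % r["-s"]))
    if not any(r["-t"] == "nat" and r.get("-A") == "PREROUTING" and r.get("-j") == "DNAT"
               and r.get("--to", "").split(":")[0] == server and accepts_gre(r) for r in rules):
        findings.append(("NO_GRE_DNAT", "no nat PREROUTING rule DNATs GRE (-p 47) to %s" % server))
    if not any(r["-t"] == "filter" and r.get("-A") == "FORWARD" and r.get("-j") == "ACCEPT" and accepts_gre(r)
               and (r.get("-d") == server or ("-d" not in r and "-s" not in r)) for r in rules):
        findings.append(("NO_GRE_FORWARD", "no FORWARD rule accepts GRE (-p 47) to %s" % server))
    return findings


# Rules quoted from the original post (subset, each command on one line).
POSTED_RULES = r"""
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.34 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 1723 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:1723
iptables -A PREROUTING -t nat -p udp --dport 500 -i eth1 -d 203.129.224.181 -j DNAT --to-destination 192.168.1.34:500
iptables -t nat -A PREROUTING -i eth1 -p 41 -j DNAT --to 192.168.1.34
iptables -t filter -A FORWARD -i eth1 -p 41 -d 192.168.1.34 -j ACCEPT
"""

# The ruleset suggested in the reply above (comments omitted, continuation lines kept).
SUGGESTED_RULES = r"""
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
   -p tcp --dport 1723 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -m state --state NEW -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 203.129.224.181 \
   -p 47 -j DNAT --to 192.168.1.34
iptables -A FORWARD -i eth1 -d 192.168.1.34 -p 47 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to 203.129.224.181
"""
```

Running `lint(POSTED_RULES)` yields seven findings (two address-only INPUT accepts, two TCP-only conntrack accepts, two protocol-41 rules and the missing GRE DNAT), while `lint(SUGGESTED_RULES)` returns an empty list. The checker only sees what is in the rule text; it says nothing about rule order or about whether the pptp helper modules are loaded, which is why the interface-based design of the suggested ruleset still matters.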
