* VPN Server behind a iptables FW (PPTP)
@ 2003-03-12 15:06 Cassani Alexio
2003-03-12 15:25 ` Raymond Leach
0 siblings, 1 reply; 3+ messages in thread
From: Cassani Alexio @ 2003-03-12 15:06 UTC (permalink / raw)
To: netfilter
Hi all,
I've set up a linux box with iptables 1.2.7a + pptp patch.
Then I've configured a VPN server win2k-based and if I try to connect to
it using a client of my LAN I have no problem, obviously the problems
are present when the vpn client is outside my network.
The architecture is here reported:
VPN IPTables VPN
Server --- Server --- Internet --- Client
VPN Server Internal IP:192.168.0.1
VPN Server public IP (hosted by the firewall) is a global address.
So IPTables server performs NAT.
Actions performed:
- from VPN client (a win2k box) I can telnet my vpn server at the 1723
port
- from VPN client I've configured a VPN connection to my VPN server and
the connection stops with the following error "721 remote computer is
not responding" after hanging for a few seconds on the window "Verifying
Username and Password"
My opinion is that GRE packet are not routed by the linux box, so
authentication fails.
The iptables script used to set up the fw includes the following lines
regarding GRE protocol:
$IPTABLES -t nat -A PREROUTING -p GRE -i $INET_IFACE -j DNAT
--to-destination $LAN_VPNSERVER_IP
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -o $LAN_IFACE -d
$LAN_VPNSERVER_IP -j allowed
$IPTABLES -A FORWARD -p 47 -s 0/0 -d $LAN_VPNSERVER_IP -j ACCEPT
The ones regarding PPTP are (restricted to the vpn client's ip):
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -s $VPNCLIENT_IP -d
$VPNSERVER_IP --dport 1723 \
-j DNAT --to-destination $LAN_VPNSERVER_IP:1723
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d
$LAN_VPNSERVER_IP \
--dport 1723 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $LAN_IFACE -d
$LAN_VPNSERVER_IP \
-j icmp_packets
Any suggestions?
TIA
Alexio
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: VPN Server behind a iptables FW (PPTP)
2003-03-12 15:06 VPN Server behind a iptables FW (PPTP) Cassani Alexio
@ 2003-03-12 15:25 ` Raymond Leach
0 siblings, 0 replies; 3+ messages in thread
From: Raymond Leach @ 2003-03-12 15:25 UTC (permalink / raw)
To: Netfilter Mailing List
[-- Attachment #1: Type: text/plain, Size: 4087 bytes --]
On Wed, 2003-03-12 at 17:06, Cassani Alexio wrote:
> Hi all,
> I've set up a linux box with iptables 1.2.7a + pptp patch.
> Then I've configured a VPN server win2k-based and if I try to connect to
> it using a client of my LAN I have no problem, obviously the problems
> are present when the vpn client is outside my network.
> The architecture is here reported:
>
> VPN IPTables VPN
> Server --- Server --- Internet --- Client
>
> VPN Server Internal IP:192.168.0.1
> VPN Server public IP (hosted by the firewall) is a global address.
> So IPTables server performs NAT.
How are you doinf NAT? Does the public ip get bound to an interface on
the iptables server, e.g. eth0:1?
I had to add INPUT rules like this:
$IPTABLES -A INPUT -i $IFACE_INET -p tcp --dport 1723 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_INET -p 47 -d $IP_INET_WEB8 -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT
>
>
> Actions performed:
>
> - from VPN client (a win2k box) I can telnet my vpn server at the 1723
> port
> - from VPN client I've configured a VPN connection to my VPN server and
> the connection stops with the following error "721 remote computer is
> not responding" after hanging for a few seconds on the window "Verifying
> Username and Password"
>
> My opinion is that GRE packet are not routed by the linux box, so
> authentication fails.
We are using standard pptp for the tunnel ...
>
> The iptables script used to set up the fw includes the following lines
> regarding GRE protocol:
>
> $IPTABLES -t nat -A PREROUTING -p GRE -i $INET_IFACE -j DNAT
> --to-destination $LAN_VPNSERVER_IP
> $IPTABLES -A FORWARD -p 47 -i $INET_IFACE -o $LAN_IFACE -d
> $LAN_VPNSERVER_IP -j allowed
> $IPTABLES -A FORWARD -p 47 -s 0/0 -d $LAN_VPNSERVER_IP -j ACCEPT
>
My PREROUTING and FORWARD rules:
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp --dport 1723 -d
$IP_INET_WEB8 -j DNAT --to $IP_INT_WEB8
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p 47 -d $IP_INET_WEB8 -j
DNAT --to $IP_INT_WEB8
$IPTABLES -A FORWARD -i $IFACE_INT -p tcp --sport 1723 --dport 1024: -s
$IP_INT_WEB8 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INT -p 47 -s $IP_INT_WEB8 -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p tcp --dport 1723 -d $IP_INT_WEB8
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p 47 -d $IP_INT_WEB8 -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT
then there's also POSTROUTING from the VPN server:
$IPTABLES -t nat -A POSTROUTING -o $IFACE_INET -p tcp --sport 1723 -s
$IP_INT_WEB8 -d ! $NET_INT -j SNAT --to $IP_INET_WEB8
And that works for me ...
> The ones regarding PPTP are (restricted to the vpn client's ip):
>
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -s $VPNCLIENT_IP -d
> $VPNSERVER_IP --dport 1723 \
> -j DNAT --to-destination $LAN_VPNSERVER_IP:1723
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d
> $LAN_VPNSERVER_IP \
> --dport 1723 -j allowed
> $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $LAN_IFACE -d
> $LAN_VPNSERVER_IP \
> -j icmp_packets
>
> Any suggestions?
> TIA
> Alexio
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
( Raymond Leach )
) Knowledge Factory (
( )
) Tel: +27 11 445 8100 (
( Fax: +27 11 445 8101 )
) (
( http://www.knowledgefactory.co.za/ )
) http://www.saptg.co.za/ (
( http://www.mapnet.co.za/ )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o o
o o
.--. .--.
| o_o| |o_o |
| \_:| |:_/ |
/ / \\ // \ \
( | |) (| | )
/`\_ _/'\ /'\_ _/`\
\___)=(___/ \___)=(___/
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* RE: VPN Server behind a iptables FW (PPTP)
@ 2003-03-13 12:01 Cassani Alexio
0 siblings, 0 replies; 3+ messages in thread
From: Cassani Alexio @ 2003-03-13 12:01 UTC (permalink / raw)
To: Netfilter Mailing List
Hi Raymond,
> >
> > VPN Server Internal IP:192.168.0.1
> > VPN Server public IP (hosted by the firewall) is a global
> address. So
> > IPTables server performs NAT.
> How are you doinf NAT? Does the public ip get bound to an
> interface on the iptables server, e.g. eth0:1?
Yes I've configured all my global addresses on eth0 of the linux box,
the router cisco simply forward all the requests to it.
I've used your script but it doesn't work for me. The problem seems to
be the same, the VPN client reachs the tcp port of the vpn server (1723)
but then hangs for a few seconds and finally it stops showing up the
same error message ("721 remote computer is not responding").
The vpn server doesn't log anything of these attempt.
Maybe the problem could be at kernel level :|
Thanks,
Alexio
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-03-13 12:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-03-12 15:06 VPN Server behind a iptables FW (PPTP) Cassani Alexio
2003-03-12 15:25 ` Raymond Leach
-- strict thread matches above, loose matches on Subject: below --
2003-03-13 12:01 Cassani Alexio
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox