* can't get connection to vpn Server (pptp) behind iptables FW
@ 2004-03-12 9:34 peter.gehle
From: peter.gehle @ 2004-03-12 9:34 UTC (permalink / raw)
To: netfilter
Hi,
For two weeks I have been trying to create rules for my iptables FW which
let a VPN tunnel pass to my internal MS VPN server (PPTP).
I have installed kernel 2.4.25 and patched it with patch-o-matic (only the
pptp/gre patch applied).
I load the ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_pptp and ip_nat_proto_gre modules,
and my script looks like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -i eth0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -p GRE -d 192.168.1.2 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p GRE -j DNAT --to-destination 192.168.1.2
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
So what's wrong? I can connect to the VPN server behind the firewall, but the
connection hangs at the authentication. After some minutes I receive a message that
the server does not respond.
netstat says this:
netstat-nat -d 192.168.1.2
Proto NATed Address Foreign Address State
tcp p42821a5e.dip.t-dialin.ne:4394 192.168.1.2:1723 ESTABLISHED
tcp p42821a5e.dip.t-dialin.ne:4392 192.168.1.2:1723 TIME_WAIT
Scheme of my network:
vpn-client -> hw-router -> internet -> hw-router -> firewall -> vpn-server
So what's going wrong?
Thanx Peter
* Re: can't get connection to vpn Server (pptp) behind iptables FW
From: Antony Stone @ 2004-03-12 9:53 UTC (permalink / raw)
To: netfilter
On Friday 12 March 2004 9:34 am, peter.gehle@sbgit.com wrote:
> Hi,
>
> For two weeks I have been trying to create rules for my iptables FW which
> let a VPN tunnel pass to my internal MS VPN server (PPTP).
> I have installed kernel 2.4.25 and patched it with patch-o-matic (only
> the pptp/gre patch applied).
>
> So what's wrong? I can connect to the VPN server behind the firewall,
> but the connection hangs at the authentication. After some minutes I
> receive a message that the server does not respond.
I am not an expert on PPTP (I prefer IPsec), so I can't tell you exactly what
you need to change, however I think you can find out what is missing by
adding a couple of LOG rules which specify the remote system as source and
destination address, and see what packets get LOGged just before being
DROPped. This will help you understand what communication the two machines
are trying to do, which is not being allowed.
eg: iptables -A FORWARD -s rem.ote.vpn.client -j LOG
iptables -A FORWARD -d rem.ote.vpn.client -j LOG
Hope this helps,
Antony.
--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.
In poetry, it is the exact opposite.
- Paul Dirac
Please reply to the list;
please don't CC me.
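An added example, not from either poster, for reading the kernel-log lines that the LOG rules above produce once they are appended after the ACCEPT rules (so only packets no ACCEPT rule matched get logged). It groups the logged packets by direction, protocol and destination port so you can see at a glance whether the TCP 1723 control channel or the GRE (protocol 47) data channel is the one not getting through. The sample lines, the "PPTP-DBG" prefix and the address 203.0.113.5 are constructed for the example; the 2.4 ipt_LOG target prints GRE as PROTO=47 because it has no name for it.

```python
import re
from collections import Counter

# Constructed sample lines in the format the 2.4 ipt_LOG target writes to the
# kernel log. The prefix "PPTP-DBG" is assumed to have been set with
# --log-prefix; GRE carries no ports, so those lines end at PROTO=47.
SAMPLE_LOG = """\
Mar 12 10:01:02 fw kernel: PPTP-DBG IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.2 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=4394 DPT=1723 WINDOW=5840 SYN URGP=0
Mar 12 10:01:02 fw kernel: PPTP-DBG IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.5 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=1723 DPT=4394 WINDOW=5792 ACK SYN URGP=0
Mar 12 10:01:03 fw kernel: PPTP-DBG IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.2 LEN=64 TTL=54 ID=3 PROTO=47
Mar 12 10:01:03 fw kernel: PPTP-DBG IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.5 LEN=64 TTL=63 ID=4 PROTO=47
Mar 12 10:01:04 fw kernel: PPTP-DBG IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.5 LEN=64 TTL=63 ID=5 PROTO=47
"""

# KEY=value tokens that matter for "who talks to whom on what".
FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_log_line(line):
    """Return the interesting KEY=value fields of one LOG line, or None
    if the line is not an ipt_LOG record (no SRC/PROTO present)."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields

def summarize(log_text, remote):
    """Count logged packets involving `remote` by
    (direction, protocol, destination port); direction is 'in' when the
    remote VPN client is the source, 'out' when the internal server
    answers it. GRE has no ports, so its port slot is None."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or remote not in (f["SRC"], f["DST"]):
            continue
        direction = "in" if f["SRC"] == remote else "out"
        counts[(direction, f["PROTO"], f.get("DPT"))] += 1
    return counts

def report(counts):
    """Human-readable lines, e.g. 'out 47 (no port): 2 packet(s) logged'."""
    lines = []
    for (direction, proto, dport), n in sorted(counts.items()):
        port = f"/{dport}" if dport else " (no port)"
        lines.append(f"{direction} {proto}{port}: {n} packet(s) logged")
    return lines

if __name__ == "__main__":
    # Replace SAMPLE_LOG with the relevant lines of /var/log/messages or dmesg.
    for line in report(summarize(SAMPLE_LOG, "203.0.113.5")):
        print(line)
```

A logged packet is one that reached the end of FORWARD without an ACCEPT, so a direction or protocol that shows up only in the report is the traffic the rule set is not letting through.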