can't get connection to vpn Server (pptp) behind iptables FW

can't get connection to vpn Server (pptp) behind iptables FW

[peter.gehle]

[-- Attachment #1: Type: text/plain, Size: 1379 bytes --]

Hi,

since two weeks i try to create rules for my iptables fw who
let pass an vpn tunnel to my internel ms vpn server (pptp).
i have installed the kernel 2.4.25 and patched it with patch-o-matic (only the 
pptp/gre patch aplied).

i load the ip_conntrack_pptp, ip_conntrack_proto_gre, ip_nat_pptp and ip_nat_proto_gre modules,
and my script looks so:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.2
iptables -A FORWARD -i eth0 -m state --state NEW -p tcp -d 192.168.1.2 --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -p GRE  -d 192.168.1.2 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p GRE -j DNAT --to-destination 192.168.1.2
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

So whats wrong, becaus i can connect to the vpn server behind the firewall, but the 
connection hangs at the authentification. after some minutes i receive an message that
the server does not respond.

netstat say this:
netstat-nat -d 192.168.1.2 
Proto NATed Address Foreign Address State 
tcp p42821a5e.dip.t-dialin.ne:4394 192.168.1.2:1723 ESTABLISHED 
tcp p42821a5e.dip.t-dialin.ne:4392 192.168.1.2:1723 TIME_WAIT

Scheme of my network:
vpn-client -> hw-router -> internet -> hw-router -> firewall -> vpn-server

so whats going wrong?

Thanx Peter

[-- Attachment #2: Type: text/html, Size: 2064 bytes --]

Re: can't get connection to vpn Server (pptp) behind iptables FW

[Antony Stone]

On Friday 12 March 2004 9:34 am, peter.gehle@sbgit.com wrote:

> Hi,
>
> since two weeks i try to create rules for my iptables fw who
> let pass an vpn tunnel to my internel ms vpn server (pptp).
> i have installed the kernel 2.4.25 and patched it with patch-o-matic (only
> the pptp/gre patch aplied).
>
> So whats wrong, becaus i can connect to the vpn server behind the firewall,
> but the connection hangs at the authentification. after some minutes i
> receive an message that the server does not respond.

I am not an expert on PPTP (I prefer IPsec), so I can't tell you exactly what 
you need to change, however I think you can find out what is missing by 
adding a couple of LOG rules which specify the remote system as source and 
destination address, and see what packets get LOGged just before being 
DROPped.   This will help you understand what communication the two machines 
are trying to do, which is not being allowed.

eg: iptables -A FORWARD -s rem.ote.vpn.client -j LOG
iptables -A FORWARD -d rem.ote.vpn.client -j LOG

Hope this helps,

Antony.

-- 
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac

                                                     Please reply to the list;
                                                           please don't CC me.