Linux Netfilter discussions
* Newb here, I need help opening port 1723 and setting a public IP address to a private IP
@ 2005-09-28 22:02 Ron Powell
  2005-09-28 23:05 ` /dev/rob0
  2005-09-28 23:21 ` Newb here, I need help opening port 1723 and setting a public IP address to a private IP Anthony Sadler
  0 siblings, 2 replies; 3+ messages in thread
From: Ron Powell @ 2005-09-28 22:02 UTC (permalink / raw)
  To: netfilter

Ok, I have very little firewall knowledge and really know nothing about Linux\Unix,
so go easy on me.
 What I need to know is this: I have set up a VPN connection on our Windows
2003 server. I need to configure our iptables firewall to allow this
connection; also, if anything is different on a 2000 server I will need to
know what to change in case we decide to use it in the future. I need the
VPN's public IP to point to the private IP of our VPN server and open any
ports to that IP that need to be opened for the VPN connection to work; I'm
guessing just 1723. I think that some rules have already been created that
point the public IP to the private address but not port 1723.
 Thanks in advance for any advice you can give.


* Re: Newb here, I need help opening port 1723 and setting a public IP address to a private IP
From: /dev/rob0 @ 2005-09-28 23:05 UTC (permalink / raw)
  To: netfilter

On Wednesday 2005-September-28 17:02, Ron Powell wrote:
> Ok, I have very little firewall knowledge and really know nothing about
> Linux\Unix so go easy on me.

We like "/" as our path separator. "\" is an escape character. So that 
should be "Linux/Unix." :)

Yes I'm teasing. But FWIW this is one of few places it's safe to say 
"Linux" because netfilter is Linux only.

>  What I need to know is this, I have setup a VPN connection on our
> Windows 2003 server. I need to configure our iptables firewall to
> allow this connection,

You mentioned 1723 in $SUBJECT. 1723/tcp is used to negotiate the 
connection, but the actual VPN traffic is GRE, "--protocol 47".

> also if anything is different on a 2000 server I will need to know
> what to change in case we decide to use it in the future.

Hmmm, I would advise anyone to move away from PPTP in particular and 
from Windows in general. PPTP has known vulnerabilities. OpenVPN is a 
real winner with multiplatform support and using OpenSSL for crypto 
code ... as opposed to MPPE ... ugh!

I'll spare the list any OS advocacy, but I do believe you can do much 
more on Linux, and more safely, and without the uncertainty which is 
built into proprietary junkware.

Anyway, this list is probably not a good place to find out about 
features in Windows.

> I need the vpn's Public IP to point to the private IP of our 
> VPN server

That part doesn't parse for me.

> and open any ports to that IP that need to be opened for 
> the vpn connection to work, I'm guessing just 1723.

Don't guess.

> I think that some rules have already been created that point the
> Public IP to the Private address but not port 1723.

I would not know what your iptables rules are.

> Thanks in advance for any advice you can give.

I would suggest that you get a ready-made firewall script or rules 
generator to get this thing working. Don't try to learn all of this 
right now. If you want to learn TCP/IP and firewalling, by all means 
set up a sandbox and play with it and hang around here.

There are dozens of such projects available. I used to use Monmotha's 
myself. The way it works is that you edit a configuration section to 
tell it about your network configuration and the services to allow. 
Then you run it and it generates your rules. You might want to save 
them using iptables-save(8).
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* RE: Newb here, I need help opening port 1723 and setting a public IP address to a private IP
From: Anthony Sadler @ 2005-09-28 23:21 UTC (permalink / raw)
  To: 'Ron Powell', netfilter

Hey Ron:

The commands as I see them should be this:

# GRE (IP protocol 47) carries the PPTP tunnel data; it has no port numbers
iptables -t nat -I PREROUTING -p 47 -s $SOURCE_IP -d $PUBLIC_IP_OF_GATEWAY -j DNAT --to $INTERNAL_VPN_SERVER
iptables -I FORWARD -p 47 -d $INTERNAL_VPN_SERVER -j ACCEPT
iptables -t nat -I POSTROUTING -p 47 -d $INTERNAL_VPN_SERVER -j MASQUERADE

What those three rules do is port-forward protocol 47. Note that you do not need the -s $SOURCE_IP section; it can be deleted. 

# PPTP control channel: tcp/1723
iptables -t nat -I PREROUTING -p tcp -d $PUBLIC_IP_OF_GATEWAY --dport 1723 -j DNAT --to $INTERNAL_VPN_SERVER:1723
iptables -I FORWARD -p tcp -d $INTERNAL_VPN_SERVER --dport 1723 -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -d $INTERNAL_VPN_SERVER --dport 1723 -j MASQUERADE

Those rules port forward port 1723 to the local machine.

# Outbound: let the internal VPN server initiate GRE and TCP out through the gateway
iptables -I FORWARD -p 47 -j ACCEPT
iptables -t nat -I POSTROUTING -p 47 -j MASQUERADE
iptables -I FORWARD -p tcp -s $INTERNAL_VPN_SERVER -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -s $INTERNAL_VPN_SERVER -j MASQUERADE

These rules I believe allow outgoing connections. I'm a little bit rusty, some of the gurus can confirm this :D


Anthony Sadler
Far Edge Technology
w: (02) 8425 1400
 

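The two points made in the replies above, that PPTP needs both the tcp/1723 control channel and the port-less GRE data channel (protocol 47) forwarded, and that a small rules generator is easier to get right than hand-typed rules, combined into one script. This is an added example, not code from either poster or from the netfilter project; the addresses, the interface name eth0 and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a small rules generator for
# forwarding a PPTP VPN through an iptables gateway. Two things must be
# forwarded: the tcp/1723 control channel and the GRE data channel
# (IP protocol 47), which carries no port numbers at all.
# The addresses and interface name below are constructed placeholders.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # gateway's public address (constructed, TEST-NET-3)
VPN_SERVER="${VPN_SERVER:-192.168.1.20}"  # internal PPTP server (constructed)
WAN_IF="${WAN_IF:-eth0}"                  # Internet-facing interface (assumption)

# Reject anything that is not a dotted-quad IPv4 address before it is
# spliced into a command line; returns 0 when valid, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables commands for one DNAT'd PPTP server.
# Arguments: public IP, internal server IP, WAN interface.
pptp_rules() {
    pub="$1"; srv="$2"; wan="$3"
    is_ipv4 "$pub" && is_ipv4 "$srv" || return 1

    # Control channel: tcp/1723, restricted to the WAN interface so that
    # LAN traffic addressed to the gateway itself is not rewritten.
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp -d $pub --dport 1723 -j DNAT --to-destination $srv:1723"
    echo "iptables -A FORWARD -i $wan -p tcp -d $srv --dport 1723 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # Data channel: GRE is protocol 47 and has no ports, so '--dport'
    # cannot be used; match on the protocol number only.
    echo "iptables -t nat -A PREROUTING -i $wan -p 47 -d $pub -j DNAT --to-destination $srv"
    echo "iptables -A FORWARD -i $wan -p 47 -d $srv -j ACCEPT"

    # Replies from the VPN server back out to the remote client.
    echo "iptables -A FORWARD -o $wan -s $srv -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the generator emits, as a sanity check.
pptp_rule_count() {
    pptp_rules "$@" | wc -l | tr -d ' '
}

# Print the rules; set APPLY=1 to run them as root instead.
if [ "${APPLY:-0}" = "1" ]; then
    pptp_rules "$PUBLIC_IP" "$VPN_SERVER" "$WAN_IF" | sh
else
    pptp_rules "$PUBLIC_IP" "$VPN_SERVER" "$WAN_IF"
fi
```

The generator appends with -A so the rules land in the order shown rather than reversed by -I, and it only emits rules for the inbound server the thread is about. Once more than one PPTP session has to cross the gateway, connection tracking needs to tell GRE tunnels apart by call ID; on current kernels that is what the nf_conntrack_pptp and nf_nat_pptp modules are for (the 2.6-era names were ip_conntrack_pptp and ip_nat_pptp).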

