On Wed, 2003-03-12 at 17:06, Cassani Alexio wrote:
> Hi all,
> I've set up a linux box with iptables 1.2.7a + pptp patch.
> Then I've configured a VPN server win2k-based and if I try to connect to
> it using a client of my LAN I have no problem, obviously the problems
> are present when the vpn client is outside my network.
> The architecture is here reported:
>
>   VPN          IPTables                      VPN
>   Server  ---  Server  ---  Internet  ---  Client
>
> VPN Server Internal IP: 192.168.0.1
> VPN Server public IP (hosted by the firewall) is a global address.
> So IPTables server performs NAT.

How are you doing NAT? Does the public ip get bound to an interface on the
iptables server, e.g. eth0:1?

I had to add INPUT rules like this:

$IPTABLES -A INPUT -i $IFACE_INET -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_INET -p 47 -d $IP_INET_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

> Actions performed:
>
> - from VPN client (a win2k box) I can telnet my vpn server at the 1723
>   port
> - from VPN client I've configured a VPN connection to my VPN server and
>   the connection stops with the following error "721 remote computer is
>   not responding" after hanging for a few seconds on the window "Verifying
>   Username and Password"
>
> My opinion is that GRE packets are not routed by the linux box, so
> authentication fails.

We are using standard pptp for the tunnel ...

> The iptables script used to set up the fw includes the following lines
> regarding GRE protocol:
>
> $IPTABLES -t nat -A PREROUTING -p GRE -i $INET_IFACE -j DNAT --to-destination $LAN_VPNSERVER_IP
> $IPTABLES -A FORWARD -p 47 -i $INET_IFACE -o $LAN_IFACE -d $LAN_VPNSERVER_IP -j allowed
> $IPTABLES -A FORWARD -p 47 -s 0/0 -d $LAN_VPNSERVER_IP -j ACCEPT

My PREROUTING and FORWARD rules:

$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp --dport 1723 -d $IP_INET_WEB8 -j DNAT --to $IP_INT_WEB8
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p 47 -d $IP_INET_WEB8 -j DNAT --to $IP_INT_WEB8
$IPTABLES -A FORWARD -i $IFACE_INT -p tcp --sport 1723 --dport 1024: -s $IP_INT_WEB8 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INT -p 47 -s $IP_INT_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p tcp --dport 1723 -d $IP_INT_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p 47 -d $IP_INT_WEB8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

then there's also POSTROUTING from the VPN server:

$IPTABLES -t nat -A POSTROUTING -o $IFACE_INET -p tcp --sport 1723 -s $IP_INT_WEB8 -d ! $NET_INT -j SNAT --to $IP_INET_WEB8

And that works for me ...

> The ones regarding PPTP are (restricted to the vpn client's ip):
>
> $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -s $VPNCLIENT_IP -d $VPNSERVER_IP --dport 1723 \
>     -j DNAT --to-destination $LAN_VPNSERVER_IP:1723
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d $LAN_VPNSERVER_IP \
>     --dport 1723 -j allowed
> $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $LAN_IFACE -d $LAN_VPNSERVER_IP \
>     -j icmp_packets
>
> Any suggestions?
> TIA
> Alexio

-- 
Raymond Leach
Knowledge Factory
Tel: +27 11 445 8100
Fax: +27 11 445 8101
http://www.knowledgefactory.co.za/
http://www.saptg.co.za/
http://www.mapnet.co.za/
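Added example, not part of either poster's mail: a small Python checker for the failure mode the thread is circling, a NAT box that passes the TCP 1723 control connection but not GRE (protocol 47), so telnet to 1723 works while the tunnel dies at "Verifying Username and Password". It parses rules written in the same iptables command style as above and names the pass-through pieces that are missing. The rule text, the interfaces (eth0 Internet, eth1 LAN) and the addresses (203.0.113.10 public, 192.168.0.1 internal VPN server) are constructed assumptions.

```python
import shlex

# Constructed rule set in the thread's own style (assumed: eth0 = Internet side, eth1 = LAN side,
# 203.0.113.10 = public VPN address on the firewall, 192.168.0.1 = internal win2k VPN server).
RULES_OK = """
-t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -d 203.0.113.10 -j DNAT --to 192.168.0.1
-t nat -A PREROUTING -i eth0 -p 47 -d 203.0.113.10 -j DNAT --to 192.168.0.1
-A FORWARD -i eth0 -p tcp --dport 1723 -d 192.168.0.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p 47 -d 192.168.0.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -p 47 -s 192.168.0.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o eth0 -p tcp --sport 1723 -s 192.168.0.1 -d ! 192.168.0.0/24 -j SNAT --to 203.0.113.10
"""
# Control channel only: 1723 answers, but the tunnel stalls at authentication (error 721).
RULES_NO_GRE = "\n".join(l for l in RULES_OK.splitlines() if "-p 47" not in l)

OPTS = {"-t": "table", "-A": "chain", "-p": "proto", "-s": "src", "-d": "dst",
        "--dport": "dport", "-j": "target", "--to": "to", "--to-destination": "to"}
PROTO = {"47": "gre", "gre": "gre", "6": "tcp", "tcp": "tcp"}   # normalise number/name forms

def parse_rule(line):
    """Reduce one iptables command line to the options the checker cares about."""
    toks, rule, i = shlex.split(line), {"table": "filter"}, 0
    while i < len(toks):
        if toks[i] in OPTS:
            key, val = OPTS[toks[i]], toks[i + 1]
            if val == "!":                    # '-d ! net' negation: keep it from matching as a plain value
                val, i = "!" + toks[i + 2], i + 1
            if key == "proto":
                val = PROTO.get(val.lower(), val.lower())
            elif key == "to":
                val = val.split(":")[0]       # drop an optional :port on the DNAT address
            rule[key] = val
            i += 2
        else:
            i += 1                            # -i/-o/-m/--state etc. are not needed for this check
    return rule

def pptp_passthrough_gaps(rules_text, vpn_ip):
    """Name the PPTP pass-through pieces (TCP 1723 plus GRE in both directions) missing from the
    ruleset. Only direct ACCEPT/DNAT targets count; jumps to user chains like 'allowed' are not followed."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    def present(want):
        return any(all(r.get(k) == v for k, v in want.items()) for r in rules)
    required = {
        "DNAT tcp/1723 -> VPN server":    dict(table="nat", chain="PREROUTING", proto="tcp", dport="1723", target="DNAT", to=vpn_ip),
        "DNAT GRE -> VPN server":         dict(table="nat", chain="PREROUTING", proto="gre", target="DNAT", to=vpn_ip),
        "FORWARD tcp/1723 to VPN server": dict(chain="FORWARD", proto="tcp", dport="1723", dst=vpn_ip, target="ACCEPT"),
        "FORWARD GRE to VPN server":      dict(chain="FORWARD", proto="gre", dst=vpn_ip, target="ACCEPT"),
        "FORWARD GRE from VPN server":    dict(chain="FORWARD", proto="gre", src=vpn_ip, target="ACCEPT"),
    }
    return [name for name, want in required.items() if not present(want)]
```

Run it against a dump of your own script's rules with your internal VPN address; an empty list means both the control connection and GRE are DNATed and forwarded, anything else is a candidate cause for the 721 hang.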