Hi
I'm running an ipchains 2.2.19 firewall with inside IP 192.168.1.1. In parallel with this firewall I have a Cisco 160x router with IP 192.168.1.2.

The reason for the router is that I have multiple clients that are running PPTP VPN towards an external server connected to the internet, and it only allows one client per IP, so the PPTP masq patch does not work since all clients would appear to come from the same IP. So I added a static route on the firewall saying that all traffic towards the PPTP server should go to 192.168.1.2, which would do full NAT for each client, making them come from different public IPs. This works great with 2.2.19 and ipchains.
But when I installed a new machine with 2.4.20 and iptables 1.2.7a patched with Harald W's PPTP patch (because of an internal PPTP server), things broke. Everything worked fine, except for the PPTP VPN against that one server.

Clients trying this are NT4 boxes, and traffic works like this as far as I can understand:

client - linux-gateway - cisco router - pptp server

and back like:

pptp server - nated ip on cisco - client

I tried to turn off rp_filter for the internal network card, but that did not help. So I ended up this morning switching back to the machine running 2.2.19 and ipchains, and all worked. That machine has both icmp_redirect and rp_filter turned on.
In the iptables script I'm using, this was entered for the PPTP machine to make sure no filter blocked it:

    iptables -A FORWARD -s $pptpsrv -j ACCEPT
    iptables -A FORWARD -d $pptpsrv -j ACCEPT

These were entered before any SNAT rules:

    iptables -t nat -A PREROUTING -s $pptpsrv -j ACCEPT
    iptables -t nat -A PREROUTING -d $pptpsrv -j ACCEPT
    iptables -t nat -A POSTROUTING -s $pptpsrv -j ACCEPT
    iptables -t nat -A POSTROUTING -d $pptpsrv -j ACCEPT
Does anyone have a suggestion about tuning parameters to make this work, or is it not possible with iptables and connection tracking?

Best regards, John Berntsen / Pepco AS
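The setup described in the post, as an added example that is not John's script and not code from Harald Welte's PPTP patch: a shell fragment that lays down the host route to the Cisco, the rp_filter toggle, and the PPTP-server ACCEPT rules ahead of the general MASQUERADE rule, in the order the post relies on. The PPTP server address (a TEST-NET-3 placeholder), the LAN/WAN interface names and the LAN subnet are assumptions; 192.168.1.2 is the Cisco from the post. With DRY_RUN=1 (the default) it only prints the commands, so it can be compared against an existing firewall script without touching a live gateway.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script or the PPTP patch's code.
# Assumed placeholders (not from the post): PPTPSRV, LAN_IF, WAN_IF, LAN_NET.
# CISCO=192.168.1.2 is the router from the post.
PPTPSRV="${PPTPSRV:-203.0.113.10}"
CISCO="${CISCO:-192.168.1.2}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = really run them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # 1. Host route: traffic for the PPTP server goes to the Cisco on the LAN
    #    side instead of following the default route out the WAN interface.
    run ip route replace "$PPTPSRV/32" via "$CISCO" dev "$LAN_IF"

    # 2. Reverse-path filtering off on the LAN interface. The Cisco's replies
    #    come back in on the same interface the client traffic arrived on; with
    #    strict rp_filter the kernel may drop them. (The post tried this alone
    #    without success, so it is kept here only for completeness.)
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=0"

    # Not something the post tried: because the gateway forwards these packets
    # back out the interface they came in on, Linux will send ICMP redirects to
    # the clients pointing them at $CISCO unless send_redirects is off.
    # run sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"

    # 3a. Filter table: accept both directions for the PPTP server before any
    #     later DROP/REJECT policy rules get a look at the packets.
    run iptables -A FORWARD -s "$PPTPSRV" -j ACCEPT
    run iptables -A FORWARD -d "$PPTPSRV" -j ACCEPT

    # 3b. nat table: the nat chains are consulted for the first packet of a
    #     connection only, and ACCEPT there means "no NAT mapping for this
    #     connection". These must be appended *before* the MASQUERADE rule.
    run iptables -t nat -A PREROUTING  -s "$PPTPSRV" -j ACCEPT
    run iptables -t nat -A PREROUTING  -d "$PPTPSRV" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$PPTPSRV" -j ACCEPT
    run iptables -t nat -A POSTROUTING -d "$PPTPSRV" -j ACCEPT

    # 4. Everything else from the LAN is masqueraded out the WAN interface.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Sanity check on the emitted list: the POSTROUTING ACCEPT for the PPTP server
# must precede the MASQUERADE rule, otherwise the masquerade wins and every
# client reaches the Cisco (and the PPTP server) from the gateway's address.
check_order() {
    out=$(gateway_rules)
    acc=$(printf '%s\n' "$out" | grep -n -- "-A POSTROUTING -d $PPTPSRV -j ACCEPT" | cut -d: -f1)
    masq=$(printf '%s\n' "$out" | grep -n -- "MASQUERADE" | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$masq" ] && [ "$acc" -lt "$masq" ]
}

gateway_rules
```

Run it with DRY_RUN=1 (the default) to see the command list; on a live 2.4 gateway, `iptables -t nat -L POSTROUTING -n` shows whether the ACCEPT rules really sit above the MASQUERADE rule, which is what `check_order` verifies on the printed list.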