On 04/28/2007 11:15:33 PM, Neil Aggarwal - neil@xxxxxxxxxxxxxxxxxx wrote:
> Hello:
>
> I have a Linux box acting as a firewall and gateway
> for my local internet. The private IP is 192.168.1.1
>
> Behind that, I have a Linksys VPN box. Its IP
> is 192.168.1.101.
>
> If I go to my Linux box and issue this command:
>
> telnet 192.168.1.101 1723
>
> I get this output:
>
> Trying 192.168.1.101...
> Connected to 192.168.1.101 (192.168.1.101).
> Escape character is '^]'.
>
> Everything is fine. I can connect to the Linksys box
> without a problem.
>
> Now, I want to set up routing from the external world
> to be able to access the Linksys box.
>
> I added this rule to my firewall to do the forwarding:
>
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP
>     --sport 1024: --dport 1723
>     -j DNAT --to $LINKSYS_VPN_IP:1723
>
> It is all on one line; I added line breaks for readability.

OK, you have forwarded this port from the firewall to the VPN box.
Now you have to accept it. (You must have a default drop policy in FORWARD.)

> When I tried to telnet to port 1723 on my public IP, I saw logs
> from my firewall for inbound packets, so I added these rules:
>
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP
>     -p tcp --sport 1024: --dport 1723
>     -m state --state NEW,ESTABLISHED -j ACCEPT
>
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP
>     -p tcp --sport 1024: --dport 1723
>     -m state --state NEW,ESTABLISHED -j ACCEPT

You need packets to flow in both directions. The outside should be able
to initiate, so the first rule looks good:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP \
    -p tcp --sport 1024: --dport 1723 \
    -m state --state NEW,ESTABLISHED -j ACCEPT

But you need to accept the return packets. How about this for the
return pattern:

/sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP \
    -p tcp --sport 1723 \
    -m state --state ESTABLISHED -j ACCEPT

The ACCEPT in the nat POSTROUTING can be removed.

HTH
-- 
Jim Laurino
nfcan.x.jimlaur@xxxxxxxx
Please reply to the list. Only mail from the listserver reaches this address.
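The complete rule set the reply describes (DNAT in nat/PREROUTING, an inbound FORWARD accept on the translated destination, and a matching FORWARD accept for the return packets), as an added example that is not part of the original thread and not a script from either poster. It prints the iptables commands rather than running them, so the set can be reviewed before being applied as root. The interface names, the public address 203.0.113.10 and the environment-variable names are assumptions. One caveat the thread does not cover: port 1723 is only the PPTP control channel, and the tunnel's data travels over GRE (IP protocol 47), so GRE has to be forwarded too, and DNAT of GRE relies on the kernel's PPTP connection-tracking/NAT helper (nf_conntrack_pptp and nf_nat_pptp on current kernels; the module names are an assumption about the kernel in use).

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Emits the iptables rules that forward TCP/1723 (PPTP control) from the
# firewall's public address to the VPN box behind it, plus the GRE data
# channel, and accepts the return traffic in FORWARD.
# Interface names and addresses below are assumptions; override them in
# the environment (e.g. ETH0_IP=1.2.3.4 ./pptp-forward.sh).
EXT_IF="${EXT_IF:-eth0}"                           # public-facing interface (assumed)
INT_IF="${INT_IF:-eth1}"                           # LAN interface (assumed)
ETH0_IP="${ETH0_IP:-203.0.113.10}"                 # firewall's public IP (assumed, TEST-NET-3)
LINKSYS_VPN_IP="${LINKSYS_VPN_IP:-192.168.1.101}"  # the VPN box from the thread

# Prerequisites that are easy to forget: the box must route, and DNAT of
# the GRE data channel needs the PPTP conntrack/NAT helper loaded.
# Module names assume a current kernel.
preflight_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
EOF
}

# DNAT happens in nat/PREROUTING before the routing decision, so the
# filter/FORWARD rules must match the *translated* destination
# ($LINKSYS_VPN_IP), not the public address. The third line is the return
# pattern from the reply: source is the VPN box, source port 1723, and
# only ESTABLISHED, so the inside cannot open new sessions through it.
# No nat/POSTROUTING rule is needed for a plain DNAT.
pptp_forward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $ETH0_IP --dport 1723 -j DNAT --to-destination $LINKSYS_VPN_IP:1723
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $LINKSYS_VPN_IP --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $LINKSYS_VPN_IP --sport 1723 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -p gre -d $ETH0_IP -j DNAT --to-destination $LINKSYS_VPN_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p gre -d $LINKSYS_VPN_IP -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p gre -s $LINKSYS_VPN_IP -j ACCEPT
EOF
}

# Number of rules the generator emits; handy for a quick sanity check.
rule_count() {
    pptp_forward_rules | wc -l | tr -d ' '
}

case "${1:-print}" in
    apply) { preflight_commands; pptp_forward_rules; } | sh -e ;;   # run as root
    *)     preflight_commands; pptp_forward_rules ;;
esac
```

Run it with no arguments to see the rule set, or with `apply` as root to execute it. If the firewall already has a generic `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule near the top of FORWARD, the per-service return rule is redundant, which is the usual way to avoid writing one return rule per forwarded port; the explicit form above is kept because it matches the reply's reasoning and because the GRE rules, which carry no port, are easier to audit when they are spelled out.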