Howto configure iptables to forward PPTP to an internal VPN server

Post by Petri Suomine » Sat, 24 Aug 2002 23:02:41

Hi,

I have a RedHat 7.1 box (2.4 kernel) acting as a firewall for a private IP
network; the firewall is done with iptables.

I want to enable incoming Microsoft VPN connections to a Microsoft VPN
server that is behind the firewall (on a private network address; the
firewall does NAT). How do I configure iptables to do that? The port that
needs to be forwarded is 1723, but then there is a GRE packet (IP protocol 47)
that also needs to be forwarded. This involves no ports, so can it be
forwarded based on its protocol?

The reason I can't use a Linux PPTP server (PoPToP or whatever) is that I
have an internal ADSL card in the Linux box, and its driver is precompiled,
so I cannot do anything with the kernel.

Regards,
                Petri

Post by Natma » Sun, 25 Aug 2002 14:10:04

> Hi,

> I have a RedHat 7.1 (2.4. kernels) acting as a firewall for a private IP
> network, the firewall is done with iptables.

> I want to enable incoming Microsoft VPN connections to a Microsoft VPN
> server that is behind the firewall (on a private network address; the
> firewall does NAT). How do I configure iptables to do that? The port that
> needs to be forwarded is 1723, but then there is a GRE packet (IP protocol 47)
> that also needs to be forwarded. This involves no ports, so can it be
> forwarded based on its protocol?

Port is not protocol.

You CAN forward protocol 47 by using "-p 47". Ports are --dport
and --sport. Forwarding GRE is the same as forwarding ports,
except for -p 47 instead of the usual -p tcp or -p udp. There are some
how-tos with examples.

> The reason I can't use a Linux PPTP server (PoPToP or whatever) is that I
> have an internal ADSL card in the Linux box, and its driver is precompiled,
> so I cannot do anything with the kernel.

If the driver is a module, then you can get the sources for matching kernel
version and recompile the kernel.  If the module is for kernel 2.4.18, then
download that version from www.kernel.org and go from there.  Even if you
can't find the exact same version that the module is from, sometimes
something close will work too.  If you already have GRE support in your
kernel, then you don't need to recompile to run PoPToP (unless you need the
encryption).

Natman

Post by Dmitri A. Martynoff64456127 » Tue, 15 Oct 2002 19:37:48

    Hello, All!

> > I want to enable incoming Microsoft VPN connections to a Microsoft VPN
> > server that is behind the firewall (in a private networks address, the
> > firewall does NAT). How do I configure iptables to do that ?

    I need exactly the same thing. I followed the HOWTO
(ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html), but it
does not work (timeout at password verification). Even more, it seems that
the simplest port forwarding via ipchains/DNAT does not work:

[GW]
iptables -A POSTROUTING -d $GW_IP --dport 8080 \
    -jDNAT --to $DESTINATION_IP:8080
telnet $DESTINATION_IP 8080
- OK.

[Client]
telnet $GW_IP 8080
- Connection refused

    What am I doing wrong? Kernel 2.4.18-10, iptables 1.2.6a.
    Is there anybody here who has working iptables/DNAT port forwarding?

> You CAN forward protocol 47 by using "-p 47". Ports are --dport
> and --sport. Forwarding GRE is the same as forwarding ports,
> except for -p 47 instead of the usual -p tcp or -p udp. There are some
> how-tos with examples.

    Why does the HOWTO require a kernel patch for GRE forwarding
(the ip_conntrack_pptp and ip_nat_pptp modules)?

    With respect,
    Dmitri A. Martynoff.

Post by bill davids » Sun, 27 Oct 2002 00:49:15

| > > I want to enable incoming Microsoft VPN connections to a Microsoft VPN
| > > server that is behind the firewall (in a private networks address, the
| > > firewall does NAT). How do I configure iptables to do that ?
|
|     I need exactly the same thing. I followed the HOWTO
| (ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html), but it
| does not work (timeout at password verification). Even more, it seems that a
| simplest port forwarding via ipchains/DNAT does not work:

If you are using a 2.4 kernel, did you remember to
  "echo 1 >/proc/sys/net/ipv4/ip_forward"
to make ANY forwarding work? I know, of course you did...

--

  "Before we bring democracy to Iraq, or even to Afghanistan, maybe we
should bring it to Florida."
                -Jon Stewart on "Daily Show":

iptables and gre forwarding for pptp/vpn

Did you get this working with Win9x machines? I have it working with Win2k
and NT machines but not Win9x. When I run tcpdump I see 1723 traffic go
through onto the internal interface but not GRE traffic...

Any ideas?

Thanks

-dan

-------------------------------------

The obvious thing is necessary to make iptables work with VPN, but it
took me a while to come up with it, so I hope this saves time for
someone with a Linux firewall in front of their Windows box.

/usr/local/bin/iptables -t nat -A PREROUTING -p 47 -i eth1 -j DNAT --to 10.0.0.2
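Putting the pieces from the thread together (Natman's "-p 47" match, bill's ip_forward reminder, and the PREROUTING DNAT rule above), here is an added example script that is not from any of the posts; it assumes eth1 is the external interface and 10.0.0.2 is the internal Windows VPN server, and running it with IPTABLES=echo only prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from any post in the thread: the complete set of
# rules for passing inbound PPTP through a 2.4-kernel iptables NAT box to an
# internal Microsoft VPN server. Interface and address are assumptions.
# Setting IPTABLES=echo turns every call into a dry run that prints the rule.
IPTABLES="${IPTABLES:-iptables}"

# pptp_forward_rules EXT_IF VPN_SERVER
#   EXT_IF     - interface facing the Internet (assumed eth1, as in dan's post)
#   VPN_SERVER - private address of the Windows VPN server (assumed 10.0.0.2)
pptp_forward_rules() {
    ext_if="$1"
    vpn="$2"

    # DNAT lives in the nat table's PREROUTING chain, not POSTROUTING: the
    # destination has to be rewritten before the routing decision is made.
    # PPTP control connection: TCP port 1723.
    "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 1723 \
        -j DNAT --to-destination "$vpn"
    # PPTP data: GRE, IP protocol 47. It has no ports, so the match is
    # just "-p 47" with no --dport, as Natman explains.
    "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -p 47 \
        -j DNAT --to-destination "$vpn"

    # After DNAT the packets still pass the FORWARD chain; with a default
    # DROP policy they need explicit ACCEPT rules in both directions.
    "$IPTABLES" -A FORWARD -i "$ext_if" -p tcp -d "$vpn" --dport 1723 -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$ext_if" -p 47 -d "$vpn" -j ACCEPT
    "$IPTABLES" -A FORWARD -o "$ext_if" -p tcp -s "$vpn" --sport 1723 -j ACCEPT
    "$IPTABLES" -A FORWARD -o "$ext_if" -p 47 -s "$vpn" -j ACCEPT
}

# bill's point: without this sysctl no forwarding happens at all.
enable_forwarding() {
    if [ "$IPTABLES" = "echo" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"   # dry run
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage as root:  enable_forwarding; pptp_forward_rules eth1 10.0.0.2
# Dry run: export IPTABLES=echo before sourcing this file and calling them.
```

A plain DNAT of all protocol-47 traffic to one address is enough for a single inbound PPTP server, because nothing inside the GRE stream needs rewriting. NATing several PPTP sessions through the same box (for example many internal clients dialing out) is what needs the ip_conntrack_pptp/ip_nat_pptp helpers the HOWTO mentions, since those track and rewrite the per-call GRE call IDs.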
