Masq'g a pptp win2k vpn server through linux - need help...

Post by Jason » Tue, 20 Aug 2002 16:10:12

Hi everybody,

As the subject says, I'm trying to masq connections to a win2k vpn
server that is behind a linux router/firewall.  I'm having trouble
getting it to work, even though I've spent the last week
studying everything I could find on the net on how to do it.  Any help
would be greatly appreciated....

The network is as follows:

Linux Server:
eth0 (192.168.1.254) connects to the local lan  
eth1 (192.168.3.1) connects to another business that shares the same
net connection
eth2 (x.x.x.x) connects to the internet (public ip address via a high
speed connection - I won't display the ip here as I don't want to
advertise that it has (well will do) a pptp server running on it)
eth3 (192.168.2.1) connects to the win2k vpn server

The ip of the win2k vpn server is 192.168.2.2 (plus a second interface
192.168.1.2 that connects to the LAN)

I'm using Debian woody 3.0r0.  I downloaded a clean 2.2.19 kernel from
kernel.org (had problems patching the one that came with debian) and
applied the pptp masq patch to it.  I compiled the kernel successfully
and modprobed in the ip_masq_pptp module successfully to give the kernel
pptp masq support.

I got the source and compiled ipfwd successfully.  I followed the docs
on the net and, after two days of trying various rules, managed to get
the pptp masq'g to work on a test private ip network (masqing from one
192.168.x.x network to another via a linux box with two cards in it),
but when I tried today to get the same setup running on a public ip
address I couldn't get it to work, and I'm really lost as to why it's
not going.  Here are the settings I used.  Any suggestions/comments on
what may be wrong with them, or suggestions on how to trace the fault,
would be greatly appreciated.

My firewall script is as follows (with various port forwardings to
other computers such as mail servers cut out for simplicity's sake):

ipchains -P input accept
ipchains -P output accept
ipchains -P forward DENY

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

ipchains -M -S 7200 10 160

# masq subnets to net to enable net access
ipchains -A forward -i eth2 -s 192.168.1.0/24 -j MASQ
ipchains -A forward -i eth2 -s 192.168.2.0/24 -j MASQ
ipchains -A forward -i eth2 -s 192.168.3.0/24 -j MASQ

#forward incoming control connections to the vpn box
ipmasqadm portfw -a -P tcp -L <external ip> 1723 -R 192.168.2.2 1723

# masq incoming control and data vpn connections
ipchains -A forward -p tcp -s 0.0.0.0/0 -d 192.168.2.2/24 1723 -i eth3 -j MASQ
ipchains -A forward -p 47 -s 0.0.0.0/0 -d 192.168.2.2/24 -i eth3 -j MASQ

# forwards initial data connections to the vpn box
ipfwd --masq 192.168.2.2 47 &

The above commands look right to me; any ideas would be greatly
appreciated.... I'm really lost, and I really need to have this working
by tomorrow at the latest...

-Thanks Jason
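One check worth running on rules like the two "-d 192.168.2.2/24" masq lines in the script above is what address range such a destination spec actually covers: a host address written with a /24 prefix is treated by ipchains as the whole 192.168.2.0/24 network, not the single VPN host. The following POSIX sh snippet is an added example, not code from the original post; the function names (ip2int, cidr_network, cidr_matches) are my own, it performs no ipchains calls, and the rule specs it tests are taken from the script above.

```shell
#!/bin/sh
# Added example: work out the effective network behind an "addr/prefix"
# destination spec, so a rule's real scope can be compared with its intent.

# dotted quad -> 32-bit integer (assumes a well-formed IPv4 address)
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit netmask for a prefix length (0..32) as an integer
prefix_mask() {
  echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Print the network a spec really covers, e.g. 192.168.2.2/24 -> 192.168.2.0/24.
# A bare address with no prefix is treated as a /32 host match.
cidr_network() {
  addr=${1%/*}; plen=${1#*/}
  [ "$plen" = "$1" ] && plen=32
  n=$(( $(ip2int "$addr") & $(prefix_mask "$plen") ))
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))/$plen"
}

# Does the spec match the given host? Prints yes or no.
cidr_matches() {
  spec=$1; host=$2
  plen=${spec#*/}; [ "$plen" = "$spec" ] && plen=32
  mask=$(prefix_mask "$plen")
  if [ $(( $(ip2int "${spec%/*}") & mask )) -eq $(( $(ip2int "$host") & mask )) ]; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample: the destination specs from the post, plus the /32 form.
for spec in 192.168.2.2/24 192.168.2.2/32 192.168.2.2; do
  printf '%-18s covers %-18s matches 192.168.2.77? %s\n' \
    "$spec" "$(cidr_network "$spec")" "$(cidr_matches "$spec" 192.168.2.77)"
done
```

The loop at the end shows the point directly: the /24 spec reports that it also matches an unrelated host on the same subnet, while the /32 (or bare address) form matches only the VPN server, which is the scope a MASQ rule for a single server is normally meant to have.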