VPN to W2k with PPTP over Linux firewall Problem

Post by Simon Arn » Sat, 09 Aug 2003 19:51:45



Hello,
I'm having problems setting up port forwarding for PPTP on a Linux box to a
W2K VPN server.
I'm running SuSE 7.2 with a 2.4.19 kernel with the PPTP-Masquerade patch
applied.
I managed to connect to my server using its IP, but cannot get port
forwarding to run.
My setup:

Linux Box:
3 NICs:
eth0 172.23.71.99/20 to internal LAN
eth1 192.168.0.23/24 to Router-Subnet
eth2 192.168.10.1/24 to DMZ

W2K:
192.168.10.2/24 in the DMZ

iptables FORWARD policy is set to "ACCEPT".
I added port forwarding for TCP port 1723 and GRE to the Windows server with
 iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to 192.168.10.2:1723
 iptables -A PREROUTING -i eth0 -p 47 -j ACCEPT --to 192.168.10.2
Port forwarding itself works; I tested that by forwarding port 80 to an Apache
server running on the W2K box.
Accessing the W2K box with its IP was possible by SNATing traffic on eth2
to the Linux box's IP.
When trying out port forwarding I watched the traffic on eth2 and saw eth2
sending packets to the W2K box but no responses.

Any Idea?
Thanks, Simon


Post by Michael Har » Sun, 10 Aug 2003 14:56:45


I found that for a PPTP server behind a Red Hat firewall (using kernel
2.4.20) it does not work if the PPTP-Masquerade patch is installed.  It will
only work if the PPTP iptables kernel modules are NOT loaded.  The patch
only works for connections started from the internal LAN.  It's a one-way
patch and assumes the client is the thing that needs masquerading.  (Yes,
unloading the kernel modules from memory was enough to make it go - I didn't
have to undo the patch completely.)

You will not be able to run more than one client on the same subnet as you
have the server.

Furthermore there may be issues with the MTU (I haven't sorted it out
completely).  I can only get it to connect and log on if windump is running
on the server at the moment.  This may be an issue which has to be adjusted
by changing the MTU at the WinXP client end.  (This is the case even though
I can connect internally from another machine using the IP address, like you.)

Furthermore if you are using Win2K you may need to either forward the IPSec
ports or turn IPSec off.

Hope this helps.  Let us know how you go.

Michael...


Quote:> Hello,
> I'm having problems setting up port forwarding for PPTP on a Linux Box to a
> W2k VP-server.
> I'm running Suse 7.2 with a 2.4.19 Kernel with PPTP-Masquerade patch
> applied.
> I managed to connect to my Server using its IP,but cannot get port
> forwarding to run.
> My setup:

> Linux Box:
> 3 NICs:
> eth0 172.23.71.99/20 to internal LAN
> eth1 192.168.0.23/24 to Router-Subnet
> eth2 192.168.10.1/24 to DMZ

> W2K:
> 192.168.10.2/24 in the DMZ

> iptables FORWARD policy is set to "ACCEPT",
> I added with
>  iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to 192.168.10.2:1723
>  iptables -A PREROUTING -i eth0 -p 47 -j ACCEPT --to 192.168.10.2
> port forwarding for TCP port 1723 and GRE to the Windows server. Port
> forwarding itself works, I tested that by forwarding port 80 to a apache
> server running on the W2K-box.
> Accessing the W2K-box with its IP was possible using SNATing traffic on eth2
> to the Linux box's IP.
> When trying out port forwarding I watched the traffic on eth2 and saw eth2
> sending packets to the W2k-box but no responses.

> Any Idea?
> Thanks, Simon



Post by Michael Har » Mon, 11 Aug 2003 18:18:09



Quote:>  iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to 192.168.10.2:1723
>  iptables -A PREROUTING -i eth0 -p 47 -j ACCEPT --to 192.168.10.2

As well as my previous post

Oops - just noticed you have forwarded UDP packets in the first rule.  You
need to forward TCP packets.

Also you have used the -D option, when the -A option is used to add rules.

The second rule seems a bit weird as well, because protocol 47 also has to be
forwarded.

Firstly you need to allow the data to access the nat table

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p 47 -j ACCEPT

you need to let data out from the internal network and related data in

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

then you need to forward PPTP on both protocols to your Win2K server

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1723 -j DNAT --to 192.168.10.2
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p 47 -j DNAT --to 192.168.10.2

you also need a way for the server to talk back through the firewall
Masquerade/SNAT

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

or

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

Quote:> port forwarding for TCP port 1723 and GRE to the Windows server. Port
> forwarding itself works, I tested that by forwarding port 80 to a apache
> server running on the W2K-box.
> Accessing the W2K-box with its IP was possible using SNATing traffic on eth2
> to the Linux box's IP.
> When trying out port forwarding I watched the traffic on eth2 and saw eth2
> sending packets to the W2k-box but no responses.

> Any Idea?
> Thanks, Simon


Post by Simon Arn » Tue, 12 Aug 2003 18:32:40


Hi,
like this it works:
#NAT for outgoing Traffic
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.23
#for inbound VPN-Traffic
iptables -A FORWARD -i eth0 -o eth2 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -p 47 -j ACCEPT
#outbound VPN-Traffic
iptables -A FORWARD -i eth2 -o eth0 -p 47 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.10.2
iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.10.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.10.1
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 172.23.71.99

The last line (SNATing the response from the VPN-Server) did the trick.
Thank you for the help
Simon.





> >  iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to 192.168.10.2:1723
> >  iptables -A PREROUTING -i eth0 -p 47 -j ACCEPT --to 192.168.10.2

> As well as my previous post

> OOps - just noticed youhave forwarded udp packets in the first rule.  You
> need to forward tcp packets.

> Also you have used the -D option when the -A option is used to add rules.

> The second rule seem a bit weired as well because protocol 47 also has to be
> forwarded

> Firstly you need to allow the data to access the nat table

> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1723 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p 47 -j ACCEPT

> you need to let data out from the internal network and related data in

> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

> then you need to forward PPTP on both protocols to your Win2K server

> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1723 -j DNAT --to 192.168.10.2
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p 47 -j DNAT --to 192.168.10.2

> you also need a way for the server to talk back through the firewall
> Masquerade/SNAT

> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

> or

> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

> > port forwarding for TCP port 1723 and GRE to the Windows server. Port
> > forwarding itself works, I tested that by forwarding port 80 to a apache
> > server running on the W2K-box.
> > Accessing the W2K-box with its IP was possible using SNATing traffic on eth2
> > to the Linux box's IP.
> > When trying out port forwarding I watched the traffic on eth2 and saw eth2
> > sending packets to the W2k-box but no responses.

> > Any Idea?
> > Thanks, Simon
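
As an added example (not code from the thread or from either poster), the following POSIX shell script turns the working ruleset above into a dry-run generator plus a linter. The interface names, addresses and PPTP server are the ones from the thread; the function names, the --apply flag and the lint messages are assumptions. The generator tightens Simon's final rules to the single DMZ host and SNATs only DMZ-bound traffic; it does not reproduce the extra SNAT on eth0, so check it against your own setup. The linter reads any iptables command list and reports the mistakes Michael pointed out in the first attempt (UDP instead of TCP for 1723, -D where -A was meant, PREROUTING without -t nat, --to on an ACCEPT target) and whether the three pieces the thread found necessary (DNAT for TCP/1723, DNAT for GRE, a POSTROUTING SNAT/MASQUERADE for the return path) are all present.

```shell
#!/bin/sh
# Added example, not code from the thread.  Generates the LAN -> DMZ PPTP
# forwarding ruleset for a three-NIC Linux firewall (eth0 LAN, eth2 DMZ,
# PPTP server 192.168.10.2 as in the thread) and lints a ruleset for the
# mistakes the thread turned up.  Defaults are the thread's addresses; the
# function names, the --apply flag and the lint messages are assumptions.

LAN_IF="${LAN_IF:-eth0}"              # where the PPTP clients live
DMZ_IF="${DMZ_IF:-eth2}"              # where the W2K PPTP server lives
DMZ_GW="${DMZ_GW:-192.168.10.1}"      # firewall's own DMZ address
PPTP_SRV="${PPTP_SRV:-192.168.10.2}"  # the PPTP server

# Print, one per line, the rules for a FORWARD chain whose policy is DROP:
# TCP/1723 control + GRE (IP protocol 47) in, replies and server-initiated
# GRE out, DNAT both protocols to the server, SNAT the return path to the
# firewall's DMZ address.  This only prints; nothing is applied here.
pptp_rules() {
  lan_if=$1; dmz_if=$2; dmz_gw=$3; srv=$4
  cat <<EOF
iptables -A FORWARD -i $lan_if -o $dmz_if -d $srv -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $lan_if -o $dmz_if -d $srv -p 47 -j ACCEPT
iptables -A FORWARD -i $dmz_if -o $lan_if -s $srv -p 47 -j ACCEPT
iptables -A FORWARD -i $dmz_if -o $lan_if -s $srv -p tcp --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 1723 -j DNAT --to-destination $srv
iptables -t nat -A PREROUTING -i $lan_if -p 47 -j DNAT --to-destination $srv
iptables -t nat -A POSTROUTING -o $dmz_if -d $srv -j SNAT --to-source $dmz_gw
EOF
}

# Read iptables commands on stdin and print one line per defect; no output
# means the ruleset passes.  Per-line checks are the errors from the first
# attempt in the thread; the END block checks that the three pieces the
# thread found were all required are present.
lint_pptp_rules() {
  awk '
    /--dport 1723/ && /-p udp/ { print "udp for 1723: the PPTP control channel is TCP" }
    / -D /                     { print "-D deletes a rule; use -A to append" }
    /PREROUTING/ && !/-t nat/ && !/-t mangle/ && !/-t raw/ { print "PREROUTING needs -t nat" }
    /-j ACCEPT/ && /--to/      { print "--to belongs to NAT targets (DNAT/SNAT), not ACCEPT" }
    /-t nat/ && /PREROUTING/ && /-p tcp/ && /--dport 1723/ && /-j DNAT/ { tcp = 1 }
    /-t nat/ && /PREROUTING/ && /-p (47|gre)/ && /-j DNAT/              { gre = 1 }
    /-t nat/ && /POSTROUTING/ && /-j (SNAT|MASQUERADE)/                 { snat = 1 }
    END {
      if (!tcp)  print "missing: DNAT of tcp/1723 to the PPTP server"
      if (!gre)  print "missing: DNAT of GRE (protocol 47) to the PPTP server"
      if (!snat) print "missing: POSTROUTING SNAT/MASQUERADE for the return path"
    }
  '
}

# Dry run by default: show the rules, then lint them.  --apply feeds them to
# sh, which needs root and only makes sense with a FORWARD policy of DROP.
case "${1:-}" in
  --apply)
    pptp_rules "$LAN_IF" "$DMZ_IF" "$DMZ_GW" "$PPTP_SRV" | sh -e ;;
  *)
    rules=$(pptp_rules "$LAN_IF" "$DMZ_IF" "$DMZ_GW" "$PPTP_SRV")
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | lint_pptp_rules ;;
esac
```

Run it with no arguments to see the rules and confirm the linter is silent, or pipe any saved rule list into `lint_pptp_rules` to catch the udp/-D/--to mistakes before they reach a live firewall. Matching on `-d`/`-s` with the server address keeps the DNAT and the SNAT from applying to anything else on the DMZ, which is the least-privilege version of the broad `-o eth2 -j SNAT` in the working post. Note Michael's finding above: with the PPTP-Masquerade helper modules loaded, the inbound (server-side) case did not work for him at all, so if these rules look right and the GRE still goes unanswered, try with those modules unloaded.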


Post by Michael Har » Wed, 13 Aug 2003 06:54:43



Quote:> Hi,
> like this it works:

> The last line (SNATing the response from the VPN-Server) did the trick.
> Thank you for the help
> Simon.

Damn.  I wish I could get mine working properly now.  I think I have MTU
issues but I am not sure.

michael


1. VPN From W2K/Pro to W2K Server Doesn't Work Through IPCHAINS Firewall

I am trying to access a remote server via VPN.

The server is W2K/SP2 running ISA.

My local computer is W2K/Pro with SP2, on a LAN whose gateway is Redhat
Linux v7.0 running an IPCHAINS-based firewall which also performs
NATting/Forwarding. The Linux accesses the Internet through ADSL.

When I try to connect to the remote server, I get "Verifying Username and
Password", but after about 15 secs it fails with message 721. The firewall
log shows no violations.

Everyone else succeeds in accessing from their ISP's dialup. I am the first
person to try to access it from an external LAN.

What am I doing wrong?

--
TIA
Meron Lavie

NOTE: THERE IS NO "2" IN MY REAL EMAIL ADDRESS: ANTI-SPAM!!!
