VPN Behind a redhat 7.3 gateway

Post by Michael Har » Fri, 11 Apr 2003 13:09:45



I am running an NT VPN server on a local subnet behind a RedHat 7.3 gateway.

I can log onto the NT VPN locally using its local net IP address (i.e. the
VPN seems to be set up correctly) but cannot log on through the gateway
(i.e. NAT appears to be not working correctly).

I have set up VPN masquerading as per
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

i.e.

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.0.40
/sbin/iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.0.40

I don't know if I have to patch the kernel or recompile it with various
options

I am using kernel 2.4.19

Kernel modules include IP tunnelling.

Any help appreciated !!!

Michael

Post by Joerg Morbitze » Fri, 11 Apr 2003 20:24:33



> I am running an NT VPN server on a local subnet behind a RedHat 7.3
> gateway.

> I can log onto the NT VPN locally using its local net IP address (i.e. the
> VPN seems to be set up correctly) but cannot log on through the gateway
> (i.e. NAT appears to be not working correctly).

> I have set up VPN masquerading as per
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

> i.e.

> /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.0.40
> /sbin/iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.0.40

> I don't know if I have to patch the kernel or recompile it with various
> options

> I am using kernel 2.4.19

> Kernel modules include IP tunnelling.

> Any help appreciated !!!

> Michael

It is always good to add more logging to your firewall rules, so before your
DNAT setup use the same rule with -j LOG and check the logs. Also, does the
NT VPN server have a correct route back to the originating IP address?

Post by Michael Har » Sat, 12 Apr 2003 06:10:01


Thanks Joerg,

I have created some logs.

Here is what they look like.  I am not sure what they mean.  It looks to me
like it's logging the request on the first line, but I have some rule
somewhere that blocks the NATed packet.

Apr 11 07:15:47 Gateway kernel: IN=eth1 OUT=
MAC=00:80:c8:4e:1a:33:00:50:ba:d1:a3:82:08:00 SRC=192.168.0.11
DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=26112 DF PROTO=TCP
SPT=1030 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 11 07:15:47 Gateway kernel: IN=eth1 OUT=eth1 SRC=192.168.0.11
DST=192.168.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26112 DF PROTO=TCP
SPT=1030 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 11 07:15:49 Gateway kernel: IN=eth1 OUT=
MAC=00:80:c8:4e:1a:33:00:50:ba:d1:a3:82:08:00 SRC=192.168.0.11
DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=26368 DF PROTO=TCP
SPT=1030 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 11 07:15:49 Gateway kernel: IN=eth1 OUT=eth1 SRC=192.168.0.11
DST=192.168.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26368 DF PROTO=TCP
SPT=1030 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0

I have default policies of DROP
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD

I have rules that let all input and output on the internal interface
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT

I have catchall rules for INPUT and OUTPUT packets for logging
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

Michael



> > I am running an NT VPN server on a local subnet behind a RedHat 7.3
> > gateway.

> > I can log onto the NT VPN locally using its local net IP address (i.e. the
> > VPN seems to be set up correctly) but cannot log on through the gateway
> > (i.e. NAT appears to be not working correctly).

> > I have set up VPN masquerading as per
> > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

> > i.e.

> > /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.0.40
> > /sbin/iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.0.40

> > I don't know if I have to patch the kernel or recompile it with various
> > options

> > I am using kernel 2.4.19

> > Kernel modules include IP tunnelling.

> > Any help appreciated !!!

> > Michael

> It is always good to add more logging to your firewall rules, so before your
> DNAT setup use the same rule with -j LOG and check the logs. Also, does the
> NT VPN server have a correct route back to the originating IP address?
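
The two kernel LOG lines in the post above are the pre-NAT (PREROUTING, OUT empty) and post-NAT (FORWARD, OUT set) views of the same SYN, matched by IP ID 26112: DST is rewritten from 192.168.0.1 to 192.168.0.12 and TTL drops from 128 to 127, so the DNAT rule itself fires. They also show IN=eth1 OUT=eth1: the translated packet leaves on the interface it arrived on, so the server's reply goes straight back to the client on the shared segment without passing through the gateway, and the client receives it from an address it never sent to. The script below is an added example, not code from the thread; it pairs pre- and post-NAT LOG entries with awk and flags exactly that condition. The sample input is the two lines from the post plus one constructed GRE (PROTO=47) entry with no FORWARD counterpart, to show the "not forwarded" case; that line and its ID are made up for the example.

```shell
#!/bin/sh
# Added example: pair iptables LOG lines logged before NAT (PREROUTING,
# OUT empty) with the FORWARD entry for the same packet (same protocol,
# source, source port and IP ID) and report what NAT did to each one.

# Constructed sample: the two lines quoted in the post, plus one made-up
# GRE entry (PROTO=47, ID=26400) that never reaches FORWARD.
SAMPLE_LOG='Apr 11 07:15:47 Gateway kernel: IN=eth1 OUT= MAC=00:80:c8:4e:1a:33:00:50:ba:d1:a3:82:08:00 SRC=192.168.0.11 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=26112 DF PROTO=TCP SPT=1030 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 11 07:15:47 Gateway kernel: IN=eth1 OUT=eth1 SRC=192.168.0.11 DST=192.168.0.12 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26112 DF PROTO=TCP SPT=1030 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 11 07:15:50 Gateway kernel: IN=eth1 OUT= MAC=00:80:c8:4e:1a:33:00:50:ba:d1:a3:82:08:00 SRC=192.168.0.11 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=26400 PROTO=47'

# pair_nat_log: read LOG lines on stdin, print one summary line per packet.
pair_nat_log() {
    awk '
    {
        split("", f)                        # clear the field table per line
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue            # flags such as DF or SYN carry no value
            f[substr($i, 1, p - 1)] = substr($i, p + 1)
        }
        if (!("SRC" in f)) next             # not an iptables LOG line
        key = f["PROTO"] " " f["SRC"] ":" f["SPT"] " id=" f["ID"]
        if (f["OUT"] == "") {               # logged before routing and NAT
            pre_dst[key] = f["DST"]
        } else {                            # logged in FORWARD, after DNAT
            post_dst[key] = f["DST"]; post_in[key] = f["IN"]; post_out[key] = f["OUT"]
        }
        seen[key] = 1
    }
    END {
        for (k in seen) {
            line = k
            if ((k in pre_dst) && (k in post_dst)) {
                if (pre_dst[k] != post_dst[k])
                    line = line " DNAT " pre_dst[k] " -> " post_dst[k]
                else
                    line = line " forwarded to " post_dst[k] " (no DNAT)"
                # Same interface in and out: the reply from the server will
                # reach the client directly and bypass the gateway.
                if (post_in[k] == post_out[k])
                    line = line " HAIRPIN in=out=" post_out[k]
            } else if (k in pre_dst) {
                line = line " to " pre_dst[k] " NOT FORWARDED"
            } else {
                line = line " forwarded to " post_dst[k] " (no pre-NAT entry)"
            }
            print line
        }
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | pair_nat_log
```

On the gateway, feed it `grep 'kernel:' /var/log/messages`. A packet that appears before NAT but never in FORWARD was dropped between the two log points or never matched the DNAT rule, which is where the catchall drop-and-log-it rule should be read next.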

Post by Michael Har » Sat, 12 Apr 2003 08:13:59



> Thanks Joerg,

> I have catchall rules for INPUT and OUTPUT packets for logging
> $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
> $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

I also have catchall rules on the FORWARD chain like
$IPTABLES -A FORWARD -j drop-and-log-it

When I make a rule before it saying
$IPTABLES -A FORWARD -i $INTIF -o $INTIF -j ACCEPT

(allowing forwarding on the internal interface both into and out of the Linux
box)

Most of the stuff that is logged disappears, but I still don't get a
connection.  Could this be because return packets are not automatically
NATed back to the originating computer?

Michael
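
Putting the thread's pieces together for a client arriving on the external interface: the DNAT rules from the first post only rewrite the destination address; with a FORWARD policy of DROP the translated packet still needs explicit ACCEPT rules in FORWARD, and the LOG rules Joerg suggests belong in front of the DNAT so the pre- and post-NAT records can be compared. The script below is an added example written for this page, not the poster's firewall script and not the rules from the impsec.org page. EXTIF=eth1 and the server address 192.168.0.40 are taken from the first post; INTIF=eth0 and the --log-prefix strings are assumptions. By default it only prints the rules it would add (IPTABLES=echo); set APPLY=1 and run it as root to pass them to /sbin/iptables.

```shell
#!/bin/sh
# Added example: PPTP pass-through (TCP/1723 control channel plus GRE,
# IP protocol 47) to one inside server through an iptables gateway.
# Interface and address values are assumptions except where the thread
# gives them (eth1 as the external interface, server 192.168.0.40).
EXTIF=${EXTIF:-eth1}
INTIF=${INTIF:-eth0}                        # assumed internal interface name
PPTP_SERVER=${PPTP_SERVER:-192.168.0.40}
if [ "${APPLY:-0}" = 1 ]; then IPTABLES=/sbin/iptables; else IPTABLES=echo; fi

pptp_passthrough_rules() {
    # 1. Log before translating, so the pre-NAT and post-NAT view of each
    #    packet can be paired in syslog (prefixes are assumed names).
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 1723 \
        -j LOG --log-prefix "pptp-ctl-pre: "
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p 47 \
        -j LOG --log-prefix "pptp-gre-pre: "

    # 2. Redirect the control channel and the GRE tunnel to the inside server.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 1723 \
        -j DNAT --to-destination "$PPTP_SERVER"
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p 47 \
        -j DNAT --to-destination "$PPTP_SERVER"

    # 3. DNAT only rewrites the address; FORWARD still decides whether the
    #    translated packet may pass. With a DROP policy these rules are
    #    required, and they are scoped to the one server and two protocols.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$PPTP_SERVER" \
        -p tcp --dport 1723 -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$PPTP_SERVER" \
        -p 47 -j ACCEPT

    # 4. Replies. The control channel rides on connection tracking; GRE has
    #    no ports, so allow it back out explicitly, from the server only.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$PPTP_SERVER" \
        -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$PPTP_SERVER" \
        -p 47 -j ACCEPT
}

pptp_passthrough_rules
```

These rules are for traffic entering on the external interface. A test from a client on the same segment as the server, as in the logs posted earlier in the thread, takes a different path (the reply never crosses the gateway) and is not covered by them.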


VPN on Redhat 7.3

I have a firewall-in-a-box that I use for my DSL connection that supports IPSec
and VPN and I am able to use VPN software to connect to a remote network.  I
have a Linux box that I just loaded Redhat 7.3 on (and have recently updated
everything with up2date) and would like to use it to replace the other box.  I
can get everything else working fine, but in spite of hours spent with google
searches, etc. I can't figure out what's needed to get VPN working over the
Linux machine.

I have read several things saying I need to patch the Kernel, but everything
that deals specifically with this version says I don't need to patch the kernel.
On the other hand, it's not working, so there must be something I'm doing wrong.

I started out with PMFirewall and have since also tried Seawall since that was
supposed to have VPN support, but Seawall gives an error message that it doesn't
support this kernel version.  I copied some examples of wide-open forwarding
rules and that didn't work either.

Any advice would be appreciated.

Thanks - Kevin
