Can't reach MS VPN server behind IPTABLES firewall


Post by J. Ka » Sat, 19 Jan 2002 01:06:41



I am in need of some help here.  I have searched all over the Internet
(including the comp.* newsgroups) for some help in configuring a RH
7.2 server running an IPTABLES firewall so that my users can access a
Microsoft VPN server running on NT that resides behind the firewall.

I've got the following in my firewall script:

#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

#
# Enable ip_forward, this is critical since it is turned off by default in
# Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source \
$INET_IP

[ ... ]

#
# VPN related packets get special forward rule
#

$IPTABLES -A FORWARD -p tcp -s $INET_IP --sport 1723 -d 10.1.1.1 \
--dport 1723 -j ACCEPT
$IPTABLES -A FORWARD -p 47 -s 0/0 \
-d 10.1.1.1 -j ACCEPT

[ ... ]

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed

------------------------------------------------------

Is this right?  Is this completely wrong?  What am I missing?  

I have been running Ethereal on my firewall box watching the traffic
come in from a client Win98 laptop.  I see the traffic come into the
firewall box, but at no time do I see the firewall forwarding the
traffic to the VPN server.

I also have what I think are the relevant statements from our older
IPFWADM firewall (running on an older RH server).  Maybe this would
help or someone could help translate it into IPTABLES commands?

---------------------------------------
ipportfw -C
ipportfw -A -t <INET_IP_ADDRESS>/1723 -R 10.1.1.1/1723
ipportfw -L
#
ipfwd --syslog --masq 10.1.1.1 47 &
----------------------------------------

Any help would be appreciated.

 
 
 

Can't reach MS VPN server behind IPTABLES firewall

Post by David Chuh » Sun, 20 Jan 2002 06:27:03



> I am in need of some help here.  I have searched all over the Internet
> (including the comp.* newsgroups) for some help in configuring a RH
> 7.2 server running an IPTABLES firewall so that my users can access a
> Microsoft VPN server running on NT that resides behind the firewall.

I'm assuming you're looking to connect using pptp based on the rest of your
message.  Also consider posting your entire iptables script.  I hope that your
default policies are DROP.  You'll need to accept ESTABLISHED traffic on the
FORWARD chain.  Try doing some logging to see what is not getting through.

> I've got the following in my firewall script:

[snip modprobes, kernel config and POSTROUTING rule]

> #
> # VPN related packets get special forward rule
> #

> $IPTABLES -A FORWARD -p tcp -s $INET_IP --sport 1723 -d 10.1.1.1 \
> --dport 1723 -j ACCEPT

You can't expect the packets to be coming from your $INET_IP nor should they
be from source port 1723 so remove the -s and --sport tags.

> $IPTABLES -A FORWARD -p 47 -s 0/0 \
> -d 10.1.1.1 -j ACCEPT

This is fine.

> [ ... ]

> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed

Not really sure what you are doing here except that "tcp_packets" and
"allowed" must be user defined chains, but you're not telling us what those
are or how they fit into the rest of the script.

[snip comments about setup for previous kernel configuration]

> ---------------------------------------
> ipportfw -C
> ipportfw -A -t <INET_IP_ADDRESS>/1723 -R 10.1.1.1/1723
> ipportfw -L
> #
> ipfwd --syslog --masq 10.1.1.1 47 &
> ----------------------------------------

The above is all unnecessary with iptables as it is now built in.  You'll need
rules in the nat table to accomplish what this used to do.

iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1723 -j DNAT \
--to 10.1.1.1:1723
iptables -t nat -A PREROUTING -i $EXTIF -p gre -j DNAT --to 10.1.1.1

Sorry about hacking up your message so bad, but the news server I use doesn't
allow me to post if I have less new content than the original message.

-Dave
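The rule set Dave's reply describes, written out as one script (an added example, not code from the thread): DNAT of TCP 1723 and GRE to the PPTP server, an ESTABLISHED,RELATED rule on FORWARD, and the 1723 rule without the -s/--sport restriction. Interface names eth0/eth1 and the logging rule are assumptions; 10.1.1.1 is the server address from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): PPTP pass-through for the NT server at
# 10.1.1.1 behind a Linux box whose chain policies are DROP.
# Assumptions: eth0 faces the Internet, eth1 the LAN; iptables autoloads
# iptable_nat, ipt_state and ipt_LOG; ip_forward is already enabled as in the
# original script. Set IPTABLES=echo to print the rules instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INET_IFACE="${INET_IFACE:-eth0}"      # assumed external interface
LAN_IFACE="${LAN_IFACE:-eth1}"        # assumed internal interface
VPN_SERVER="${VPN_SERVER:-10.1.1.1}"  # the PPTP server named in the thread

pptp_forward_rules() {
    # 1. nat table: send inbound PPTP control (TCP 1723) and GRE (protocol 47)
    #    to the VPN server. This replaces the old ipportfw/ipfwd pair.
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 1723 \
        -j DNAT --to-destination "$VPN_SERVER:1723"
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p gre \
        -j DNAT --to-destination "$VPN_SERVER"

    # 2. FORWARD: replies of tracked connections first (missing in the original).
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. New PPTP sessions: clients arrive from any address and any source port,
    #    so no -s/--sport match; only the destination is pinned.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp \
        -d "$VPN_SERVER" --dport 1723 -m state --state NEW -j ACCEPT

    # 4. GRE in both directions. Without a PPTP conntrack helper GRE is tracked
    #    by address pair only, so the server's outbound GRE is allowed explicitly.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p gre \
        -d "$VPN_SERVER" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -p gre \
        -s "$VPN_SERVER" -j ACCEPT

    # 5. Log what still hits the DROP policy, so a sniffer trace on the firewall
    #    can be matched against a kernel-side reason in syslog.
    $IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# "sh pptp-rules.sh load" applies the rules; "IPTABLES=echo sh pptp-rules.sh load"
# previews them without touching the kernel.
if [ "${1:-}" = "load" ]; then
    pptp_forward_rules
fi
```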

 
 
 

Can't reach MS VPN server behind IPTABLES firewall

Post by J. Ka » Thu, 24 Jan 2002 03:24:18



> I'm assuming you're looking to connect using pptp based on the rest of you're
> message.  Also consider posting your entire iptables script.  I hope that your
> default policies are DROP.  You'll need to accept ESTABLISHED traffic on the
> FORWARD chain.  Try doing some logging to see what is not getting through.

Yes, I am attempting to do this via PPTP on a variety of Windows
clients.  Yes, my default policies are set to DROP.

I appreciate your initial advice.  I'll take those and see if I can
figure out what is wrong with my IPTABLES rules.  I really want to
figure this out myself and wanted some basic hints at what I might be
missing.  If I can't make any headway, I will post back and probably
include my entire IPTABLES script.

Thanks again!
Joe K.

 
 
 
