Can't reach MS VPN server behind IPTABLES firewall

From: J. Kang (jskang0l@yahoo.com)
Date: 17 Jan 2002 08:06:41 -0800


    I am in need of some help here. I have searched all over the Internet
    (including the comp.* newsgroups) for some help in configuring a RH
    7.2 server running an IPTABLES firewall so that my users can access a
    Microsoft VPN server running on NT that resides behind the firewall.

    I've got the following in my firewall script:

    #
    # Adds some iptables targets like LOG, REJECT and MASQUERADE.
    #
    /sbin/modprobe ipt_LOG
    #/sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_MASQUERADE

    #
    # Support for owner matching
    #
    #/sbin/modprobe ipt_owner

    #
    # Support for connection tracking of FTP and IRC.
    #
    /sbin/modprobe ip_conntrack_ftp
    #/sbin/modprobe ip_conntrack_irc

    #
    # Enable ip_forward, this is critical since it is turned off as default in
    # Linux.
    #

    echo "1" > /proc/sys/net/ipv4/ip_forward

    #
    # Enable simple IP Forwarding and Network Address Translation
    #

    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

    [ ... ]

    #
    # VPN related packets get special forward rule
    #

    $IPTABLES -A FORWARD -p tcp -s $INET_IP --sport 1723 -d 10.1.1.1 --dport 1723 -j ACCEPT
    $IPTABLES -A FORWARD -p 47 -s 0/0 -d 10.1.1.1 -j ACCEPT

    [ ... ]

    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed

    ------------------------------------------------------

    Is this right? Is this completely wrong? What am I missing?

    I have been running Ethereal on my firewall box watching the traffic
    come in from a client Win98 laptop. I see the traffic come into the
    firewall box, but at no time do I see the firewall forwarding the
    traffic to the VPN server.

    I also have what I think are the relevant statements from our older
    IPFWADM firewall (running on an older RH server). Maybe this would
    help or someone could help translate it into IPTABLES commands?

    ---------------------------------------
    ipportfw -C
    ipportfw -A -t <INET_IP_ADDRESS>/1723 -R 10.1.1.1/1723
    ipportfw -L
    #
    ipfwd --syslog --masq 10.1.1.1 47 &
    ----------------------------------------

    Any help would be appreciated.
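The piece the posted rule set lacks, as an added example that is not part of the original post or its replies: the netfilter equivalent of the old `ipportfw -A -t <INET_IP>/1723 -R 10.1.1.1/1723` and `ipfwd --masq 10.1.1.1 47` lines. The script above only ACCEPTs in the FORWARD chain; nothing rewrites the destination address, so a packet arriving for $INET_IP:1723 is delivered to the firewall's own TCP stack and never reaches FORWARD, which is consistent with Ethereal seeing the client traffic arrive but nothing being forwarded. The FORWARD rule that matches `-s $INET_IP --sport 1723` also cannot match client traffic, since clients connect from an ephemeral source port to destination port 1723. The fix is a DNAT in the nat table's PREROUTING chain for TCP/1723 and for GRE (IP protocol 47, which has no ports), plus FORWARD rules in both directions. The function below prints the rules instead of running them so they can be reviewed before being piped to `sh` as root; the interface name, public address and `iptables` path are placeholders, and the default values (eth0, 203.0.113.5, 10.1.1.1) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): PPTP pass-through on a
# 2.4-kernel iptables NAT box, the netfilter equivalent of
#   ipportfw -A -t <INET_IP>/1723 -R 10.1.1.1/1723
#   ipfwd --masq 10.1.1.1 47
# Assumptions: INET_IFACE / INET_IP / VPN_IP are placeholders; the defaults
# used at the bottom (eth0, 203.0.113.5, 10.1.1.1) are constructed values.

IPTABLES=${IPTABLES:-/sbin/iptables}

# pptp_forward_rules IFACE PUBLIC_IP VPN_IP
# Prints one iptables command per line instead of executing it, so the rule
# set can be inspected first and then piped to "sh" as root.
pptp_forward_rules() {
    iface=$1
    pub=$2
    vpn=$3
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $iface -d $pub -p tcp --dport 1723 -j DNAT --to-destination $vpn
$IPTABLES -t nat -A PREROUTING -i $iface -d $pub -p 47 -j DNAT --to-destination $vpn
$IPTABLES -A FORWARD -i $iface -d $vpn -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $iface -d $vpn -p 47 -j ACCEPT
$IPTABLES -A FORWARD -o $iface -s $vpn -p tcp --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $iface -s $vpn -p 47 -j ACCEPT
EOF
}

# Number of rules the set contains. Useful as a sanity check before re-running
# a firewall script: "iptables -A" appends blindly and never de-duplicates.
pptp_rule_count() {
    pptp_forward_rules "$@" | grep -c -- '-A '
}

# Review:  sh pptp-rules.sh
# Apply:   sh pptp-rules.sh | sh      (as root)
pptp_forward_rules "${INET_IFACE:-eth0}" "${INET_IP:-203.0.113.5}" "${VPN_IP:-10.1.1.1}"
```

A few things to check when applying this. The VPN server's default gateway must be the firewall, otherwise its replies bypass the connection-tracking table and are never un-NATed. No PPTP-specific helper is needed for a single server behind the NAT: the generic conntrack entry created for protocol 47 is keyed on the two addresses, which is enough to map the server's GRE replies back to the client (the `ip_conntrack_pptp`/`ip_nat_pptp` helpers, patch-o-matic on 2.4 kernels, only matter when several PPTP clients on the inside share one public address). Since GRE carries no port, only one internal PPTP server can be published per public IP. Finally, `-m state` loads `ipt_state`; if the firewall script builds its chains with a DROP policy, these rules must sit before any catch-all LOG/DROP rule in FORWARD.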


