iptables + pptp + special case



I have a site with the iptables rules below (12/3/07 I added). Currently the firewall is set to forward all tcp:1723 and all GRE to the internal VPN server.
However, they need one PC inside the org to connect to an outside VPN, so I added the rules (12/3/07) hoping to add a special case whereby any tcp:1723 and GRE from STRATOS_SERVER (12.23.94.89) should be forwarded to the STRATOS_CLIENT PC. However, my iptables logic doesn't seem to add up. Can anyone shed some light on what might be the hang-up?

VPN_SERVER_IP=192.168.0.62
STRATOS_CLIENT=192.168.0.31
STRATOS_SERVER=12.23.94.89

#
# incoming from home to our VPN added 22/1/06
#

iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 1723 -j DNAT --to ${VPN_SERVER_IP}:1723
iptables -A FORWARD -p tcp -d ${VPN_SERVER_IP} --dport 1723 -o eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p 47 -d ${OUTSIDE_IP} -j DNAT --to ${VPN_SERVER_IP}
iptables -A FORWARD -p 47 -d ${VPN_SERVER_IP} -o eth1 -j ACCEPT

#
# outgoing to stratos VPN added 12/3/07
#

iptables -A PREROUTING -t nat -p tcp -d ${STRATOS_SERVER} --dport 1723 -j DNAT --to ${STRATOS_CLIENT}:1723
iptables -A FORWARD -p tcp -d ${STRATOS_CLIENT} --dport 1723 -o eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p 47 -d ${STRATOS_SERVER} -j DNAT --to ${STRATOS_CLIENT}
iptables -A FORWARD -p 47 -d ${STRATOS_CLIENT} -o eth1 -j ACCEPT
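An added rule set (not the poster's rules) that puts the special case where it will actually match: the 12/3/07 rules test `-d ${STRATOS_SERVER}`, which is the destination of the client's own outbound packets, while packets arriving from Stratos carry `${OUTSIDE_IP}` as destination and so fall through to the 22/1/06 rule that hands every inbound GRE to the internal VPN server. It assumes eth0 is the outside interface and eth1 the LAN (as the `-o eth1` rules suggest), uses a placeholder for `OUTSIDE_IP`, and wraps iptables in a `DRY_RUN` helper that prints the commands so the rule order can be checked without touching a firewall.

```shell
# Added example, not the poster's configuration. The special case must match
# on the SOURCE (packets from Stratos to our outside address) and must be
# evaluated before the general "anything to OUTSIDE_IP" DNAT, because iptables
# takes the first matching rule in a chain.
# Assumed: eth0 = outside, eth1 = LAN; OUTSIDE_IP below is a placeholder.
OUTSIDE_IP=${OUTSIDE_IP:-203.0.113.10}   # placeholder, not the poster's address
VPN_SERVER_IP=192.168.0.62
STRATOS_CLIENT=192.168.0.31
STRATOS_SERVER=12.23.94.89
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = really call iptables

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_pptp_rules() {
    # Special case first. Only GRE *from* Stratos needs redirecting: the
    # TCP 1723 control channel is opened by the client, so conntrack already
    # maps its replies back and no DNAT for port 1723 is needed.
    ipt -t nat -A PREROUTING -p 47 -s "$STRATOS_SERVER" -d "$OUTSIDE_IP" -j DNAT --to "$STRATOS_CLIENT"
    ipt -A FORWARD -p 47 -s "$STRATOS_SERVER" -d "$STRATOS_CLIENT" -o eth1 -j ACCEPT

    # General case (22/1/06): everything else to OUTSIDE_IP goes to the
    # internal VPN server. Appended after the special case, so it only sees
    # GRE that did not come from Stratos.
    ipt -t nat -A PREROUTING -p tcp -d "$OUTSIDE_IP" --dport 1723 -j DNAT --to "$VPN_SERVER_IP:1723"
    ipt -A FORWARD -p tcp -d "$VPN_SERVER_IP" --dport 1723 -o eth1 -j ACCEPT
    ipt -t nat -A PREROUTING -p 47 -d "$OUTSIDE_IP" -j DNAT --to "$VPN_SERVER_IP"
    ipt -A FORWARD -p 47 -d "$VPN_SERVER_IP" -o eth1 -j ACCEPT

    # Outbound half of the client's session, limited to the one client and
    # the one server (needed if FORWARD defaults to DROP; MASQUERADE shown
    # for completeness, the site probably has it already).
    ipt -A FORWARD -p tcp -s "$STRATOS_CLIENT" -d "$STRATOS_SERVER" --dport 1723 -i eth1 -j ACCEPT
    ipt -A FORWARD -p 47 -s "$STRATOS_CLIENT" -d "$STRATOS_SERVER" -i eth1 -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$STRATOS_CLIENT" -o eth0 -j MASQUERADE
}

apply_pptp_rules
```

Run with `DRY_RUN=0` to apply the rules for real. If the kernel's PPTP helper (nf_conntrack_pptp / nf_nat_pptp) is loaded, the GRE of the client-initiated call is tracked as RELATED and NATed back automatically, but the ordering point still holds for any GRE that arrives before the helper has seen the call.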
