Re: iptables + pptp + special case



merrittr <merrittr@xxxxxxxxx> wrote:
> I have a site with the iptables rules below (12/3/07 I added).
> Currently the firewall is set to forward all tcp:1723 and all GRE to
> the internal VPN server.
> However, they need one PC inside the org to connect to an outside VPN. I
> added the rules (12/3/07) hoping to add a special case whereby any
> tcp:1723 and GRE from STRATOS_SERVER (12.23.94.89) should be forwarded
> to the STRATOS_CLIENT PC. However, my iptables logic doesn't seem to
> add up. Can anyone shed some light on what might be the hang-up?
[...]
> #
> # outgoing to stratos VPN added 12/3/07
> #
>
> iptables -A PREROUTING -t nat -p tcp -d ${STRATOS_SERVER} --dport 1723 -j DNAT --to ${STRATOS_CLIENT}:1723
> iptables -A FORWARD -p tcp -d ${STRATOS_CLIENT} --dport 1723 -o eth1 -j ACCEPT
> iptables -A PREROUTING -t nat -p 47 -d ${STRATOS_SERVER} -j DNAT --to ${STRATOS_CLIENT}
> iptables -A FORWARD -p 47 -d ${STRATOS_CLIENT} -o eth1 -j ACCEPT

For outbound connections you need SNAT, not DNAT.

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.1

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich