Thanks Jeff. Wow, I thought this was going to be an easy task. :( Surely there must be thousands of others that have done just this.
     |---------------------|
   |-|----Client(9x,2K)----|
   | |---------------------|
   | |DSL Modem            |
   | |                     |
   | |---------------------|
   | |-----Internet--------|
   | |---------------------|
   | |        VPN
   | |        |Public IP
   | |--------------------------| Nat |------------|
   | |----Firewall--------------|-----|Workstations|
   | |--Debian 2.2 W2.4Kernel---|     |------------|
   | |--------------------------|     192.168.0.10-200
   | NAT |192.168.0.1
   | |
   | |
   | |----------------------------|
   | |---Windows NT 4.0 Server----|
   |-|---PP2P Installed-----------|
     |----------------------------|
     192.168.0.2

Need up to 6 VPN connections to the NT Server. Is this possible? Or is there just a better way to go about this? They don't have any money for Cisco or Hard Firewall.

At first I was going to use 2.2 Kernel because I read if you recompile the kernel and install ipfwd you can GRE multi connections across, but now I just read that 2.4 hasn't been configured to allow multi connects across, but the date of the article is old. Oh how confusing this is.

Cheers
-Dave

-----Original Message-----
From: Jeff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 06, 2002 10:14 AM
To: Debian User
Subject: Re: VPN on Kernel 2.4.18

Dave Scott, 2002-Mar-06 02:03 -0800:
> Question on Kernel 2.4.18 and Netfilter
>
> Is there any way to forward GRE packets through Netfilter to a specific
> Server behind the firewall?
>
> Also, can you have multiple GRE connections through the firewall at any
> given time?
>
> -Dave

Dave,

You ought to be able to forward based on the protocol number (47). I don't know about the multiple connections.
I'm guessing here:

    iptables -t nat -A PREROUTING -i $INETIF -p 47 -j DNAT --to-destination 10.10.10.10

However, consider the security issues:

- you should consider terminating the tunnel at the firewall, then letting
  the firewall handle the packets from there
- GRE has no data encryption, so consider encryption prior to GRE
  encapsulation - if not encrypted, anyone can read the data in the packet
- if the MTU and Fragmentation settings are not set properly, DOS attacks
  (whether intentional or inadvertent) are possible

--
Jeff Coppock
Systems Engineer
Diggin' Debian
Admin and User
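The rule set I would put on the Debian firewall for the layout in Dave's diagram, as an added example that is not from either mail in this thread. Forwarding a PPTP session through netfilter needs two pieces that the thread only hints at: the TCP/1723 control channel and the GRE (protocol 47) data channel both have to be DNATed to the NT server, and both have to be allowed through the FORWARD chain. Because every protocol-47 datagram arriving from the Internet is sent to the same internal host, the firewall never has to tell one tunnel from another, so the number of inbound client sessions is not limited by these rules; the "multiple GRE connections" problem Dave read about concerns several workstations behind the NAT dialling out to the same PPTP server, which needs a PPTP connection-tracking helper the stock 2.4 kernel does not have. The server address 192.168.0.2 and the 192.168.0.0/24 LAN come from the diagram; the interface names ppp0 and eth0, a default DROP policy on FORWARD, and the dry-run variable IPT are my assumptions. The last rule addresses Jeff's MTU/fragmentation point by clamping the TCP MSS on the DSL link.

```shell
#!/bin/sh
# Added example: PPTP/GRE pass-through for a Linux 2.4 netfilter firewall
# that NATs a small LAN and forwards inbound PPTP to one internal server.
# 192.168.0.2 and 192.168.0.0/24 are taken from the diagram in the thread;
# ppp0, eth0 and the DROP default policy on FORWARD are assumptions.

INETIF="${INETIF:-ppp0}"                   # assumed: external (DSL) interface
LANIF="${LANIF:-eth0}"                     # assumed: internal interface
LAN="${LAN:-192.168.0.0/24}"               # from the diagram
PPTP_SERVER="${PPTP_SERVER:-192.168.0.2}"  # Windows NT 4.0 server from the diagram
IPT="${IPT:-iptables}"                     # IPT="echo iptables" prints rules instead

pptp_passthrough_rules() {
    # 1. Control channel: PPTP clients open TCP/1723; hand it to the NT server.
    $IPT -t nat -A PREROUTING -i "$INETIF" -p tcp --dport 1723 \
        -j DNAT --to-destination "$PPTP_SERVER"

    # 2. Data channel: every GRE (protocol 47) datagram from the Internet goes to
    #    the same server. GRE has no ports, but since all of it lands on one host
    #    the firewall needs no per-tunnel state, so many inbound sessions work.
    $IPT -t nat -A PREROUTING -i "$INETIF" -p 47 \
        -j DNAT --to-destination "$PPTP_SERVER"

    # 3. Let the DNATed traffic through FORWARD (default policy DROP assumed).
    $IPT -A FORWARD -i "$INETIF" -o "$LANIF" -d "$PPTP_SERVER" \
        -p tcp --dport 1723 -j ACCEPT
    $IPT -A FORWARD -i "$INETIF" -o "$LANIF" -d "$PPTP_SERVER" -p 47 -j ACCEPT

    # 4. Replies from the server back towards the Internet.
    $IPT -A FORWARD -i "$LANIF" -o "$INETIF" -s "$PPTP_SERVER" \
        -p tcp --sport 1723 -j ACCEPT
    $IPT -A FORWARD -i "$LANIF" -o "$INETIF" -s "$PPTP_SERVER" -p 47 -j ACCEPT

    # 5. Ordinary outbound NAT for the workstations.
    $IPT -t nat -A POSTROUTING -o "$INETIF" -s "$LAN" -j MASQUERADE

    # 6. MTU point from the thread: clamp the TCP MSS on SYNs leaving the DSL link
    #    so encapsulated traffic fits the path MTU and is never fragmented.
    $IPT -A FORWARD -o "$INETIF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Usage:  sh pptp-pass.sh          -> print the rules (dry run)
#         sh pptp-pass.sh apply    -> load them into the running kernel
case "${1:-}" in
    apply) pptp_passthrough_rules ;;
    *)     IPT="echo iptables"; pptp_passthrough_rules ;;
esac
```

Load the rules with `sh pptp-pass.sh apply` once the dry-run output looks right; the script only defines the function and prints the rules unless asked to apply, so it is safe to run on a machine without root or without netfilter.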