Ok, so I have upgraded to 7.3, which has kernel 2.4.18-3, and I have configured iptables 1.2.5 to do masquerading for my internal network by following the instructions in the masquerading how-to (http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X). This all works fine.
When I try to connect my Windows 2000 server (I'm using this as the client here as I don't have Win2K Pro) to the external Win2K VPN server, the connection times out on authentication, which presumably means that the firewall is not letting in the right packets? So I have attempted to adjust the iptables firewall rules to fix this, based on the VPN Masquerade how-to instructions for ipchains (http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO-3.html#ss3.12). I'm not sure if this is correct because I'm new to this, but I have the following in the firewall configuration script:

    iptables -A INPUT -p udp -s $VPNSERVERIP/32 --sport 500 -i $EXTIF \
        --dport 500 -j ACCEPT
    iptables -A INPUT -p 50 -s $VPNSERVERIP/32 -i $EXTIF -j ACCEPT
    iptables -A INPUT -p tcp -s $VPNSERVERIP/32 --sport 1723 \
        -i $EXTIF -j ACCEPT
    iptables -A INPUT -p 47 -s $VPNSERVERIP/32 -i $EXTIF -j ACCEPT

This didn't seem to help. So I tried using forwarding as though the client was a VPN server (from http://www.impsec.org/linux/masquerade/ip_masq_vpn.html):

    iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1723 -j DNAT \
        --to 192.168.1.10
    iptables -t nat -A PREROUTING -i $EXTIF -p 47 -j DNAT \
        --to 192.168.1.10

Now when I attempt to connect the VPN client to the server I get this output on the Linux router until authentication times out:

    IN=eth0 OUT=eth1 SRC=x.x.x.x DST=x.x.x.x LEN=62 TOS=0x00 PREC=0x00 TTL=114 ID=3097 PROTO=47

As you can probably tell, I'm struggling with this as I don't understand iptables fully. I'm still not sure if I need to patch the kernel or whether I'm doing something else wrong. The VPN Masquerade home page says "... masquerading a single VPN client using IPtables is fairly simple to set up, and requires no special patches." Do I need to recompile the kernel and enable some non-default option?

Hope someone can help.

George

> I am not sure about 7.1, but presumably you can/should upgrade to the
> latest 7.3 kernel anyway.
> I changed from 6.2 to 7.3 recently. I masq MS PPTP from
> a win98 machine to a win2k server. My recollection is that
> it stops working under ipchains, so I took the opportunity (was forced)
> to convert to iptables. It works with no patches needed, although
> I tend to recompile from redhat kernel sources,
> so I cannot comment about stock kernels.
>
> Cameron.
>
>> -----Original Message-----
>> From: George Agnelli [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, 9 October 2002 19:30
>> To: RedHat list
>> Subject: VPN Masquerade on Red Hat 7.1
>>
>>
>> Hi, I'm trying to set up my Linux gateway/firewall to
>> masquerade an outgoing VPN client to a Windows 2000 VPN
>> server. According to the Linux VPN Masquerade home page
>> (http://www.impsec.org/linux/masquerade/ip_masq_vpn.html) it
>> seems that I need to apply the VPN masquerade patch to the kernel.
>>
>> Could anyone confirm that this is necessary on Red Hat 7.1. I
>> have kernel version 2.4.x out of the box with no other
>> patches applied. Or does it already contain this patch?
>>
>> George
>>
>>
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
>> https://listman.redhat.com/mailman/listinfo/redhat-list
>>
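An added example, not part of the thread above and not the HOWTO's or Cameron's configuration: a rule set for passing a single internal PPTP client through a 2.4 iptables masquerading gateway, written against the variable names of the HOWTO's rc.firewall-2.4.x script. It is built around two points. First, the rules quoted in the post live in the INPUT chain, which only ever sees packets addressed to the router itself; the logged packet (IN=eth0 OUT=eth1 ... PROTO=47) is being forwarded, so it is judged by FORWARD, where the HOWTO only accepts ESTABLISHED,RELATED traffic from outside, and a GRE packet that the server sends first, or that a PREROUTING DNAT has just rewritten, is NEW to connection tracking. Second, GRE has no port numbers, so a 2.4 kernel without the PPTP connection-tracking helper can only tell apart one masqueraded GRE flow to a given server, which is exactly the "single VPN client" case the VPN Masquerade page describes. The interface names, the VPNCLIENT variable and the 203.0.113.5 server address (an RFC 5737 documentation address) are assumptions; 192.168.1.10 is the client address used in the post.

```shell
#!/bin/sh
# Added example (not from the thread or the HOWTO): let ONE internal PPTP
# client out through a 2.4 iptables masquerading gateway.
#
# PPTP is a TCP 1723 control connection plus a GRE (IP protocol 47) data
# tunnel. GRE has no ports, so every rule below names the protocol and both
# end-point addresses explicitly. Variable names follow the HOWTO's
# rc.firewall-2.4.x; the defaults are assumptions except 192.168.1.10,
# which is the client address used in the thread.

EXTIF=${EXTIF:-eth0}                      # assumed: Internet-facing interface
INTIF=${INTIF:-eth1}                      # assumed: LAN interface
VPNSERVERIP=${VPNSERVERIP:-203.0.113.5}   # assumed: RFC 5737 documentation address
VPNCLIENT=${VPNCLIENT:-192.168.1.10}      # the client from the thread
IPT=${IPT:-iptables}

# Print the rules, one command per line, so they can be reviewed before they
# are applied. These are FORWARD and nat rules on purpose: INPUT only sees
# packets addressed to the router itself, never a packet being forwarded.
pptp_rules() {
    cat <<EOF
# control connection, client -> server
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp -s $VPNCLIENT -d $VPNSERVERIP --dport 1723 -j ACCEPT
# data tunnel, client -> server (source-NATed by the HOWTO's POSTROUTING MASQUERADE rule)
$IPT -A FORWARD -i $INTIF -o $EXTIF -p 47 -s $VPNCLIENT -d $VPNSERVERIP -j ACCEPT
# GRE from the server arrives addressed to the router; hand it to the client
# even when the server speaks first and no conntrack entry exists yet
$IPT -t nat -A PREROUTING -i $EXTIF -p 47 -s $VPNSERVERIP -j DNAT --to $VPNCLIENT
# ...and let it through FORWARD: a server-initiated GRE packet is NEW to
# conntrack, so the HOWTY's ESTABLISHED,RELATED rule does not cover it
$IPT -A FORWARD -i $EXTIF -o $INTIF -p 47 -s $VPNSERVERIP -d $VPNCLIENT -j ACCEPT
EOF
}

# Sanity check on the generated set: nothing may land in INPUT (wrong chain
# for forwarded traffic) and no GRE rule may lack a source address (that
# would accept GRE from anyone on the Internet).
pptp_rules_sane() {
    pptp_rules | grep -v '^#' | grep -q -- '-A INPUT' && return 1
    pptp_rules | grep -v '^#' | grep -- '-p 47' | grep -qv -- '-s ' && return 1
    return 0
}

case "${1:-print}" in
    apply) pptp_rules | sh ;;   # as root, before the HOWTO's final "-A FORWARD -j LOG"
    *)     pptp_rules ;;        # dry run: just show what would be added
esac
```

Run it with no argument to review the rules, with `apply` to add them; they have to go in before the catch-all `iptables -A FORWARD -j LOG` at the end of the HOWTO's FORWARD chain or they never match. After a connection attempt, `iptables -L FORWARD -v -n` should show the packet counters on the two protocol-47 rules climbing and `/proc/net/ip_conntrack` should list a protocol-47 entry between the client and the server; if only the client-to-server counter moves, the server's GRE is still being dropped upstream of the router. With two internal clients talking to the same server at the same time the second one fails, because their masqueraded GRE replies are indistinguishable without the PPTP conntrack/NAT helper, which in the 2.4 era was a patch-o-matic addition rather than part of the stock kernel.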