> -----Original Message-----
> From: George Agnelli 
> 
> 
> Ok, so I have upgraded to 7.3 which has Kernel 2.4.18-3 and I have
> configured iptables 1.2.5 to do masquerading for my internal 
> network by following the instructions in the masquerading how-to
>
> (http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X).
> This all works fine.
> 
> When I try to connect my Windows 2000 server (I'm using this 
> as the client here as I don't have Win2KPro) to the external Win2k
> VPN server, the connection times out on authentication, which presumably 
> means that the firewall is not letting in the right packets?
> 
> So, I have attempted to adjust the iptables firewall rules to 
> fix this based on the VPN Masquerade how-to instructions for ipchains
> (http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO-3.html#ss3.12).
> I'm not sure if this is correct because I'm new to this, but I have
> the following in the firewall configuration script:
> 
> iptables -A INPUT -p udp -s $VPNSERVERIP/32 --sport 500 -i $EXTIF \
>     --dport 500 -j ACCEPT
> iptables  -A INPUT -p 50 -s $VPNSERVERIP/32 -i $EXTIF -j ACCEPT
> iptables  -A INPUT -p tcp -s $VPNSERVERIP/32 --sport 1723 \
>     -i $EXTIF -j ACCEPT
> iptables  -A INPUT -p 47 -s $VPNSERVERIP/32 -i $EXTIF -j ACCEPT

You're using -A (append); are you sure that another DENY rule on your input
chain is not kicking in prior to this rule? Try using insert (-I).

BTW: A pptp based tunnel only requires tcp port 1723 and protocol 47. Port
500 and proto 50 are for IPSEC based tunnels.

> 
> This didn't seem to help. So I tried using forwarding as 
> though the client was a VPN server:
> (from http://www.impsec.org/linux/masquerade/ip_masq_vpn.html)
> iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1723 -j DNAT \
>     --to 192.168.1.10
> iptables -t nat -A PREROUTING -i $EXTIF -p 47 -j DNAT \
>     --to 192.168.1.10
> 

The above rules are only needed if you're masquerading a PPTP server behind
your firewall.

> Now when I attempt to connect the VPN client to the server I 
> get this output on the linux router until authentication times
> out.
> IN=eth0 OUT=eth1 SRC=x.x.x.x DST=x.x.x.x LEN=62 TOS=0x00 
> PREC=0x00 TTL=114 ID=3097 PROTO=47
> 

Be sure the rules you mentioned above that accept tcp port 1723/proto 47 are
inserted (-I) before all other DENY rules on your input chain.

> As you can probably tell, I'm struggling with this as I don't 
> understand iptables fully. I'm still not sure if I need to patch
> the kernel or whether I'm doing something else wrong. The VPN
> Masquerade home page says ".. masquerading a single VPN client
> using IPtables is fairly simple to set up, and requires no special
> patches." Do I need to recompile the kernel and enable some
> non-default option?

The kernel patch referenced at the PPTP masq site is only needed if you are
wanting to masquerade multiple VPN clients from behind your firewall. The
stock iptables/netfilter package supports a single outbound connection. At
least I have no problems here. If you were to apply the patch, you would
then have to load some additional kernel modules (part of the patch) to
support multiple pptp based connection tracking. i.e.

ip_conntrack_pptp
ip_nat_pptp 

That's my two cents :-)

Good luck
Steve Cowles
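As an added example that is not part of the thread: a small Python model of the rule-ordering point made above, namely that an ACCEPT appended with -A behind a catch-all DROP never sees the PPTP packets, while the same rule inserted with -I ahead of the DROP does. It assumes `iptables -S INPUT` style input, models only -s, -i, -p, --sport, --dport and -j, and uses 203.0.113.5 and eth0 as constructed stand-ins for $VPNSERVERIP and $EXTIF.

```python
"""Walk an iptables INPUT chain in rule order and report which rule fires first.
Subset only: -P, -s, -i, -p, --sport, --dport, -j; every option takes one value."""
import ipaddress
import shlex

PROTO = {"tcp": "6", "udp": "17", "gre": "47", "esp": "50"}  # names -> numbers
MODELLED = ("-s", "-i", "-p", "--sport", "--dport", "-j")

def parse_chain(text):
    """Parse `iptables -S INPUT` style lines into (policy, [rule dicts])."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
            continue
        # tok[2:] is "-opt value -opt value ..."; keep only the modelled options
        rules.append({o: v for o, v in zip(tok[2::2], tok[3::2]) if o in MODELLED})
    return policy, rules

def matches(rule, pkt):
    """True if every modelled option on the rule matches the packet dict."""
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(rule["-s"], strict=False):
        return False
    want = {"-i": pkt["iface"], "-p": PROTO.get(pkt["proto"], pkt["proto"]),
            "--sport": str(pkt.get("sport")), "--dport": str(pkt.get("dport"))}
    # PROTO.get() makes "-p tcp" and "-p 6" compare equal; other values pass through
    return all(PROTO.get(v, v) == want[o] for o, v in rule.items() if o in want)

def first_verdict(chain_text, pkt):
    """(target, rule number as shown by -L --line-numbers) or (policy, None)."""
    policy, rules = parse_chain(chain_text)
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["-j"], n
    return policy, None

# Constructed chains/packets: 203.0.113.5 stands in for $VPNSERVERIP, eth0 for $EXTIF.
# APPENDED is what -A gives when a catch-all DROP exists; INSERTED is the -I placement.
APPENDED = """-P INPUT DROP
-A INPUT -i eth0 -j DROP
-A INPUT -s 203.0.113.5/32 -i eth0 -p tcp -m tcp --sport 1723 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -i eth0 -p 47 -j ACCEPT"""
INSERTED = """-P INPUT DROP
-A INPUT -s 203.0.113.5/32 -i eth0 -p tcp -m tcp --sport 1723 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -i eth0 -p 47 -j ACCEPT
-A INPUT -i eth0 -j DROP"""
GRE = {"src": "203.0.113.5", "iface": "eth0", "proto": "47", "sport": None, "dport": None}
CTRL = {"src": "203.0.113.5", "iface": "eth0", "proto": "tcp", "sport": 1723, "dport": 1035}
```

`first_verdict(APPENDED, GRE)` returns `("DROP", 1)` while `first_verdict(INSERTED, GRE)` returns `("ACCEPT", 2)`, which is the difference between -A and -I on a chain that already ends in a DROP.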



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list