Port forward GRE and PPTP using IPtables

twistedpair · 07-27-2004, 03:44 PM

Hi all,
The subject sorta says it all. I am trying to get PPTP traffic, and GRE (which is part of it) forwarded through the firewall. So far TCP 1723 is forwarding correctly, but I can't seem to get GRE to forward. Anyone have any success with this?

Also anyone have any success with this using FWBuilder? If so have you been able to set this up?

Thanks,
Pair

michaelk · 07-27-2004, 04:01 PM

GRE is port 47. I do not use FWBuilder but I would think you would configure it the same as port 1723

twistedpair · 07-27-2004, 04:13 PM

Hmm, I thought it was Protocol 47? I will give it a try, and post back. Thanks!

Pair

michaelk · 07-27-2004, 04:24 PM

Nevermind what was I thinking.... Your correct it is protocol 47... I'm tired

Check this out:
http://lists.debian.org/debian-firew.../msg00090.html

twistedpair · 07-27-2004, 04:24 PM

I opened up Protocol 47, and port 47. Still no go. I can see GRE traffic on the outside interface when I connect from the outside, but not the internal interface. Any other ideas?

Pair

michaelk · 07-27-2004, 05:07 PM

I assume the distro your running uses iptables? I could look at the generated iptables script and probably find the problem.

I quick scan of the manual does not provide any easy answers.

twistedpair · 07-27-2004, 05:09 PM

Lemme see what I can do. The most difficult thing for me at least, is scanning through the list of iptables rules, and trying to translate them in my brain into FWBuilder rules. Let me see if I can paste the results of an iptables -L into a post. I am running Mandrake 9.2 BTW.

Thank you
Pair

twistedpair · 07-27-2004, 05:17 PM

Here it is . . . Any ideas?

Thanks again,
Pair

Chain INPUT (policy DROP)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <Outside IP>tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere <Outside IP>multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere <Outside IP>state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere 192.168.3.4 state NEW
ACCEPT tcp -- anywhere Firewall multiport dports http,https state NEW
ACCEPT tcp -- anywhere <Outside IP>multiport dports http,https state NEW
ACCEPT tcp -- anywhere Firewall multiport dports http,https state NEW
ACCEPT tcp -- anywhere 192.168.3.4 multiport dports http,https state NEW
ACCEPT all -- Firewall BASE-ADDRESS.MCAST.NET/4state NEW
ACCEPT all -- <Outside IP> base-address.mcast.net/4state NEW
ACCEPT all -- Firewall base-address.mcast.net/4state NEW
ACCEPT all -- 192.168.3.4 base-address.mcast.net/4state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- <Outside IP> anywhere state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- 192.168.3.4 anywhere state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.3.9 tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere <mailserver>multiport dports https,pop3,imap,imaps state NEW
RULE_3 tcp -- anywhere <client_machine_name>tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <client_machine_name>multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere <client_machine_name>state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.3.9 tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere <mailserver>multiport dports https,pop3,imap,imaps state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <Outside IP>tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere <Outside IP>multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere <Outside IP>state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere 192.168.3.4 state NEW
RULE_3 tcp -- anywhere <client_machine_name>tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <client_machine_name>multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere <client_machine_name>state NEW
ACCEPT udp -- Firewall 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- <Outside IP> 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- <Outside IP> 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- 192.168.3.4 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- 192.168.3.4 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT all -- Firewall base-address.mcast.net/4state NEW
ACCEPT all -- <Outside IP> base-address.mcast.net/4state NEW
ACCEPT all -- Firewall base-address.mcast.net/4state NEW
ACCEPT all -- 192.168.3.4 base-address.mcast.net/4state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- <Outside IP> anywhere state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- 192.168.3.4 anywhere state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain RULE_3 (30 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `RULE 3 -- ACCEPT '
ACCEPT all -- anywhere anywhere

Chain RULE_8 (3 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `RULE 8 -- DENY '
DROP all -- anywhere anywhere

peter_robb · 08-01-2004, 04:38 AM

That's a horrible format to try and read...

Try using iptables-save and post that please

You should have modules ip_conntrack_pptp & ip_nat_pptp loaded at least.
do lsmod to check and modprobe ip_nat_pptp to load both..

stevesl · 05-27-2005, 02:41 PM

I guess you never got an answer to this so I thought to through in my 2 cents.

VPN (in the simplified MicroS*ft rras 56-but encryption client sense) is IP protocol # 47 (or GRE) AND IP protocol TCP port 1723.

EX:
assume for simplicity: iptables -P FORWARD ACCEPT
then:
echo ">>>--- setup nat VPN"
iptables -t nat -A PREROUTING -i <Public-IFace> -p gre -d <VPN-Public-IP> -j DNAT --to-destination <VPN-DMZ-IP>
iptables -t nat -A PREROUTING -i <Public-IFace> -p tcp --sport 1024:65535 -d <VPN-Public-IP> --dport 1723 -j DNAT --to-destination <VPN-DMZ-IP>

zn99 · 07-09-2005, 11:14 PM

On Linux, it's a major pain to forward pptp using iptables.

Use pptpproxy. It was designed for that and it works like a charm.

I've been using it both at home and at the office (where it forwards
connection to an internal Windoze PPTP server), and it's been working
without a glitch for more than two years.

Get it here : http://www.mgix.com/pptpproxy

furrie · 11-13-2008, 06:04 PM

stevesl you are my hero! I have spent hours messing about looking for a solution to my problem that I could actually cut and paste into my iptables file (after s little tweaking to suit my circumstances).

abinf · 10-02-2009, 08:23 PM

Hi!

I have same problem (need to Forward VPN connection to a MSWinServer behind a Linux, and the solution as not worked :/
But the Zn99 solution with pptpproxy, yes..

any idea?

I have open the issue some months ago in here

Best regards,

CodeKrash · 05-07-2011, 04:41 AM

Hi, first post

I saw this: {oops first post so I can't tell you the link, just that it's on ubuntuforums.org I think}

and am trying the same kind of thing (forward back data through listening tunnel (like PPTP I guess).

I'm a real nub when it comes to firewall scripts for linux, can anyone tell me if there's a gaping hole anywhere? Send me a PM or email if you think it's serious. Thanks a bunch for the real gurus probably using these forums. I understand about port obfuscation, but I've been too busy to properly research these things lately.

Code:

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1194
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3690
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
9    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  10.8.0.0/24          0.0.0.0/0           to:<an internet facing IP Ver 4 address>

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

CodeKrash · 05-07-2011, 05:06 AM

This might help:

Code:

# Generated by iptables-save v1.4.3.1 on Sat May  7 05:56:53 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [63260:29151195]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3690 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Sat May  7 05:56:53 2011
# Generated by iptables-save v1.4.3.1 on Sat May  7 05:56:53 2011
*nat
:PREROUTING ACCEPT [5462:510154]
:POSTROUTING ACCEPT [22:1595]
:OUTPUT ACCEPT [22:1595]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source <an internet facing IP Ver 4 address>
COMMIT
# Completed on Sat May  7 05:56:53 2011

This is what stuck out to me: SNAT, and the accept all indicator on the previosu readout, that looks a bit scary.

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source <an internet facing IP Ver 4 address>

Implicit DNAT (or something like that) . How to I forward ports to my ip (static IP)?

I read that:

Quote:

13 POSTROUTE is just another chain

* Selective rules can be used
* Different manipulations are possible
* Use -j ACCEPT to let the packet through untouched

I'll give this a whack:

Code:

iptables -A INPUT -i eth1 -s 0.0.0.0/32 \  
          -d 10.8.0.6 -p tcp \  
          --sport 8080 -m state \  
          --state ESTABLISHED,RELATED -j ACCEPT

to forward the port 8080 to my open vpn client?