Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi all,
The subject sorta says it all. I am trying to get PPTP traffic, and GRE (which is part of it) forwarded through the firewall. So far TCP 1723 is forwarding correctly, but I can't seem to get GRE to forward. Anyone have any success with this?
Also anyone have any success with this using FWBuilder? If so have you been able to set this up?
Thanks,
Pair
I opened up Protocol 47, and port 47. Still no go. I can see GRE traffic on the outside interface when I connect from the outside, but not the internal interface. Any other ideas?
Lemme see what I can do. The most difficult thing for me at least, is scanning through the list of iptables rules, and trying to translate them in my brain into FWBuilder rules. Let me see if I can paste the results of an iptables -L into a post. I am running Mandrake 9.2 BTW.
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <Outside IP> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere <Outside IP> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere <Outside IP> state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere 192.168.3.4 state NEW
ACCEPT tcp -- anywhere Firewall multiport dports http,https state NEW
ACCEPT tcp -- anywhere <Outside IP> multiport dports http,https state NEW
ACCEPT tcp -- anywhere Firewall multiport dports http,https state NEW
ACCEPT tcp -- anywhere 192.168.3.4 multiport dports http,https state NEW
ACCEPT all -- Firewall BASE-ADDRESS.MCAST.NET/4 state NEW
ACCEPT all -- <Outside IP> base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall base-address.mcast.net/4 state NEW
ACCEPT all -- 192.168.3.4 base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- <Outside IP> anywhere state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- 192.168.3.4 anywhere state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.3.9 tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere <mailserver> multiport dports https,pop3,imap,imaps state NEW
RULE_3 tcp -- anywhere <client_machine_name> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <client_machine_name> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere <client_machine_name> state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.3.9 tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere <mailserver> multiport dports https,pop3,imap,imaps state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <Outside IP> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere <Outside IP> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere <Outside IP> state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere 192.168.3.4 state NEW
RULE_3 tcp -- anywhere <client_machine_name> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <client_machine_name> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere <client_machine_name> state NEW
ACCEPT udp -- Firewall 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- <Outside IP> 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- <Outside IP> 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- 192.168.3.4 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- 192.168.3.4 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT all -- Firewall base-address.mcast.net/4 state NEW
ACCEPT all -- <Outside IP> base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall base-address.mcast.net/4 state NEW
ACCEPT all -- 192.168.3.4 base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- <Outside IP> anywhere state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- 192.168.3.4 anywhere state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere
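For anyone hitting the same wall as Pair (TCP 1723 forwards, GRE does not), here is an added example that is not code from anyone in this thread: a small sh script that prints the iptables rules needed to forward a PPTP session to an internal server, plus a check that audits an iptables-save dump for the rules that must be present. GRE is IP protocol 47, not a port, so it is matched with -p gre and there is nothing to "open" on port 47. The listing above is the filter table only; the nat table (where the DNAT has to live) is not shown, and that is where the audit looks first. The interface and addresses (eth0, 203.0.113.5, 192.168.3.9) are assumed placeholders, the two sample dumps are constructed, and the helper module names are the current ones (the 2.4-era equivalents were ip_conntrack_pptp and ip_nat_pptp).

```shell
#!/bin/sh
# Added example, not code from this thread. Generates the iptables rules that
# forward a PPTP session (TCP 1723 control channel plus GRE, IP protocol 47,
# which has no ports) to an internal PPTP server, and audits an iptables-save
# dump for the rules that must be present. Interface and addresses are assumed
# placeholders: eth0, 203.0.113.5 (outside), 192.168.3.9 (internal server).

# Print the rules for one gateway. Arguments: wan_if outside_ip server_ip
pptp_forward_rules() {
    wan_if=$1; outside_ip=$2; server_ip=$3
    cat <<EOF
# The pptp helper ties the GRE data channel to its TCP 1723 control
# connection so the tunnel is tracked as RELATED to it.
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
# Since kernel 4.7 helpers are no longer attached automatically; assign it.
iptables -t raw -A PREROUTING -i $wan_if -p tcp --dport 1723 -j CT --helper pptp
# Rewrite the destination of both the control channel and the GRE tunnel.
# The explicit GRE rule also covers kernels where the helper is unavailable.
iptables -t nat -A PREROUTING -i $wan_if -d $outside_ip -p tcp --dport 1723 -j DNAT --to-destination $server_ip
iptables -t nat -A PREROUTING -i $wan_if -d $outside_ip -p gre -j DNAT --to-destination $server_ip
# Only those two flows may enter FORWARD from the outside; replies ride on
# RELATED,ESTABLISHED.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $wan_if -d $server_ip -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $wan_if -d $server_ip -p gre -j ACCEPT
EOF
}

# Read iptables-save text on stdin; report each missing rule and return 1 if
# any of the three required rules is absent.
check_pptp_rules() {
    saved=$(cat)
    missing=0
    for pattern in \
        '^-A PREROUTING .*-p tcp .*--dport 1723 .*-j DNAT' \
        '^-A PREROUTING .*-p gre .*-j DNAT' \
        '^-A FORWARD .*-p gre .*-j ACCEPT'
    do
        if ! printf '%s\n' "$saved" | grep -Eq -- "$pattern"; then
            echo "missing: $pattern"
            missing=1
        fi
    done
    return $missing
}

# Constructed iptables-save excerpts for the audit (not captured from a real box).
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 203.0.113.5/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.3.9
-A PREROUTING -i eth0 -d 203.0.113.5/32 -p gre -j DNAT --to-destination 192.168.3.9
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -d 192.168.3.9/32 -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -d 192.168.3.9/32 -p gre -j ACCEPT
COMMIT'
# Same gateway with only the control channel forwarded: the symptom in this thread.
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 203.0.113.5/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.3.9
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -d 192.168.3.9/32 -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
COMMIT'

# Demonstration: print the rules, then audit both constructed samples.
pptp_forward_rules eth0 203.0.113.5 192.168.3.9
printf '%s\n' "$SAMPLE_GOOD" | check_pptp_rules && echo "good sample: complete"
printf '%s\n' "$SAMPLE_BAD" | check_pptp_rules || echo "bad sample: GRE not forwarded"
```

On the real gateway, source the script and run "iptables-save | check_pptp_rules" to see which of the three rules is missing; the generator's output can be reviewed and then piped into sh as root. To confirm the fix from the inside, watch the internal interface with "tcpdump -ni <inside_if> ip proto 47" while a client connects: GRE appearing there, and not only on the outside interface, is the sign the DNAT and FORWARD rules are doing their job.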
On Linux, it's a major pain to forward pptp using iptables.
Use pptpproxy. It was designed for that and it works like a charm. I've been using it both at home and at the office (where it forwards connections to an internal Windoze PPTP server), and it's been working without a glitch for more than two years.
stevesl you are my hero! I have spent hours messing about looking for a solution to my problem that I could actually cut and paste into my iptables file (after a little tweaking to suit my circumstances).
I have the same problem (I need to forward a VPN connection to a MSWinServer behind a Linux box), and the solution has not worked :/
But the Zn99 solution with pptpproxy, yes..
I saw this: {oops first post so I can't tell you the link, just that it's on ubuntuforums.org I think}
and am trying the same kind of thing (forwarding data back through a listening tunnel, like PPTP I guess).
I'm a real nub when it comes to firewall scripts for linux, can anyone tell me if there's a gaping hole anywhere? Send me a PM or email if you think it's serious. Thanks a bunch for the real gurus probably using these forums. I understand about port obfuscation, but I've been too busy to properly research these things lately.
Code:
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3690
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
9 LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:<an internet facing IP Ver 4 address>
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
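An added review aid for a ruleset like the one above, not code from anyone in this thread. Plain "iptables -L" without -v hides the in/out interface columns, so the first INPUT rule may well be the usual loopback accept (-i lo) rather than a true accept-everything; the listing alone cannot tell. The audit below therefore reads iptables-save output, which does show interfaces, and flags two things: an INPUT accept with no match at all, and a FORWARD chain left at policy ACCEPT with no rules, which is the point worth tightening here, since with SNAT for 10.8.0.0/24 in POSTROUTING every packet the box routes is forwarded and leaves with its public address. The second function prints a FORWARD chain limited to the tunnel interface. The names tun0, 10.8.0.0/24, eth0 and 203.0.113.5 are assumed placeholders and both dumps are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread. Audits an iptables-save dump of a
# tunnel gateway for an unconditional INPUT accept and an open FORWARD chain,
# and prints a FORWARD chain restricted to the tunnel interface. Interface and
# address names (tun0, 10.8.0.0/24, eth0, 203.0.113.5) are assumed placeholders.

# Read iptables-save text on stdin; describe each finding and return 1 if any.
forward_audit() {
    saved=$(cat)
    findings=0
    # An INPUT ACCEPT with no match at all. "iptables -L" without -v hides -i,
    # so the listing cannot tell this apart from "-A INPUT -i lo -j ACCEPT".
    if printf '%s\n' "$saved" | grep -q -- '^-A INPUT -j ACCEPT$'; then
        echo "INPUT: unconditional ACCEPT; bind the loopback rule with -i lo"
        findings=1
    fi
    # Policy ACCEPT on FORWARD with no rules: every routed packet is forwarded,
    # and with SNAT in POSTROUTING it leaves with the gateway's address.
    if printf '%s\n' "$saved" | grep -q -- '^:FORWARD ACCEPT' &&
       ! printf '%s\n' "$saved" | grep -q -- '^-A FORWARD '; then
        echo "FORWARD: policy ACCEPT and no rules; restrict to the tunnel interface"
        findings=1
    fi
    return $findings
}

# Print the tightened chain. Arguments: tun_if tun_net wan_if wan_ip
tunnel_forward_rules() {
    tun_if=$1; tun_net=$2; wan_if=$3; wan_ip=$4
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $tun_if -s $tun_net -o $wan_if -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $tun_net -o $wan_if -j SNAT --to-source $wan_ip
EOF
}

# Constructed dumps: the open layout of the listing, and the tightened one.
OPEN_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.5
COMMIT'
CLOSED_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.5
COMMIT'

# Demonstration: audit both samples, then print the tightened chain.
printf '%s\n' "$OPEN_SAMPLE" | forward_audit || echo "open sample: needs work"
printf '%s\n' "$CLOSED_SAMPLE" | forward_audit && echo "closed sample: ok"
tunnel_forward_rules tun0 10.8.0.0/24 eth0 203.0.113.5
```

On the box itself, "iptables-save | forward_audit" after sourcing the script gives the answer the listing cannot; "iptables -L -v -n --line-numbers" is the quick way to see the interface columns by hand.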