LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 07-01-2005, 10:00 PM   #1
RijilV
Member
 
Registered: Sep 2002
Location: somewhere
Distribution: gentoo
Posts: 123

Rep: Reputation: 15
Connecting to a M$ VPN server


so okay heres the deal:


<M$ VPN Server> -- [ the internet ] --- < my Linux router > --- < housemate's computer >

What I need to work is for my housemate to beable to connect to the M$ VPN server out there. Since this is my housemate's system, I can't really test anything out and we don't have congruent schedules so testing anything out hasn't been working very well.

I tried just to allow GRE to pass but it doesn't seem to be working. Thanks in advance
 
Old 07-02-2005, 06:08 AM   #2
DaneM
Member
 
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Linux Mint
Posts: 727

Rep: Reputation: 75
Hi, RijilV.

It sounds to me like the first step is to get your room mate's permission to try things in his absence. Most problems can be resolved by reading the documentation and just fiddling around.

Second, I would temporarily configure the router to let EVERYTHING through, so as to make sure that it's not a firewall problem. Beyond that, you'll have to talk (write) to someone more knowledgeable than myself about VPNs.

Good luck!

--Dane
 
Old 07-02-2005, 10:00 AM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 11,890

Rep: Reputation: 743Reputation: 743Reputation: 743Reputation: 743Reputation: 743Reputation: 743Reputation: 743
pptp uses TCP port 1723 in addition to gre.
Might want to post your firewall rules so we can check your syntax too.
 
Old 07-02-2005, 12:08 PM   #4
RijilV
Member
 
Registered: Sep 2002
Location: somewhere
Distribution: gentoo
Posts: 123

Original Poster
Rep: Reputation: 15
as for port 1723, I see the windows box connecting to port 1723 on the server outbound, but all of my tcpdumps never show an incoming connection to port 1723. Perhaps iptables doesn't keep state on GRE? I dunno for sure. Its unlikely I'll get permission to use his VPN, after all whats the point of a VPN if you're going to let unauthorized people on it...

the VPN server is not on the inside of the firewall, its out on the net, I just need the client to connect to it.

here are my rulez:
Code:
# Generated by iptables-save v1.2.11 on Sat Jul  2 09:55:37 2005
*nat
:PREROUTING ACCEPT [64478282:3573374901]
:POSTROUTING ACCEPT [10609014:831673500]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80 
-A PREROUTING -d 149.101.1.101 -i eth1 -p udp -m udp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80 
-A PREROUTING -d 176.16.2.1 -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 149.101.1.3   
-A PREROUTING -d ! 176.16.1.1 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 176.16.1.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
-A POSTROUTING -s 176.16.2.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
COMMIT
# Completed on Sat Jul  2 09:55:37 2005
# Generated by iptables-save v1.2.11 on Sat Jul  2 09:55:37 2005
*filter
:INPUT DROP [1:126]
:FORWARD DROP [99:61903]
:OUTPUT DROP [25:16388]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 176.16.1.1 -i lo -j ACCEPT
-A INPUT -s 176.16.2.1 -i lo -j ACCEPT
-A INPUT -s 149.101.1.101 -i lo -j ACCEPT
-A INPUT -d 149.101.1.255 -i eth1 -j DROP
-A INPUT -d 176.16.1.0 -i eth0 -j DROP
-A INPUT -d 176.16.2.255 -i eth2 -j DROP
-A INPUT -d ! 149.101.1.101 -i eth1 -j DROP
-A INPUT -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 3127 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROPl:"
-A INPUT -j DROP
-A FORWARD -d 149.101.1.255 -o eth1 -j DROP
-A FORWARD -d 176.16.1.255 -o eth0 -j DROP
-A FORWARD -d 176.16.2.255 -o eth2 -j DROP
-A INPUT -d ! 149.101.1.101 -i eth1 -j DROP
-A INPUT -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT                                                          -A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 3127 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT                                                        -A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT                                                                                      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROPl:" 
-A INPUT -j DROP 
-A FORWARD -d 149.101.1.255 -o eth1 -j DROP
-A FORWARD -d 176.16.1.255 -o eth0 -j DROP 
-A FORWARD -d 176.16.2.255 -o eth2 -j DROP
-A FORWARD -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A FORWARD -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A FORWARD -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT                                                                                     -A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT                                                                                     -A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p gre -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 37 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 873 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 37 -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 23571 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.80 -i eth1 -o eth2 -p udp -m udp --dport 65000:65535 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "DROPl:"
-A FORWARD -j DROP
-A OUTPUT -d 149.1.101.255 -o eth1 -j DROP
-A OUTPUT -d 176.16.1.0 -o eth0 -j DROP
-A OUTPUT -d 176.16.2.255 -o eth2 -j DROP
-A OUTPUT -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -s ! 149.101.1.101 -o eth1 -j DROP
-A OUTPUT -s 149.101.1.101 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 176.16.2.1 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p udp -m state --state NEW -j ACCEPT
-A OUTPUT -s 176.16.1.1 -d 176.16.1.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 127.0.0.1 -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "DROPl:"
-A OUTPUT -j DROP
COMMIT
# Completed on Sat Jul  2 09:55:37 2005

Last edited by RijilV; 07-02-2005 at 12:12 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Connecting to a VPN server fatrandy13 Linux - Networking 8 09-15-2005 07:19 PM
Probs connecting to vpn server magoot Linux - Networking 2 08-19-2005 11:28 AM
VPN Question Win98->internet->Router->Linux VPN Server->Win2k Server patrickrea Linux - Networking 1 08-10-2004 02:09 AM
How do i connect Ciscos VPN client to Checkpoint VPN server Klas Linux - Networking 1 11-29-2003 08:00 AM
Connecting to vpn server vvk Solaris / OpenSolaris 3 07-13-2003 06:37 AM


All times are GMT -5. The time now is 03:01 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration