Connecting to a M$ VPN server

RijilV · 07-01-2005, 10:00 PM

so okay heres the deal:

<M$ VPN Server> -- [ the internet ] --- < my Linux router > --- < housemate's computer >

What I need to work is for my housemate to beable to connect to the M$ VPN server out there. Since this is my housemate's system, I can't really test anything out and we don't have congruent schedules so testing anything out hasn't been working very well.

I tried just to allow GRE to pass but it doesn't seem to be working. Thanks in advance

DaneM · 07-02-2005, 06:08 AM

Hi, RijilV.

It sounds to me like the first step is to get your room mate's permission to try things in his absence. Most problems can be resolved by reading the documentation and just fiddling around.

Second, I would temporarily configure the router to let EVERYTHING through, so as to make sure that it's not a firewall problem. Beyond that, you'll have to talk (write) to someone more knowledgeable than myself about VPNs.

Good luck!

--Dane

michaelk · 07-02-2005, 10:00 AM

pptp uses TCP port 1723 in addition to gre.
Might want to post your firewall rules so we can check your syntax too.

RijilV · 07-02-2005, 12:08 PM

as for port 1723, I see the windows box connecting to port 1723 on the server outbound, but all of my tcpdumps never show an incoming connection to port 1723. Perhaps iptables doesn't keep state on GRE? I dunno for sure. Its unlikely I'll get permission to use his VPN, after all whats the point of a VPN if you're going to let unauthorized people on it...

the VPN server is not on the inside of the firewall, its out on the net, I just need the client to connect to it.

here are my rulez:

Code:

# Generated by iptables-save v1.2.11 on Sat Jul  2 09:55:37 2005
*nat
:PREROUTING ACCEPT [64478282:3573374901]
:POSTROUTING ACCEPT [10609014:831673500]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99 
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80 
-A PREROUTING -d 149.101.1.101 -i eth1 -p udp -m udp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80 
-A PREROUTING -d 176.16.2.1 -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 149.101.1.3   
-A PREROUTING -d ! 176.16.1.1 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 176.16.1.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
-A POSTROUTING -s 176.16.2.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
COMMIT
# Completed on Sat Jul  2 09:55:37 2005
# Generated by iptables-save v1.2.11 on Sat Jul  2 09:55:37 2005
*filter
:INPUT DROP [1:126]
:FORWARD DROP [99:61903]
:OUTPUT DROP [25:16388]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 176.16.1.1 -i lo -j ACCEPT
-A INPUT -s 176.16.2.1 -i lo -j ACCEPT
-A INPUT -s 149.101.1.101 -i lo -j ACCEPT
-A INPUT -d 149.101.1.255 -i eth1 -j DROP
-A INPUT -d 176.16.1.0 -i eth0 -j DROP
-A INPUT -d 176.16.2.255 -i eth2 -j DROP
-A INPUT -d ! 149.101.1.101 -i eth1 -j DROP
-A INPUT -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 3127 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROPl:"
-A INPUT -j DROP
-A FORWARD -d 149.101.1.255 -o eth1 -j DROP
-A FORWARD -d 176.16.1.255 -o eth0 -j DROP
-A FORWARD -d 176.16.2.255 -o eth2 -j DROP
-A INPUT -d ! 149.101.1.101 -i eth1 -j DROP
-A INPUT -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT                                                          -A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 3127 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT                                                        -A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT                                                                                      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROPl:" 
-A INPUT -j DROP 
-A FORWARD -d 149.101.1.255 -o eth1 -j DROP
-A FORWARD -d 176.16.1.255 -o eth0 -j DROP 
-A FORWARD -d 176.16.2.255 -o eth2 -j DROP
-A FORWARD -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A FORWARD -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A FORWARD -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT                                                                                     -A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT                                                                                     -A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p gre -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 37 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 873 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 37 -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 23571 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.80 -i eth1 -o eth2 -p udp -m udp --dport 65000:65535 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "DROPl:"
-A FORWARD -j DROP
-A OUTPUT -d 149.1.101.255 -o eth1 -j DROP
-A OUTPUT -d 176.16.1.0 -o eth0 -j DROP
-A OUTPUT -d 176.16.2.255 -o eth2 -j DROP
-A OUTPUT -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -s ! 149.101.1.101 -o eth1 -j DROP
-A OUTPUT -s 149.101.1.101 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 176.16.2.1 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p udp -m state --state NEW -j ACCEPT
-A OUTPUT -s 176.16.1.1 -d 176.16.1.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 127.0.0.1 -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "DROPl:"
-A OUTPUT -j DROP
COMMIT
# Completed on Sat Jul  2 09:55:37 2005