Linux - Networking
<M$ VPN Server> -- [ the internet ] --- < my Linux router > --- < housemate's computer >
What I need to work is for my housemate to be able to connect to the M$ VPN server out there. Since this is my housemate's system, I can't really test anything out, and we don't have congruent schedules, so testing anything out hasn't been working very well.
I tried just to allow GRE to pass, but it doesn't seem to be working. Thanks in advance.
It sounds to me like the first step is to get your roommate's permission to try things in his absence. Most problems can be resolved by reading the documentation and just fiddling around.
Second, I would temporarily configure the router to let EVERYTHING through, so as to make sure that it's not a firewall problem. Beyond that, you'll have to talk (write) to someone more knowledgeable than myself about VPNs.
As for port 1723, I see the Windows box connecting to port 1723 on the server outbound, but all of my tcpdumps never show an incoming connection to port 1723. Perhaps iptables doesn't keep state on GRE? I dunno for sure. It's unlikely I'll get permission to use his VPN; after all, what's the point of a VPN if you're going to let unauthorized people on it...
The VPN server is not on the inside of the firewall, it's out on the net. I just need the client to connect to it.
here are my rulez:
Code:
# Generated by iptables-save v1.2.11 on Sat Jul 2 09:55:37 2005
*nat
:PREROUTING ACCEPT [64478282:3573374901]
:POSTROUTING ACCEPT [10609014:831673500]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth0 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 23571 -j DNAT --to-destination 176.16.2.99
-A PREROUTING -d 149.101.1.101 -i eth1 -p tcp -m tcp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80
-A PREROUTING -d 149.101.1.101 -i eth1 -p udp -m udp --dport 65000:65535 -j DNAT --to-destination 176.16.2.80
-A PREROUTING -d 176.16.2.1 -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 149.101.1.3
-A PREROUTING -d ! 176.16.1.1 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 176.16.1.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
-A POSTROUTING -s 176.16.2.0/255.255.255.0 -o eth1 -j SNAT --to-source 149.101.1.101
COMMIT
# Completed on Sat Jul 2 09:55:37 2005
# Generated by iptables-save v1.2.11 on Sat Jul 2 09:55:37 2005
*filter
:INPUT DROP [1:126]
:FORWARD DROP [99:61903]
:OUTPUT DROP [25:16388]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 176.16.1.1 -i lo -j ACCEPT
-A INPUT -s 176.16.2.1 -i lo -j ACCEPT
-A INPUT -s 149.101.1.101 -i lo -j ACCEPT
-A INPUT -d 149.101.1.255 -i eth1 -j DROP
-A INPUT -d 176.16.1.0 -i eth0 -j DROP
-A INPUT -d 176.16.2.255 -i eth2 -j DROP
-A INPUT -d ! 149.101.1.101 -i eth1 -j DROP
-A INPUT -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A INPUT -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p tcp -m tcp --dport 3127 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 176.16.1.0/255.255.255.0 -d 176.16.1.1 -i eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROPl:"
-A INPUT -j DROP
-A FORWARD -d 149.101.1.255 -o eth1 -j DROP
-A FORWARD -d 176.16.1.255 -o eth0 -j DROP
-A FORWARD -d 176.16.2.255 -o eth2 -j DROP
-A FORWARD -s ! 176.16.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A FORWARD -s ! 176.16.2.0/255.255.255.0 -i eth2 -j DROP
-A FORWARD -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p gre -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.1.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 37 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p tcp -m tcp --dport 873 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -s 176.16.2.0/255.255.255.0 -i eth2 -o eth1 -p udp -m udp --dport 37 -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.99 -i eth1 -o eth2 -p tcp -m tcp --dport 23571 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -d 176.16.2.80 -i eth1 -o eth2 -p udp -m udp --dport 65000:65535 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "DROPl:"
-A FORWARD -j DROP
-A OUTPUT -d 149.1.101.255 -o eth1 -j DROP
-A OUTPUT -d 176.16.1.0 -o eth0 -j DROP
-A OUTPUT -d 176.16.2.255 -o eth2 -j DROP
-A OUTPUT -d ! 176.16.1.0/255.255.255.0 -o eth0 -j DROP
-A OUTPUT -d ! 176.16.2.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -s ! 149.101.1.101 -o eth1 -j DROP
-A OUTPUT -s 149.101.1.101 -o eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 176.16.2.1 -o eth2 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A OUTPUT -s 149.101.1.101 -o eth1 -p udp -m state --state NEW -j ACCEPT
-A OUTPUT -s 176.16.1.1 -d 176.16.1.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s 127.0.0.1 -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "DROPl:"
-A OUTPUT -j DROP
COMMIT
# Completed on Sat Jul 2 09:55:37 2005
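Added example, not code from the thread: a small POSIX shell script that classifies the "DROPl:"-prefixed lines that the LOG rules in the ruleset above write to the kernel log, so one connection attempt by the client shows whether the PPTP control connection (TCP/1723) or the GRE tunnel (IP protocol 47) is being dropped, and on which interfaces. The sample log lines, the VPN server address and the client addresses are constructed; the interface names, the router's public address and the DROPl: prefix are the ones in the posted rules.

```shell
#!/bin/sh
# Added example (not from the thread): classify "DROPl:" lines written by the
# LOG rules above, to see whether PPTP control (TCP/1723) or its GRE tunnel
# (IP protocol 47, logged as PROTO=47) is being dropped and on which interfaces.
# All log lines below are constructed samples, not captured traffic.

# Pull one KEY=value field out of an iptables LOG line (empty if absent).
field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# Classify one log line. Prints "<kind> in=<if> out=<if> <src>-><dst>" for
# PPTP-related drops and returns 1 for everything else.
classify_drop() {
    case $1 in
        *DROPl:*"PROTO=TCP"*"DPT=1723"*) kind=pptp-control ;;
        *DROPl:*"PROTO=47"*)             kind=gre-tunnel ;;
        *) return 1 ;;
    esac
    iif=$(field IN "$1"); oif=$(field OUT "$1")
    # OUT is empty for packets handled by the INPUT chain (router itself is the target).
    printf '%s in=%s out=%s %s->%s\n' "$kind" "${iif:--}" "${oif:--}" \
        "$(field SRC "$1")" "$(field DST "$1")"
}

# Summarise log lines from stdin: one line per (kind, in, out) with a packet count.
summarise_drops() {
    while IFS= read -r l; do classify_drop "$l" || :; done |
        awk '{ c[$1 " " $2 " " $3]++ } END { for (k in c) print c[k], k }' | sort
}

# Constructed sample: a client on the 176.16.2.0/24 segment (eth2) trying to reach
# a PPTP server, one GRE packet from that server arriving on eth1, and one
# unrelated HTTPS drop that the classifier must ignore.
SAMPLE_LOG='Jul  2 10:01:02 router kernel: DROPl:IN=eth2 OUT=eth1 SRC=176.16.2.50 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1059 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  2 10:01:05 router kernel: DROPl:IN=eth2 OUT=eth1 SRC=176.16.2.50 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1059 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  2 10:01:09 router kernel: DROPl:IN=eth1 OUT= SRC=203.0.113.10 DST=149.101.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=47
Jul  2 10:01:10 router kernel: DROPl:IN=eth0 OUT=eth1 SRC=176.16.1.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=2000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

A GRE drop with IN=eth1 and an empty OUT means the server's tunnel packets reached the router's own public address and were not matched to any tracked connection, which is the job of the PPTP conntrack/NAT helper modules (ip_conntrack_pptp and ip_nat_pptp on 2.6 kernels). TCP/1723 drops with IN=eth2 mean the client sits on the segment whose FORWARD rules only pass the explicitly listed ports, none of which is 1723.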