LinuxQuestions.org
Linux - Networking
10-02-2008, 10:23 PM   #1
ashwin_think

MS VPN access through iptables.


Hey, I've got an iptables script from the web, but I'm not able to implement it on my FC3 server. Please look at the following URL:

http://lists.debian.org/debian-firew.../msg00090.html

What I want to do is the same as what is described at the above URL, but it's not working on my server. I'm getting several warnings, which I saw in the message log:

====================================================================
Oct 2 15:40:17 nashik kernel: ## FW_I_BLOCK ## IN=ppp0 OUT= MAC= SRC=203.197.174.81 DST=59.95.54.252 LEN=1492 TOS=0x00 PREC=0x00 TTL=55 ID=24677 PROTO=TCP SPT=80 DPT=2313 WINDOW=6432 RES=0x00 ACK URGP=0
Oct 2 15:40:17 nashik kernel: ## FW_I_BLOCK ## IN=ppp0 OUT= MAC= SRC=218.248.240.24 DST=59.95.54.252 LEN=364 TOS=0x00 PREC=0x00 TTL=25 ID=63219 PROTO=UDP SPT=53 DPT=1034 LEN=344
Oct 2 15:40:20 nashik kernel: ACPI: PCI interrupt 0000:00:02.0[A] -> GSI 10 (level, low) -> IRQ 10
Oct 2 15:40:20 nashik kernel: [drm] Initialized i915 1.1.0 20040405 on minor 0:
Oct 2 15:40:20 nashik kernel: mtrr: base(0xd0020000) is not aligned on a size(0x300000) boundary
Oct 2 15:40:25 nashik kernel: ## FW_F_BLOCK ## IN=eth0 OUT=ppp0 SRC=192.168.0.112 DST=220.119.176.238 LEN=53 TOS=0x00 PREC=0x00 TTL=127 ID=46691 PROTO=UDP SPT=15536 DPT=11268 LEN=33
Oct 2 15:40:25 nashik kernel: ## FW_F_BLOCK ## IN=eth0 OUT=ppp0 SRC=192.168.0.112 DST=116.42.57.42 LEN=53 TOS=0x00 PREC=0x00 TTL=127 ID=46692 PROTO=UDP SPT=15536 DPT=15188 LEN=33
Oct 2 15:40:25 nashik kernel: ## FW_F_BLOCK ## IN=eth0 OUT=ppp0 SRC=192.168.0.112 DST=122.164.226.253 LEN=53 TOS=0x00 PREC=0x00 TTL=127 ID=46693 PROTO=UDP SPT=15536 DPT=27214 LEN=33
Oct 2 15:40:25 nashik kernel: ## FW_F_BLOCK ## IN=eth0 OUT=ppp0 SRC=192.168.0.112 DST=89.39.185.77 LEN=53 TOS=0x00 PREC=0x00 TTL=127 ID=46694 PROTO=UDP SPT=15536 DPT=9634 LEN=33
Oct 2 15:40:25 nashik kernel: ## FW_F_BLOCK ## IN=eth0 OUT=ppp0 SRC=192.168.0.112 DST=75.39.22.137 LEN=53 TOS=0x00 PREC=0x00 TTL=127 ID=46695 PROTO=UDP SPT=15536 DPT=8819 LEN=33
Oct 2 15:40:34 nashik kernel: ## FW_I_BLOCK ## IN=ppp0 OUT= MAC= SRC=203.197.114.21 DST=59.95.54.252 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=1438 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Oct 2 15:40:35 nashik kernel: ## FW_I_BLOCK ## IN=ppp0 OUT= MAC= SRC=203.200.85.168 DST=59.95.54.252 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=80 DPT=2327 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Oct 2 15:40:36 nashik kernel: ## FW_I_BLOCK ## IN=ppp0 OUT= MAC= SRC=217.163.21.31 DST=59.95.54.252 LEN=1492 TOS=0x00 PREC=0x00 TTL=51 ID=42717 PROTO=TCP SPT=80 DPT=2328 WINDOW=8001 RES=0x00 ACK URGP=0
Oct 2 15:41:01 nashik crond(pam_unix)[3293]: session opened for user root by (uid=0)

====================================================================


Also, here is my ifconfig output:

===============================================
eth0 Link encap:Ethernet HWaddr 00:134:19:CE:37
inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:135663 errors:0 dropped:0 overruns:0 frame:0
TX packets:139336 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
Interrupt:5 Base address:0xe400

eth1 Link encap:Ethernet HWaddr 00:08:A1:78:26:A6
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:200113 errors:0 dropped:0 overruns:0 frame:0
TX packets:103677 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
Interrupt:11 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:44691 errors:0 dropped:0 overruns:0 frame:0
TX packets:44691 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

ppp0 Link encap:Point-to-Point Protocol
inet addr:59.96.27.221 P-t-P:59.96.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:199370 errors:0 dropped:0 overruns:0 frame:0
TX packets:102927 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3

===============================================


Please help me to develop a VPN server so I can access it through the firewall.

Thanks.

Regards,
Ashwin
 
10-04-2008, 03:10 PM   #2
zmanea
Your rules look overly complex; it would help if you posted the output of this command: iptables -L && iptables -L -t nat

You should also use tcpdump to figure out if the GRE and TCP 1723 traffic is getting to the server and back to the client.

If the traffic is getting to/from the server, then it is most likely the config on your Windows server. How many NICs does the Windows server have?
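The suggestion above is to find out whether the PPTP traffic (the TCP/1723 control connection and the GRE data channel, IP protocol 47) reaches the server at all. Before reaching for tcpdump, the kernel log Ashwin already posted can answer part of that question: every "## FW_I_BLOCK ##" / "## FW_F_BLOCK ##" line is a packet the firewall dropped, and the PROTO/SPT/DPT fields say whether it was PPTP. The script below is an added example, not code from this thread; it parses lines in the LOG target's format, skips the unrelated kernel and crond lines, and counts how many drops per log prefix concern PPTP. The sample log is constructed: the layout copies the thread's lines, but the addresses are RFC 5737 documentation ranges, and the GRE lines assume the kernel prints an unrecognised protocol as PROTO=47.

```python
"""Sort iptables LOG output by whether it concerns PPTP (TCP/1723 + GRE).

Added example, not code from the thread. The LOG target prints one line per
matched packet: the rule's --log-prefix (here "## FW_I_BLOCK ##" and
"## FW_F_BLOCK ##", as in the original post) followed by KEY=VALUE fields.
"""
import re
from collections import Counter

PPTP_CONTROL_PORT = "1723"   # PPTP control connection
GRE_PROTOCOL_NUMBER = "47"   # GRE, the PPTP data channel

# "kernel: ## PREFIX ## KEY=VALUE KEY=VALUE ..."; kernel lines without a
# "## ... ##" prefix (ACPI, drm, crond, ...) are not firewall log lines.
LOG_LINE_RE = re.compile(r"kernel: (?P<prefix>## .*? ##) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample (RFC 5737 addresses); GRE lines assume PROTO=47 output.
SAMPLE_LOG = """\
Oct 2 15:40:17 nashik kernel: ## FW_I_BLOCK ## IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=TCP SPT=49152 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 2 15:40:17 nashik kernel: ## FW_I_BLOCK ## IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=2 DF PROTO=47
Oct 2 15:40:20 nashik kernel: ACPI: PCI interrupt 0000:00:02.0[A] -> GSI 10 (level, low) -> IRQ 10
Oct 2 15:40:25 nashik kernel: ## FW_F_BLOCK ## IN=eth0 OUT=ppp0 SRC=192.168.0.112 DST=203.0.113.77 LEN=53 TOS=0x00 PREC=0x00 TTL=127 ID=46691 PROTO=UDP SPT=15536 DPT=11268 LEN=33
Oct 2 15:40:26 nashik kernel: ## FW_F_BLOCK ## IN=ppp0 OUT=eth0 SRC=203.0.113.10 DST=192.168.0.112 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=47
Oct 2 15:41:01 nashik crond(pam_unix)[3293]: session opened for user root by (uid=0)
"""


def parse_log_line(line):
    """Return a dict of the LOG fields plus PREFIX, or None for non-firewall lines."""
    m = LOG_LINE_RE.search(line)
    if m is None:
        return None
    rec = {"PREFIX": m.group("prefix").strip("# ")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        # UDP lines carry LEN twice (IP total length, then UDP length); keep the first.
        rec.setdefault(key, value)
    return rec


def classify(rec):
    """'pptp-gre', 'pptp-control' or 'other' for one parsed LOG record."""
    proto = rec.get("PROTO", "")
    if proto == GRE_PROTOCOL_NUMBER:
        return "pptp-gre"
    if proto == "TCP" and PPTP_CONTROL_PORT in (rec.get("SPT"), rec.get("DPT")):
        return "pptp-control"
    return "other"


def summarize(log_text):
    """Count (prefix, class) pairs and collect the PPTP-related records."""
    counts = Counter()
    pptp = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        counts[(rec["PREFIX"], kind)] += 1
        if kind != "other":
            pptp.append(rec)
    return counts, pptp


def describe(rec):
    """One-line description of a dropped packet for a quick eyeball check."""
    ports = ""
    if "SPT" in rec:
        ports = " %s->%s" % (rec["SPT"], rec["DPT"])
    return "%s %s: proto %s%s %s -> %s (in=%s out=%s)" % (
        rec["PREFIX"], classify(rec), rec.get("PROTO", "?"), ports,
        rec.get("SRC"), rec.get("DST"), rec.get("IN") or "-", rec.get("OUT") or "-")


if __name__ == "__main__":
    counts, pptp = summarize(SAMPLE_LOG)
    for (prefix, kind), n in sorted(counts.items()):
        print("%-12s %-13s %d" % (prefix, kind, n))
    for rec in pptp:
        print(describe(rec))
```

Run it against the real log (`python3 pptp_drops.py < /var/log/messages` after replacing SAMPLE_LOG with stdin) and the FW_I_BLOCK entries tell you whether the INPUT chain is eating the client's TCP/1723 and GRE packets before any DNAT can forward them, while FW_F_BLOCK entries with IN=ppp0 OUT=eth0 show forwarding being refused after the DNAT did its job. If neither class appears, the packets are not reaching the gateway and tcpdump on ppp0 is the next step.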
 
10-12-2008, 11:03 PM   #3
ashwin_think (Original Poster)
Hi,

Thanks for your help. I've sorted out my problem with the following script:

#!/bin/sh
# Set these three variables before running (renamed from the original
# $SOURCE-IP / $PUBLIC-IP-OF-GATEWAY / $INTERNAL-VPN-SERVER, which are not
# valid shell variable names because of the hyphens):
#   SOURCE_IP   - address of the remote VPN client allowed to send GRE
#   PUBLIC_IP   - public address of this gateway (ppp0)
#   VPN_SERVER  - LAN address of the Windows VPN server behind the gateway

# GRE (IP protocol 47): redirect it to the internal VPN server, allow it to
# be forwarded, and masquerade so the VPN server replies via the gateway.
iptables -t nat -I PREROUTING -p 47 -s "$SOURCE_IP" -d "$PUBLIC_IP" -j DNAT --to "$VPN_SERVER"
iptables -I FORWARD -p 47 -d "$VPN_SERVER" -j ACCEPT
iptables -t nat -I POSTROUTING -p 47 -d "$VPN_SERVER" -j MASQUERADE

# PPTP control connection (TCP 1723): same three steps.
iptables -t nat -I PREROUTING -p tcp -d "$PUBLIC_IP" --dport 1723 -j DNAT --to "$VPN_SERVER:1723"
iptables -I FORWARD -p tcp -d "$VPN_SERVER" --dport 1723 -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -d "$VPN_SERVER" --dport 1723 -j MASQUERADE

Those rules port forward port 1723 to the local machine.

# Allow GRE in any direction and the VPN server's outgoing TCP traffic.
iptables -I FORWARD -p 47 -j ACCEPT
iptables -t nat -I POSTROUTING -p 47 -j MASQUERADE
iptables -I FORWARD -p tcp -s "$VPN_SERVER" -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -s "$VPN_SERVER" -j MASQUERADE


But I have one problem with this script. I'm using it after disabling iptables. I want to incorporate this script with the running firewall. How can I run these commands during boot with the firewall running? I've tried this through the rc.local file, but it just hangs during boot.

Just a little more help needed.


Thanks & Regards,
Ashwin.
 