LinuxQuestions.org > Linux - Networking
Old 11-21-2008, 01:05 PM   #1
wachaca

Question: newbie can't connect to client's VPN through my NAT.

Hello,
I have several XP workstations behind an Ubuntu 8.04 server providing NAT for the office.

When we had the DLINK router providing NAT, we were able to connect to a client's VPN based on PPTP/PPP using the Windows VPN client without any problems.

Now we can no longer connect to the client's VPN.

My nat.sh file looks like this:
(I came up with this from different tutorials and howtos)

Code:
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -F                 # flushes the filter table only; the nat table is left as is
iptables -P FORWARD ACCEPT  # forward everything between LAN and ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Any help would be appreciated.

Thanks

Old 11-23-2008, 04:23 AM   #2
blackhole54

Is it the ppp0 interface you want to MASQUERADE or some ethernet interface? (Is your Ubuntu box actively participating in the VPN traffic of the XP boxes or just passing through already encrypted traffic?)

A less important question (I think) is do you want to MASQUERADE or DNAT? MASQUERADE is designed for connections where the IP address is likely to change when an interrupted or dropped connection is re-established and DNAT is for stable IP addresses.

Also, let me give you a hint. The following commands (as root) are sometimes useful for troubleshooting:

Code:
iptables -nvL <optional chain name>
iptables -t nat -nvL <optional chain name>
The -v option on those commands will cause packet and byte counts to be shown with each rule. Each packet the rule processes that matches that rule will increase these counters. So if your traffic is not too heavy you might get some clues what might be wrong.

Old 11-24-2008, 10:29 AM   #3
mostlyharmless

On our DLINK router we had to open specific ports to allow a VPN to connect. Did you have a setting in your router that you need to duplicate in your iptables?

Old 11-25-2008, 08:18 AM   #4
blackhole54

Quote:
Originally Posted by mostlyharmless View Post
On our DLINK router we had to open specific ports to allow a VPN to connect. Did you have a setting in your router that you need to duplicate in your iptables?
Are you describing a situation where a client is behind a DLINK router or where the server is behind the DLINK router? If it is the client, can you provide a link to info about what needs to be opened? Thanks.

Old 11-25-2008, 01:17 PM   #5
mostlyharmless

The client is behind the router. Here's a link that might be helpful:

http://blogs.technet.com/rrasblog/ar...nectivity.aspx

Old 11-26-2008, 07:45 AM   #6
blackhole54

Thanks for the link, mostlyharmless. The way I am reading it, that article is talking about ports that need to be opened for the server rather than at the client end. Am I missing something?

@wachaca,

Have you made any progress?

Old 11-26-2008, 08:00 AM   #7
mostlyharmless

My understanding is that they had to be open on the client side as well. Certainly, we couldn't get a VPN connection until we did that, and closing them again (which I did inadvertently once) stopped the VPN connection from working.

I didn't read the specific link closely; I was just looking for a generic list of ports. For our specific work related VPN we got a list of ports from work to open on our home router to allow the VPN to connect.

Hope that clarifies things.

Old 11-26-2008, 08:32 AM   #8
blackhole54

Thanks again, mostlyharmless.

I was inquiring because of my involvement with another thread with pptp problems. After doing some more Internet search and looking at the Wikipedia page I see that NAT and firewall can cause problems because both GRE and a TCP connection are involved. Indeed, I see that netfilter has a special module to track pptp connections. So after letting this digest in my own mind for a while, I'll try to pass on my partial understanding to the other poster in hopes of helping him.

Thanks again.
 
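As an added example that is not wachaca's nat.sh and not code from any reply in this thread: a gateway script that does what blackhole54 points at in #8 and what the DLINK port list in #7 amounts to. It loads the netfilter PPTP connection-tracking and NAT helper, forwards both halves of a PPTP session (the TCP/1723 control connection and the GRE tunnel, IP protocol 47, which carries no port numbers and so cannot be masqueraded by ordinary NAT), and keeps MASQUERADE on ppp0 because that link's address changes. The interface names eth1 (LAN) and ppp0 (WAN) and the LAN range 192.168.1.0/24 are assumptions to be replaced with the real gateway's values. Run with no arguments it only prints the rule set so it can be reviewed without root; `--apply` executes it.

```shell
#!/bin/sh
# Added example, not the original poster's nat.sh and not from any LQ post.
# Gateway rules that let LAN clients reach an external PPTP VPN server.
# Assumed (hypothetical) names: LAN side eth1, WAN side ppp0, LAN 192.168.1.0/24.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the rule set, one command per line, without executing anything,
# so it can be reviewed (or tested) as an unprivileged user.
pptp_nat_rules() {
    cat <<EOF
# PPTP = TCP/1723 control connection + GRE (IP protocol 47) data tunnel.
# GRE has no ports, so plain NAT cannot tell two clients' tunnels apart;
# the pptp helper reads the call IDs from the control channel, marks the
# GRE flow as RELATED and rewrites it so several clients can share one IP.
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p gre -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Number of (non-comment) commands in the rule set that contain a token;
# used to sanity-check the generated set before applying it.
pptp_rule_count() {
    pptp_nat_rules | grep -v '^#' | grep -c -- "$1"
}

# Execute the rule set; must run as root. sh -e stops at the first failure
# so a half-applied firewall is noticed rather than silently left in place.
pptp_nat_apply() {
    pptp_nat_rules | sh -e
}

case "${1:-}" in
    --apply) pptp_nat_apply ;;
    *)       pptp_nat_rules ;;   # default: dry run, only print the commands
esac
```

After applying, `iptables -nvL FORWARD` (the check from #2) should show the `gre` rule's packet counter climbing once a client dials in; if only the `tcp dpt:1723` counter moves, the helper is not attached to the control connection. On kernels from 4.7 on, automatic helper assignment is disabled by default (`net.netfilter.nf_conntrack_helper=0`), so loading the module is not enough: the helper has to be attached explicitly with a raw-table rule of the form `iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp`. The 2.6.24 kernel in Ubuntu 8.04 still assigns it automatically when the module is loaded.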
Tags: nat, ppp, pptp, vpn, xp