LinuxQuestions.org
Old 07-27-2004, 03:44 PM   #1
twistedpair
Member
 
Registered: Jan 2004
Posts: 71

Rep: Reputation: 15
Port forward GRE and PPTP using IPtables


Hi all,
The subject sorta says it all. I am trying to get PPTP traffic, and GRE (which is part of it) forwarded through the firewall. So far TCP 1723 is forwarding correctly, but I can't seem to get GRE to forward. Anyone have any success with this?

Also anyone have any success with this using FWBuilder? If so have you been able to set this up?

Thanks,
Pair
 
Old 07-27-2004, 04:01 PM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 11,899

Rep: Reputation: 746
GRE is port 47. I do not use FWBuilder but I would think you would configure it the same as port 1723
 
Old 07-27-2004, 04:13 PM   #3
twistedpair
Member
 
Registered: Jan 2004
Posts: 71

Original Poster
Rep: Reputation: 15
Hmm, I thought it was Protocol 47? I will give it a try, and post back. Thanks!

Pair
 
Old 07-27-2004, 04:24 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 11,899

Rep: Reputation: 746
Nevermind, what was I thinking.... You're correct, it is protocol 47... I'm tired.

Check this out:
http://lists.debian.org/debian-firew.../msg00090.html

Last edited by michaelk; 07-27-2004 at 04:39 PM.
 
Old 07-27-2004, 04:24 PM   #5
twistedpair
Member
 
Registered: Jan 2004
Posts: 71

Original Poster
Rep: Reputation: 15
I opened up Protocol 47, and port 47. Still no go. I can see GRE traffic on the outside interface when I connect from the outside, but not the internal interface. Any other ideas?

Pair
 
Old 07-27-2004, 05:07 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 11,899

Rep: Reputation: 746
I assume the distro you're running uses iptables? I could look at the generated iptables script and probably find the problem.

A quick scan of the manual does not provide any easy answers.
 
Old 07-27-2004, 05:09 PM   #7
twistedpair
Member
 
Registered: Jan 2004
Posts: 71

Original Poster
Rep: Reputation: 15
Lemme see what I can do. The most difficult thing for me at least, is scanning through the list of iptables rules, and trying to translate them in my brain into FWBuilder rules. Let me see if I can paste the results of an iptables -L into a post. I am running Mandrake 9.2 BTW.

Thank you
Pair
 
Old 07-27-2004, 05:17 PM   #8
twistedpair
Member
 
Registered: Jan 2004
Posts: 71

Original Poster
Rep: Reputation: 15
Here it is . . . Any ideas?

Thanks again,
Pair

Code:
Chain INPUT (policy DROP)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <Outside IP> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere <Outside IP> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere <Outside IP> state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere 192.168.3.4 state NEW
ACCEPT tcp -- anywhere Firewall multiport dports http,https state NEW
ACCEPT tcp -- anywhere <Outside IP> multiport dports http,https state NEW
ACCEPT tcp -- anywhere Firewall multiport dports http,https state NEW
ACCEPT tcp -- anywhere 192.168.3.4 multiport dports http,https state NEW
ACCEPT all -- Firewall BASE-ADDRESS.MCAST.NET/4 state NEW
ACCEPT all -- <Outside IP> base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall base-address.mcast.net/4 state NEW
ACCEPT all -- 192.168.3.4 base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- <Outside IP> anywhere state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- 192.168.3.4 anywhere state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.3.9 tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere <mailserver> multiport dports https,pop3,imap,imaps state NEW
RULE_3 tcp -- anywhere <client_machine_name> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <client_machine_name> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere <client_machine_name> state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.3.9 tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere <mailserver> multiport dports https,pop3,imap,imaps state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <Outside IP> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere <Outside IP> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere Firewall multiport dports ftp,ftp-data,1723 state NEW
RULE_3 tcp -- anywhere 192.168.3.4 multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere <Outside IP> state NEW
RULE_3 gre -- anywhere Firewall state NEW
RULE_3 gre -- anywhere 192.168.3.4 state NEW
RULE_3 tcp -- anywhere <client_machine_name> tcp spt:ftp-data dpts:1024:65535 state NEW
RULE_3 tcp -- anywhere <client_machine_name> multiport dports ftp,ftp-data,1723 state NEW
RULE_3 gre -- anywhere <client_machine_name> state NEW
ACCEPT udp -- Firewall 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- <Outside IP> 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- <Outside IP> 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- Firewall 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT udp -- 192.168.3.4 192.168.3.0/24 udp dpt:domain state NEW
ACCEPT udp -- 192.168.3.4 192.168.9.0/24 udp dpt:domain state NEW
ACCEPT all -- Firewall base-address.mcast.net/4 state NEW
ACCEPT all -- <Outside IP> base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall base-address.mcast.net/4 state NEW
ACCEPT all -- 192.168.3.4 base-address.mcast.net/4 state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- <Outside IP> anywhere state NEW
ACCEPT all -- Firewall anywhere state NEW
ACCEPT all -- 192.168.3.4 anywhere state NEW
ACCEPT all -- 192.168.3.0/24 anywhere state NEW
ACCEPT all -- 192.168.9.0/24 anywhere state NEW
ACCEPT all -- 172.16.1.0/24 anywhere state NEW
RULE_8 all -- anywhere anywhere

Chain RULE_3 (30 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `RULE 3 -- ACCEPT '
ACCEPT all -- anywhere anywhere

Chain RULE_8 (3 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix `RULE 8 -- DENY '
DROP all -- anywhere anywhere
 
Old 08-01-2004, 04:38 AM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
That's a horrible format to try and read...

Try using iptables-save and post that please

You should have modules ip_conntrack_pptp & ip_nat_pptp loaded at least.
Do lsmod to check and modprobe ip_nat_pptp to load both.
 
Old 05-27-2005, 02:41 PM   #10
stevesl
LQ Newbie
 
Registered: May 2005
Location: Cincinnati, Ohio
Posts: 8

Rep: Reputation: 0
I guess you never got an answer to this so I thought to throw in my 2 cents.

VPN (in the simplified MicroS*ft rras 56-bit encryption client sense) is IP protocol # 47 (or GRE) AND IP protocol TCP port 1723.

EX:
assume for simplicity: iptables -P FORWARD ACCEPT
then:
echo ">>>--- setup nat VPN"
iptables -t nat -A PREROUTING -i <Public-IFace> -p gre -d <VPN-Public-IP> -j DNAT --to-destination <VPN-DMZ-IP>
iptables -t nat -A PREROUTING -i <Public-IFace> -p tcp --sport 1024:65535 -d <VPN-Public-IP> --dport 1723 -j DNAT --to-destination <VPN-DMZ-IP>
 
Old 07-09-2005, 11:14 PM   #11
zn99
LQ Newbie
 
Registered: Jul 2005
Posts: 1

Rep: Reputation: 0
Use pptp proxy !!!!!

On Linux, it's a major pain to forward pptp using iptables.

Use pptpproxy. It was designed for that and it works like a charm.

I've been using it both at home and at the office (where it forwards
connection to an internal Windoze PPTP server), and it's been working
without a glitch for more than two years.

Get it here : http://www.mgix.com/pptpproxy
 
Old 11-13-2008, 06:04 PM   #12
furrie
LQ Newbie
 
Registered: Dec 2001
Location: Yate, Bristol, England, UK
Distribution: CentOS, Ubuntu, FreeBSD
Posts: 23

Rep: Reputation: 15
stevesl you are my hero! I have spent hours messing about looking for a solution to my problem that I could actually cut and paste into my iptables file (after a little tweaking to suit my circumstances).
 
Old 10-02-2009, 08:23 PM   #13
abinf
LQ Newbie
 
Registered: Jul 2009
Location: Faro
Distribution: Fedora
Posts: 3

Rep: Reputation: 0
Hi!

I have the same problem (I need to forward a VPN connection to an MS Windows Server behind a Linux box), and the solution has not worked :/
But the zn99 solution with pptpproxy, yes..

Any idea?

I opened the issue some months ago here.

Best regards,
 
Old 05-07-2011, 04:41 AM   #14
CodeKrash
LQ Newbie
 
Registered: May 2011
Posts: 21

Rep: Reputation: 1
Port Forwarding - SNAT = Secure or not!?

Hi, first post

I saw this: {oops first post so I can't tell you the link, just that it's on ubuntuforums.org I think}

and am trying the same kind of thing (forwarding data back through a listening tunnel, like PPTP I guess).

I'm a real nub when it comes to firewall scripts for linux, can anyone tell me if there's a gaping hole anywhere? Send me a PM or email if you think it's serious. Thanks a bunch for the real gurus probably using these forums. I understand about port obfuscation, but I've been too busy to properly research these things lately.

Code:
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    REJECT     all  --  0.0.0.0/0            127.0.0.0/8         reject-with icmp-port-unreachable
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1194
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3690
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
9    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  10.8.0.0/24          0.0.0.0/0           to:<an internet facing IP Ver 4 address>

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Last edited by CodeKrash; 05-07-2011 at 04:42 AM.
 
Old 05-07-2011, 05:06 AM   #15
CodeKrash
LQ Newbie
 
Registered: May 2011
Posts: 21

Rep: Reputation: 1
This might help:

Code:
# Generated by iptables-save v1.4.3.1 on Sat May  7 05:56:53 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [63260:29151195]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3690 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Sat May  7 05:56:53 2011
# Generated by iptables-save v1.4.3.1 on Sat May  7 05:56:53 2011
*nat
:PREROUTING ACCEPT [5462:510154]
:POSTROUTING ACCEPT [22:1595]
:OUTPUT ACCEPT [22:1595]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source <an internet facing IP Ver 4 address>
COMMIT
# Completed on Sat May  7 05:56:53 2011
This is what stuck out to me: SNAT, and the accept-all indicator on the previous readout; that looks a bit scary.

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source <an internet facing IP Ver 4 address>


Implicit DNAT (or something like that). How do I forward ports to my IP (static IP)?

I read that:

Quote:
13 POSTROUTE is just another chain

* Selective rules can be used
* Different manipulations are possible
* Use -j ACCEPT to let the packet through untouched

I'll give this a whack:

Code:
iptables -A INPUT -i eth1 -s 0.0.0.0/32 \
          -d 10.8.0.6 -p tcp \
          --sport 8080 -m state \
          --state ESTABLISHED,RELATED -j ACCEPT
to forward the port 8080 to my open vpn client?
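An added checker, written for this thread and not code from any poster, that ties together peter_robb's advice to read the rule set in iptables-save format (post #9), the DNAT pair stevesl gives (post #10) and the dump above (post #15). It parses iptables-save output and answers the question the thread keeps circling: are both halves of a PPTP session (TCP 1723 and GRE) actually DNATed to the inside server, and does the FORWARD chain admit the first packet of each, or is "forwarding" only happening because the FORWARD policy is ACCEPT? It also parses lsmod output for the helper modules peter_robb names. All addresses, interface names and module sizes in the samples are constructed (203.0.113.10 is a documentation address standing in for <VPN-Public-IP>); the nf_conntrack_pptp / nf_nat_pptp names are the current spellings of the old ip_conntrack_pptp / ip_nat_pptp modules.

```python
"""Audit an iptables-save dump for a complete PPTP passthrough (TCP 1723 plus GRE)."""
import shlex

# Long option spellings folded onto the short ones iptables-save emits.
ALIASES = {"--protocol": "-p", "--destination": "-d", "--destination-port": "--dport",
           "--jump": "-j", "--in-interface": "-i", "--out-interface": "-o"}
# PPTP helper modules: (2.4/2.6 kernel name as used in the thread, current nf_ name).
PPTP_HELPERS = (("ip_conntrack_pptp", "nf_conntrack_pptp"), ("ip_nat_pptp", "nf_nat_pptp"))

def parse_iptables_save(text):
    """Return ({(table, chain): policy}, [rule]); each rule is a dict option -> value
    (None for bare flags, first occurrence wins) plus a "table" key."""
    table, policies, rules = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks, rule, i = shlex.split(line), {"table": table}, 0
            while i < len(toks):
                key = ALIASES.get(toks[i], toks[i])
                if key.startswith("-"):
                    val = None
                    if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                        val, i = toks[i + 1], i + 1
                    rule.setdefault(key, val)
                i += 1
            rules.append(rule)
    return policies, rules

def _host(value):
    # 10.0.0.5, 10.0.0.5/32 and 10.0.0.5:1723 all compare as the host 10.0.0.5
    return None if value is None else value.split(":")[0].split("/")[0]

def audit_pptp_passthrough(text, dmz_ip):
    """DNAT for GRE and TCP/1723 in nat PREROUTING, and FORWARD admitting each to dmz_ip."""
    policies, rules = parse_iptables_save(text)
    nat_pre = [r for r in rules if (r["table"], r["-A"]) == ("nat", "PREROUTING")]
    forward = [r for r in rules if (r["table"], r["-A"]) == ("filter", "FORWARD")]
    policy_accept = policies.get(("filter", "FORWARD")) == "ACCEPT"

    def dnat_to_dmz(proto, port=None):
        return any(r.get("-p") == proto and r.get("-j") == "DNAT"
                   and (port is None or r.get("--dport") == port)
                   and _host(r.get("--to-destination")) == dmz_ip for r in nat_pre)

    def forward_admits(proto, port=None):
        # Deliberately conservative: only host-exact or unrestricted -d counts, and rule
        # order (an earlier DROP) is not modelled, so read False as "go and look".
        for r in forward:
            state = r.get("--state") or r.get("--ctstate") or "NEW"
            if (r.get("-j") == "ACCEPT" and r.get("-p") in (None, "all", proto)
                    and (port is None or r.get("--dport") in (None, port))
                    and _host(r.get("-d")) in (None, dmz_ip)
                    and "NEW" in state.split(",")):  # ESTABLISHED-only rules never admit packet 1
                return True
        return policy_accept  # nothing matched: only an ACCEPT policy lets it through

    f = {"gre_dnat": dnat_to_dmz("gre"), "pptp_tcp_dnat": dnat_to_dmz("tcp", "1723"),
         "forward_gre": forward_admits("gre"), "forward_1723": forward_admits("tcp", "1723"),
         "forward_policy_accept": policy_accept}
    f["complete"] = all(f[k] for k in ("gre_dnat", "pptp_tcp_dnat", "forward_gre", "forward_1723"))
    return f

def missing_pptp_helpers(lsmod_text):
    """Helper modules absent from lsmod output (neither the old nor the nf_ name loaded)."""
    loaded = {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.strip()}
    return [old for old, new in PPTP_HELPERS if old not in loaded and new not in loaded]

# Constructed sample: stevesl's DNAT pair completed with a default-DROP FORWARD chain.
COMPLETE_DUMP = """\
*nat
-A PREROUTING -i eth0 -d 203.0.113.10/32 -p gre -j DNAT --to-destination 192.168.3.4
-A PREROUTING -i eth0 -d 203.0.113.10/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.3.4
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.3.4/32 -p gre -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
COMMIT
"""
# Constructed sample shaped like the post #15 dump: no DNAT, FORWARD policy ACCEPT.
OPEN_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
"""
LSMOD_SAMPLE = "Module  Size  Used by\nnf_conntrack_pptp  20480  0\nnf_conntrack_proto_gre  16384  1 nf_conntrack_pptp\n"

if __name__ == "__main__":
    print("complete:", audit_pptp_passthrough(COMPLETE_DUMP, "192.168.3.4"))
    print("open:", audit_pptp_passthrough(OPEN_DUMP, "10.8.0.6"))
    print("missing helpers:", missing_pptp_helpers(LSMOD_SAMPLE))
```

On a live box, feed the output of `iptables-save` and `lsmod` to the two functions instead of the samples. On the open sample the report says `forward_gre` and `forward_1723` are True only because `forward_policy_accept` is True, which is the situation the post #15 dump is in: nothing is being forwarded to a specific host, everything is. The iptables-save form also shows why rule 1 of that `iptables -L` listing reads as "ACCEPT all 0.0.0.0/0 0.0.0.0/0": the match is `-i lo`, and `-L` without `-v` does not print interfaces, so the loopback-only rule looks like an accept-all.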
 