LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 10-13-2015, 10:58 AM   #1
TiNik
LQ Newbie
 
Registered: Feb 2011
Posts: 7

Rep: Reputation: 0
NAT problem - internet works but VPN to remote server doesn't


Hi, I have a problem with NAT on a FW server. Internet for the intranet network works fine, but when a client PC tries to connect to a remote VPN server (MS VPN), it is not able to.

Network schema:
VPN CLIENT <---192.168.1.1/24--->/eth1/ NAT FW /eth0/ <---10.0.0.0/24--->ROUTER (public IP) <---internet--->VPN SERVER

If I connect the client PC directly behind the router, the VPN connection works.

NAT FW - iptables:
Code:
*filter
:INPUT DROP [77:8066]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [92:12477]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Do you have any idea what the specifics of MS VPN are for FW settings?
 
Old 10-13-2015, 02:12 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Change your FORWARD rule

Code:
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
The reason for this is that your inbound is looking for an active state, but none has been established with the 2nd FORWARD rule, as you are just letting things out without placing those connections in the pool.
 
Old 10-14-2015, 02:52 AM   #3
TiNik
LQ Newbie
 
Registered: Feb 2011
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by lazydog
Change your FORWARD rule

Code:
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
The reason for this is that your inbound is looking for an active state, but none has been established with the 2nd FORWARD rule, as you are just letting things out without placing those connections in the pool.
Thanks for your advice. My iptables now look like this, but the connection still doesn't work.
Code:
*filter
:INPUT DROP [171:14631]
:FORWARD DROP [38:1690]
:OUTPUT ACCEPT [4692:3252809]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
 
Old 10-15-2015, 08:47 AM   #4
TiNik
LQ Newbie
 
Registered: Feb 2011
Posts: 7

Original Poster
Rep: Reputation: 0

The problem was solved by loading the following modules:

Code:
ip_nat_pptp
ip_conntrack_pptp
 
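The fix the thread arrived at, as an added example that is not part of the thread or of anyone's post: the stateful FORWARD rule from post #2 combined with the PPTP helper from post #4. PPTP needs two flows through the NAT box: the TCP/1723 control connection and the GRE (IP protocol 47) data channel, which carries no ports for MASQUERADE to rewrite. The conntrack/NAT helper reads the call IDs from the control connection and marks the GRE flow RELATED, so the RELATED,ESTABLISHED FORWARD rule is what lets it through. The script below emits a complete iptables-restore ruleset and provides two audit functions that check an iptables-save dump and a /proc/modules listing for the pieces a PPTP client behind NAT needs. Assumptions not in the thread: interface names default to the diagram's eth1 (LAN) and eth0 (WAN), overridable via LAN_IF and WAN_IF; on current kernels the helpers are named nf_conntrack_pptp and nf_nat_pptp (the ip_* names in post #4 are the older ones); and the raw-table CT rule is included because kernels since 4.7 default nf_conntrack_helper to 0 and no longer attach helpers automatically. Separately, PPTP's MS-CHAPv2 authentication is considered broken, so this makes the NAT path work for an existing deployment rather than recommending the protocol.

```shell
#!/bin/sh
# Added example (not from the thread): corrected NAT firewall ruleset for a
# PPTP client behind MASQUERADE, plus audits of a saved ruleset and modules.
# Interface names are from the thread's diagram; override with LAN_IF/WAN_IF.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the full ruleset in iptables-restore format ('#' lines are ignored).
pptp_nat_ruleset() {
  cat <<EOF
*raw
# Kernels since 4.7 default nf_conntrack_helper=0: a helper is attached only
# when a CT rule asks for it (assumption: nf_conntrack_pptp and nf_nat_pptp
# are loaded, e.g. via /etc/modules-load.d).
-A PREROUTING -i $LAN_IF -p tcp --dport 1723 -j CT --helper pptp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Helper-expected GRE flows come back as RELATED and match here.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Report one missing item. $1 = dump text, $2 = ERE, $3 = description.
_need_rule() {
  if printf '%s\n' "$1" | grep -Eq -- "$2"; then return 0; fi
  echo "missing: $3"
  return 1
}

# Audit an iptables-save dump read from stdin. Accepts both the legacy
# "-m state --state" and the "-m conntrack --ctstate" spellings. Prints each
# missing piece; returns 0 only when everything is present.
check_pptp_nat_dump() {
  dump=$(cat)
  st='-m (state --state|conntrack --ctstate)'
  rc=0
  _need_rule "$dump" "^-A FORWARD -i $LAN_IF -o $WAN_IF( $st [^ ]*NEW[^ ]*)? -j ACCEPT\$" \
    "FORWARD rule accepting NEW connections $LAN_IF -> $WAN_IF" || rc=1
  _need_rule "$dump" "^-A FORWARD .*$st [^ ]*(RELATED|ESTABLISHED)[^ ]* -j ACCEPT\$" \
    "FORWARD rule for RELATED,ESTABLISHED (GRE return traffic)" || rc=1
  _need_rule "$dump" "^-A POSTROUTING -o $WAN_IF -j MASQUERADE\$" \
    "MASQUERADE on $WAN_IF" || rc=1
  _need_rule "$dump" "^-A PREROUTING .*-p tcp .*--dport 1723 .*-j CT --helper pptp\$" \
    "raw-table CT --helper pptp rule for TCP/1723" || rc=1
  return $rc
}

# Audit /proc/modules (or lsmod) text on stdin for the two PPTP helpers,
# accepting the thread's old ip_* names and the current nf_* names.
check_pptp_modules() {
  mods=$(cat)
  rc=0
  for m in conntrack_pptp nat_pptp; do
    printf '%s\n' "$mods" | grep -Eq "^(ip|nf)_$m[[:space:]]" \
      || { echo "missing: $m helper module (ip_$m / nf_$m)"; rc=1; }
  done
  return $rc
}

case "${1:-}" in
  --apply) pptp_nat_ruleset | iptables-restore ;;   # needs root
  --check) iptables-save | check_pptp_nat_dump
           check_pptp_modules < /proc/modules ;;
  *)       pptp_nat_ruleset ;;                       # just print the ruleset
esac
```

Run it with no arguments to review the generated ruleset, `--apply` to load it, and `--check` on the firewall to see which of the four rule elements or two helper modules a live box is missing; run against the dump from post #1, the audit reports only the absent CT helper rule, which is exactly the gap post #4 closed.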
Old 10-16-2015, 07:51 AM   #5
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Glad to hear you got it working.
 