LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 11-09-2001, 03:39 AM   #1
steppin_razor (LQ Newbie)
PPTP hell (IPtables)


Day 3 of my crash course in Linux firewalls.

The good news - I've got it working. I like it. It port forwards. Wee.

The bad news - PPTP is beating me down.

Ideally, I'd like to port forward VPN (1723 + GRE) connections to my Win2K VPN server on the back network. I haven't been able to get this working. I tried the following (with and without the FORWARD rules) - I noticed that I would see a message about the VPN-1723 when I tried a VPN connection from the outside world, but I never saw the GRE rule fire (not sure if it is even supposed to) -- end result is that it just wouldn't work.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j LOG --log-prefix "VPN-1723: "
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 10.0.0.51
iptables -A FORWARD -i eth1 -o eth0 -p 47 -d 10.0.0.51 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p 47 -j LOG --log-prefix "VPN-GRE: "
iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 10.0.0.51
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 10.0.0.51 --dport 1723 -j ACCEPT

I dug around and found this:

http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

It said:

>Server masquerade for PPTP also works with the default masquerade code. Add the following rules:
>
>PPTP (1723/tcp and 47/ip):
>
>/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.0.5
>/sbin/iptables -t nat -A PREROUTING -i eth1 -p 47 -j DNAT --to 192.168.0.5
>
>...where 192.168.0.5 is the local-network IP address of the PPTP
>server. I have not had any reports regarding IPsec server
>masquerade.
>
>Masquerading multiple clients talking to the same remote
>gateway will require protocol-specific support in the form of
>kernel patches, which are not yet available. Sorry.

I'm not sure exactly how to interpret this, but I assume that it means I'm SOL?...

Any help on getting the port forwarding to work would be super appreciated.

In the meantime, I've been trying to figure out how to get PPTPD to work and support MS style PPTP connections (i.e. CHAP.. etc)...

*RANT*
I know that the Linux/Unix world isn't full of MS lovers, etc., but you'd think that people would be building in support for the largest installed base of desktops by default. I'm still struggling with applying the kernel/PPP/pptpd patches/configurations to get this all working (kernel recompile # I've-lost-count running right now).


Thanks again for all the help!!!
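Added example, not from the thread or from the HOWTO quoted above: a shell script that emits the complete iptables rule set for passing one PPTP server through a Linux NAT box. It assumes the layout in the post (eth1 outside, eth0 inside, the Win2K server at 10.0.0.51), a FORWARD chain whose default policy drops everything else, and a kernel that ships the nf_conntrack_pptp and nf_nat_pptp helper modules (2.6 and later; the 2.4.7 kernel in the thread predates them, which is why the quoted HOWTO says multi-client masquerading needs patches). Two details worth knowing when reading the original rules: the nat table is consulted only for the first packet of a connection, so a LOG rule in nat PREROUTING fires at most once per GRE flow rather than per packet, and GRE carries no port, so all inbound GRE on the outside interface has to go to a single server; two PPTP servers behind one public address cannot be told apart.

```shell
#!/bin/sh
# Added example: forward a PPTP server (1723/tcp control channel plus GRE,
# IP protocol 47, data channel) through a Linux NAT firewall with iptables.
# Interface names and the server address are assumptions taken from the
# thread; adjust them for your own network.
WAN_IF=eth1          # outside interface
LAN_IF=eth0          # inside interface
PPTP_SERVER=10.0.0.51   # assumed address of the PPTP server on the LAN

# Emit the rules rather than executing them, so they can be reviewed (or
# diffed against `iptables-save`) before they touch a live firewall.
pptp_forward_rules() {
    cat <<EOF
# Helpers (2.6+ kernels): track the call IDs carried in the GRE header so
# each GRE flow is paired with its own 1723 control session.
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Control channel and data channel both land on the internal server.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 1723 -j DNAT --to-destination $PPTP_SERVER
iptables -t nat -A PREROUTING -i $WAN_IF -p 47 -j DNAT --to-destination $PPTP_SERVER
# Inbound: only the two PPTP flows, only to that one host.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PPTP_SERVER -p tcp --dport 1723 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PPTP_SERVER -p 47 -j ACCEPT
# Return path: replies from the server back out to the client (GRE has no
# port, so it is matched by protocol and source host, not by state alone).
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PPTP_SERVER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PPTP_SERVER -p 47 -j ACCEPT
EOF
}

# Sanity check before loading: GRE must be DNATed to the server and allowed
# in both directions, otherwise the 1723 handshake succeeds and the tunnel
# then hangs, which is the symptom described in the thread.
check_rules() {
    rules=$(pptp_forward_rules)
    echo "$rules" | grep -q -- "-p 47 -j DNAT --to-destination $PPTP_SERVER" || return 1
    echo "$rules" | grep -q -- "-i $WAN_IF -o $LAN_IF -d $PPTP_SERVER -p 47 -j ACCEPT" || return 1
    echo "$rules" | grep -q -- "-i $LAN_IF -o $WAN_IF -s $PPTP_SERVER -p 47 -j ACCEPT" || return 1
    return 0
}

# `./pptp-forward.sh` prints the rules; `./pptp-forward.sh --apply` runs them.
if [ "$1" = "--apply" ]; then
    check_rules || { echo "rule set incomplete, refusing to apply" >&2; exit 1; }
    pptp_forward_rules | grep -v '^#' | sh
else
    pptp_forward_rules
fi
```

The helper modules matter only when several clients on the inside talk to one outside PPTP server (the case the HOWTO says needs patches); for a single server behind the NAT box, the plain DNAT of 1723/tcp and protocol 47 shown here is what does the work. If you want per-packet logging of GRE while debugging, put the LOG rule in the filter FORWARD chain, not in nat PREROUTING.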
 
Old 11-09-2001, 06:03 PM   #2
dangel (Member)
*well*
Only one comment: if M$ didn't make their own proprietary version of IPSEC - and *BREAK* it - you wouldn't be having the problems you're having.

:P

PPTP is very unstable. I suggest, *if you can*, switching over to IPsec, and your problems will go away.
 
Old 11-09-2001, 06:26 PM   #3
steppin_razor (LQ Newbie, original poster)
PPTPD...

It took a bit of struggling, but I did get PPTPD working. I haven't really "burn tested" it, but I appear to be able to VPN in and then map network drives.

If I have problems with it, I guess I'll go hunt down an L2TP/IPsec implementation.

It would still be nice though if I could just get the firewall to port forward to the MS VPN server.
 
Old 11-09-2001, 06:37 PM   #4
dangel (Member)
Yes, I agree. Regardless, you want it to do what it is supposed to do. =) Forward the ports, damnit! hehe
---
Good to hear it worked. So what was the deal?
 
Old 11-09-2001, 10:27 PM   #5
steppin_razor (LQ Newbie, original poster)
PPTP w/ support for MSCHAP authentication under 2.4.7 (redhat 7.2)

I downloaded the source for PPP-2.4.1 and PPTPD-1.01. I got patches (ppp-2.4.1-MSCHAPv2-fix.patch and ppp-2.4.1-openssl-0.9.6-mppe-patch) for PPP and applied them. I also applied linux-2.4.4-openssl-0.9.6.a-mppe.patch to my Linux Kernel (2.4.7-10). The kernel patch had the kernel version hardcoded into it so I had to change that.

I then followed (mostly, with the differences outlined above) the directions at:

http://poptop.lineo.com/releases/PoP...dHat-HOWTO.txt

I had problems when I tried compiling the PPP options directly into the kernel. I took a cue from a posting I had seen from someone else and installed them as modules.
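Added example, not from the post or from the PoPToP HOWTO it links: the pptpd and pppd configuration that gives Windows clients what they expect (MS-CHAPv2 plus 128-bit MPPE) while refusing the weaker methods, shown beside the permissive variant. The option names are those of a current pppd 2.4.x with built-in MPPE support, not the 2001-era patched ppp-2.4.1 build described above; the addresses and file paths are assumptions. Caveat a practitioner should carry with this: MS-CHAPv2 itself is known to be crackable offline from a captured handshake, and the MPPE keys are derived from it, so this hardening is the best PPTP can do rather than a reason to prefer it over IPsec.

```shell
#!/bin/sh
# Added example: pptpd/pppd configuration for MS-CHAPv2 + MPPE-128 only.
# Addresses, paths and the peer name are assumptions; change them to taste.
PPTPD_CONF=/etc/pptpd.conf
PPP_OPTIONS=/etc/ppp/options.pptpd

# pptpd side: where the pppd options live and the address pool for clients.
pptpd_conf() {
    cat <<'EOF'
option /etc/ppp/options.pptpd
localip 10.0.0.1
remoteip 10.0.0.200-220
EOF
}

# Weak variant: nothing is refused or required, so a client may negotiate
# PAP (cleartext password), CHAP or MS-CHAPv1, and an unencrypted session.
pppd_options_weak() {
    cat <<'EOF'
name pptpd
ms-dns 10.0.0.2
proxyarp
lock
EOF
}

# Hardened variant: refuse every method except MS-CHAPv2, and require
# stateless 128-bit MPPE so a session without encryption is rejected.
pppd_options_hardened() {
    cat <<'EOF'
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
ms-dns 10.0.0.2
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
EOF
}

# Check an options file (passed as a string) for the five lines that make
# the difference; each must appear as a whole line.
options_are_hardened() {
    opts="$1"
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128; do
        echo "$opts" | grep -qx "$opt" || return 1
    done
    return 0
}

# `./pptpd-config.sh` prints both files; `--install` writes them out.
# Credentials still go in /etc/ppp/chap-secrets, which this script does not touch.
if [ "$1" = "--install" ]; then
    options_are_hardened "$(pppd_options_hardened)" || exit 1
    pptpd_conf > "$PPTPD_CONF"
    pppd_options_hardened > "$PPP_OPTIONS"
    chmod 600 "$PPP_OPTIONS"
else
    echo "# $PPTPD_CONF"; pptpd_conf
    echo; echo "# $PPP_OPTIONS"; pppd_options_hardened
fi
```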
 
Old 11-09-2001, 10:51 PM   #6
dangel (Member)
sweet.
 
Old 02-05-2002, 06:39 PM   #7
iamnotherbert (Member)
Sounds like your firewall's good to go. How do you like pptpd? Any hiccups? I have been thinking about changing from vpn-masq to pptpd on my firewalls. If you're still interested in passing the VPN through, here's the deal...

You can't (yet) masq multiple VPNs with iptables. You have to use ipchains and an older kernel. Grab a kernel with vpn-masq support. Example: grab 2.2.17, grab the patches from the HOWTO and apply them. Hint: you need to select yes for "prompt for development and incomplete code/drivers". Once that is selected you can select the VPN masq stuff under Networking options. Build, install, reboot with the new kernel. Test away.

If you need any help or a better explanation let me know..

-d
 