LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 04-10-2003, 02:43 PM   #1
snowdog12
LQ Newbie
 
Registered: Feb 2003
Location: Indiana
Distribution: RH 7.2
Posts: 7

VPN through IPchains firewall


Hello everyone. I'm running an older firewall using a 2.2 kernel and IPchains. I have an end user who is trying to connect to a Win2K server on another network through our firewall via MS's built-in VPN adapter. She is reaching the server and it is challenging her for a password, but it errors out after a minute saying that the server can't be reached. We know it works from other networks, so I'm convinced it's my firewall that is doing it. After much research, I know I need to open up port 1723 and protocols 47 and 6. When I execute the below commands, however, it still doesn't get through. (x.x.x.x is our firewall's external IP)

[root@masq sysconfig]# /sbin/ipchains -I forward -p tcp -d x.x.x.x 1723 -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p tcp -s x.x.x.x 1723 -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p 47 -d x.x.x.x -j ACCEPT
[root@masq sysconfig]# /sbin/ipchains -A forward -p 47 -s x.x.x.x -j ACCEPT

Anyone have any ideas? I've posted over at linuxnewbie, and am not getting much of a response - if I've left out any info please let me know. I'm suspicious that most people don't use ipchains anymore and may not remember how to get around this.
 
Old 04-26-2003, 06:06 PM   #2
Sutekh
Member
 
Registered: Apr 2002
Location: Melbourne, Australia
Distribution: Gentoo
Posts: 273

It has been a while since I used ipchains, but there are a few things I can suggest.

Firstly, with ipchains the packets traverse the INPUT, FORWARD and OUTPUT chains, so it is possible that it is being dropped in another chain. Use ipchains -L -v to view a breakdown of all the chains and see if there are any byte counts next to the chains you are expecting the packets to be using.

Secondly, you can use the LOG target at the end of each chain (INPUT, OUTPUT and FORWARD) to get details of what exactly failed and why. You need to put this LOG line in before the final DROP (or, if your policy is to DROP, then simply as the last line).

Thirdly, you probably won't get the reply coming in on port 1723. Most TCP protocols have a fixed server port (that is, a port that the server listens on for a connection, in this case 1723) and the client generates a semi-random port of its own (it may be 5534 for example, generally a number between 1024 and 65525). So typically in an ipchains environment you had to open up all the ports in that range (1024->65535) to let the client ports back in. That is pretty much why iptables is so good: because you don't have to arbitrarily open all these ports, you can check the state of the packet before accepting it.
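As an added illustration of the second and third points (example code written for this page, not from the thread or from ipchains itself): a small Python model of stateless, first-match rule evaluation over a single chain, run against the packets of a PPTP session. It shows the server's reply from port 1723 to the client's ephemeral port falling through to the DENY policy (and being recorded by a trailing LOG rule) until a rule for the 1024:65535 range is added; the addresses and ports are constructed, and the `syn` flag stands in for ipchains' `-y` / `! -y` test.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    proto: int             # 6 = TCP, 47 = GRE
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False      # TCP SYN without ACK, what ipchains' -y matches
@dataclass
class Rule:
    target: str                      # ACCEPT, DENY or LOG (LOG matches and keeps going)
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[range] = None    # ipchains "-s addr lo:hi"
    dport: Optional[range] = None    # ipchains "-d addr lo:hi"
    syn: Optional[bool] = None       # True = -y, False = ! -y, None = either
    def matches(self, p: Pkt) -> bool:
        return (all(w is None or w == h for w, h in ((self.proto, p.proto),
                    (self.src, p.src), (self.dst, p.dst), (self.syn, p.syn)))
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))

def run_chain(rules, pkts, policy="DENY"):
    verdicts, log = [], []           # first matching ACCEPT/DENY wins; LOG just records
    for p in pkts:
        verdict = policy
        for r in rules:
            if r.matches(p) and r.target == "LOG":
                log.append(f"proto={p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} syn={p.syn}")
            elif r.matches(p):
                verdict = r.target
                break
        verdicts.append(verdict)
    return verdicts, log

CLIENT, SERVER, EPHEMERAL = "192.168.1.10", "203.0.113.5", range(1024, 65536)  # constructed
# The PPTP exchange as the firewall sees it: TCP control connection, then GRE both ways.
PPTP = [Pkt(6, CLIENT, SERVER, 5534, 1723, syn=True),   # client SYN to server port 1723
        Pkt(6, SERVER, CLIENT, 1723, 5534),             # reply lands on the client's ephemeral port
        Pkt(47, CLIENT, SERVER), Pkt(47, SERVER, CLIENT)]
# Only client->server:1723 and GRE are opened; a trailing LOG shows what reaches the policy.
ONE_WAY = [Rule("ACCEPT", 6, dst=SERVER, dport=range(1723, 1724)),
           Rule("ACCEPT", 47, dst=SERVER), Rule("ACCEPT", 47, src=SERVER), Rule("LOG")]
# Let the server's replies back to the whole ephemeral range, but no bare SYNs ("! -y").
TWO_WAY = ONE_WAY[:1] + [Rule("ACCEPT", 6, src=SERVER, sport=range(1723, 1724),
                              dport=EPHEMERAL, syn=False)] + ONE_WAY[1:]
```

Real ipchains evaluates three chains (and masquerading sits between them), so this only models the port and protocol matching within one chain.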