
rchristophe 06-24-2005 07:35 PM

iptables questions for a vpn with fc3 workstation
hi there,
I am very new to Linux and just set up my first VPN with an FC3 workstation and the poptop VPN solution. What a great feeling to log in to my system. Here are my iptables questions:
When I flush the iptables (iptables -F)
I can VPN in using pptpd, get an IP address, traverse my network and access the server that I have set up. Once connected I can ping my local resources.

i want to lock this system down so that ONLY IP traffic goes from the client to the local server. Here's the scenario:
vpn client PPTP
connect to VPN server which is connected to Internet and a local netware gear hub
VPN server is connected to netgear hub
A Windows server is connected to the netgear hub

With the default iptables settings it doesn't work. With a flush, it works fine.

Are there any excellent iptables guides available that someone could recommend? Thanks.

- chris.

win32sux 06-25-2005 08:02 AM

welcome to LQ! :)

this is a nice iptables tutorial: http://iptables-tutorial.frozentux.n...-tutorial.html

as for the VPN thing, have you tried searching LQ to see if there's any info here that would help you find the rules you need? you can search LQ using google like this:

BTW, according to this link:

A PPTP VPN server requires TCP port 1723 forwarded to the VPN server, as well as the GRE protocol (protocol 47).
so i did a search for "iptables 47 gre" here at LQ and the first result was:

the last post on that thread seems to sum it all up:

Originally posted by stevesl here
VPN (in the simplified MicroS*ft RRAS 56-bit encryption client sense) is IP protocol # 47 (or GRE) AND IP protocol TCP port 1723.

assume for simplicity: iptables -P FORWARD ACCEPT
echo ">>>--- setup nat VPN"
# GRE (IP protocol 47) carries the tunnelled data; it has no ports, so match on the protocol only
iptables -t nat -A PREROUTING -i <Public-IFace> -p gre -d <VPN-Public-IP> -j DNAT --to-destination <VPN-DMZ-IP>
# TCP 1723 is the PPTP control connection; both must reach the same DMZ host
iptables -t nat -A PREROUTING -i <Public-IFace> -p tcp --sport 1024:65535 -d <VPN-Public-IP> --dport 1723 -j DNAT --to-destination <VPN-DMZ-IP>

anyways, i've never done any VPN so i'm not sure about any of this...

but i saw you hadn't received any replies so i figured i'd help get the ball rolling...

just my :twocents:... good luck...
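The rules quoted above handle the DNAT case where the VPN server sits in a DMZ behind another firewall. The original poster's box is itself the machine on the Internet, so what it needs is an INPUT ruleset that lets PPTP in (TCP 1723 plus GRE) and a FORWARD ruleset that only lets VPN clients reach the one Windows server. The script below is an added example written for this thread, not code from either post or from the poptop project; the interface names (eth0 public, eth1 on the hub), the ppp+ wildcard that pptpd's client interfaces match, and the Windows server address 192.168.1.10 are all assumptions to adjust for your own setup.

```shell
#!/bin/sh
# Added example (not from the thread): deny-by-default iptables ruleset for a
# pptpd server that is also the Internet gateway. VPN clients may reach ONE
# internal Windows server and nothing else.
#
# Assumptions (change to match your box):
#   eth0          public interface on the Internet
#   eth1          LAN interface on the Netgear hub
#   ppp+          wildcard for the pppN interface pptpd creates per client
#   192.168.1.10  the Windows server VPN clients may reach
#   pptpd's remoteip pool is routed back to this host (e.g. proxyarp in pptpd.conf)
#
# Run "sh pptp-fw.sh dry-run" to print the rules, "sh pptp-fw.sh apply" as root
# to load them. IPT=echo turns every iptables call into a print.
IPT="${IPT:-iptables}"
PUB_IF="${PUB_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WIN_SERVER="${WIN_SERVER:-192.168.1.10}"

pptp_firewall() {
    # Clean slate, then default to DROP on anything coming in or being routed.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections this host already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # PPTP control channel: TCP 1723 from the Internet.
    $IPT -A INPUT -i "$PUB_IF" -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    # PPTP data channel: GRE, IP protocol 47. It has no ports, so match the
    # protocol only. Without this rule the login succeeds but no traffic flows.
    $IPT -A INPUT -i "$PUB_IF" -p gre -j ACCEPT

    # A connected client may talk to the VPN server itself (ping, DNS, ...).
    $IPT -A INPUT -i ppp+ -j ACCEPT

    # Routing: replies first, then ONLY ppp client -> Windows server on the LAN.
    # Client to other LAN hosts, client to the Internet through the tunnel, and
    # LAN to client all fall through to the FORWARD DROP policy.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i ppp+ -o "$LAN_IF" -d "$WIN_SERVER" -j ACCEPT
}

# Review helper: dry-run the ruleset and return 0 only if the three rules
# PPTP-with-lockdown depends on are present (TCP 1723, GRE, the single
# client-to-server forward). Useful as a sanity check before "apply".
pptp_rules_present() {
    out=$(IPT=echo pptp_firewall)
    echo "$out" | grep -q -- '-p tcp --dport 1723' || return 1
    echo "$out" | grep -q -- '-p gre' || return 1
    echo "$out" | grep -q -- "-i ppp+ -o $LAN_IF -d $WIN_SERVER -j ACCEPT" || return 1
    return 0
}

case "${1:-}" in
    apply)   pptp_firewall ;;
    dry-run) IPT=echo pptp_firewall ;;
esac
```

The ordering matters: the ESTABLISHED,RELATED rules go first so replies from the Windows server back to the client are accepted without opening a reverse rule, and the FORWARD policy stays DROP so that flushing is no longer the only way to make the tunnel work. To keep the Windows server reachable but block, say, SMB to other hosts, the single -d "$WIN_SERVER" forward rule is the whole whitelist; add one more line per host you want to expose.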
