Old 06-24-2002, 04:54 PM   #1
achyuth
LQ Newbie
 
Registered: Jun 2002
Posts: 2

Rep: Reputation: 0
Configuring VPN behind a Linux firewall


I have a VPN set up on a Windows 2000 server. The network is a private network behind a Linux firewall. I have to configure the firewall in such a way that it forwards all the packets destined for the VPN server to the VPN server. Does anyone of you have experience doing this?

Thanks
 
Old 10-22-2003, 01:52 AM   #2
netguy2000
Member
 
Registered: Oct 2003
Location: Karachi, PAKISTAN
Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare
Posts: 115

Rep: Reputation: 15

Hi, this is Rizwan from Karachi, Pakistan. I am also trying to do this: I have a Win 2000 VPN server behind a Linux 8 router/firewall, and cannot access it from the internet (but I can access it from my local LAN). If you or anyone has some idea about this then please inform me. Thanks a lot.

Rizwan.
 
Old 10-22-2003, 08:44 PM   #3
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Rep: Reputation: 0
Well guys,

First thing I want to know: which firewall package are you using? If you are using iptables, then it can be done by forwarding the ports to the IP of the VPN server on the external interface for incoming requests...
The Input chain should be used here.
 
Old 10-23-2003, 12:38 AM   #4
netguy2000
Member
 
Registered: Oct 2003
Location: Karachi, PAKISTAN
Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare
Posts: 115

Rep: Reputation: 15
WIN 2000 VPN server behind linux firewall

Thanks for the reply riaz2000,
I am using iptables for this and use this command in PREROUTING:

iptables -I PREROUTING -t nat -p tcp -d (sourceIP) --destination-port 1723 -j DNAT --to-destination (destinationIP)


and also use this in POSTROUTING:

iptables -I POSTROUTING -t nat -s (sourceIP/32) -d ! (destinationIP/24) -j SNAT --to-source (2nd sourceIP)

but nothing works and the client from the internet is not receiving any response from the VPN server. Please help me.

Rizwan.
 
Old 10-24-2003, 11:20 PM   #5
riaz2000
LQ Newbie
 
Registered: Oct 2003
Location: Canada
Distribution: Debian
Posts: 11

Rep: Reputation: 0
Check out the IP of the VPN, and did you ping the IP of the firewall from your VPN? Give me some details about your IP and ports, and your iptables rules.
 
Old 10-26-2003, 11:22 PM   #6
GJB
LQ Newbie
 
Registered: Oct 2003
Distribution: RedHat 6-9 Gentoo Slackware 9.1
Posts: 26

Rep: Reputation: 15
These are the rules I use for a forward from my Linux firewall to my Exchange server; I guess all you have to do is change the dport.

iptables -A INPUT -p tcp -i $ext_if -d $ext_ip --dport 25 -s $mailservers -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s $mailservers -d $ext_ip --dport 25 -j DNAT --to $masq_machine_ip:25
iptables -A FORWARD -p tcp -i $ext_if -o $local_if -d $masq_machine_ip --dport 25 -m state --state NEW -j ACCEPT

$ext_if is the ethernet card connected to the internet
$ext_ip is the external IP
$local_if is the ethernet card connected to my internal network
$mailservers is the IP range of my bsmtp incoming servers
$masq_machine_ip is the Exchange server behind my firewall

Hope this helps ...

GJ
 
Old 11-21-2003, 01:04 AM   #7
netguy2000
Member
 
Registered: Oct 2003
Location: Karachi, PAKISTAN
Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare
Posts: 115

Rep: Reputation: 15
It's still not working. What do I have to do now? Please help me, as I am using these commands. If there is any mistake by me in the iptables FORWARD rules please let me know, and how can I see my FORWARD etc. rules after setting them?
 
Old 11-21-2003, 05:41 AM   #8
GJB
LQ Newbie
 
Registered: Oct 2003
Distribution: RedHat 6-9 Gentoo Slackware 9.1
Posts: 26

Rep: Reputation: 15
You can view your current iptables rules with iptables -L
If you have many rules it's easier to pipe them to a file with something like iptables -L >firewall; this way a file called firewall is created and you can view all your current active rules.

GJB
 
Old 12-02-2003, 01:36 AM   #9
netguy2000
Member
 
Registered: Oct 2003
Location: Karachi, PAKISTAN
Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare
Posts: 115

Rep: Reputation: 15
iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 25 -j DNAT --to-destination 192.168.1.3:25
iptables -I PREROUTING -t nat -p udp -d 10.10.10.10 --destination-port 25 -j DNAT --to-destination 192.168.1.3:25
iptables -I PREROUTING -t nat -p udp -d 10.10.10.10 --destination-port 110 -j DNAT --to-destination 192.168.1.3:110
iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 110 -j DNAT --to-destination 192.168.1.3:110
iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 21 -j DNAT --to-destination 192.168.1.8:21

I also use PREROUTING for port 1723 but no hope; the command is below:

iptables -I PREROUTING -t nat -p tcp -d 10.10.10.10 --destination-port 1723 -j DNAT --to-destination 192.168.1.45:1723

I forward & accept port 1723 but nothing happens. Please help me.
Please give me the right command lines to accept/forward/input for the gateway machine (Red Hat 8) so my VPN server accepts connections through the internet.
 
Old 12-02-2003, 02:16 AM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You need to allow all GRE traffic. It's protocol 47. You can't just use port rules because GRE encapsulates IP, so normal IP port rules are worthless.
 
Old 12-02-2003, 02:21 AM   #11
netguy2000
Member
 
Registered: Oct 2003
Location: Karachi, PAKISTAN
Distribution: Redhat, Fedora, Open BSD, FreeBSD, SlackWare
Posts: 115

Rep: Reputation: 15
How??
 
Old 12-02-2003, 02:46 AM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
-p gre or something, I guess... I dunno, I never stuck with iptables long enough to figure that out. Not that it helps, but in pf it looks like this:

pass in on $INET proto gre all
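The iptables counterpart of that pf rule, put together with the TCP 1723 DNAT from the earlier posts, as an added example that is not from any poster in this thread. Interface and address names are arguments (the sample addresses in the usage comment are constructed), and setting IPT=echo prints the rules instead of applying them so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. Builds the iptables rules
# that let PPTP (TCP 1723 control channel + GRE data channel, IP protocol 47)
# reach a Windows VPN server that sits behind a Linux NAT firewall.
# ext_if/ext_ip/int_if/vpn_ip are placeholders passed as arguments.
# Set IPT=echo to print the rules instead of applying them.

pptp_forward_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; vpn_ip=$4
    ipt=${IPT:-iptables}

    # Let replies of already accepted connections through in both directions.
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Control channel: TCP 1723 arriving on the public address is rewritten
    # to the VPN server's private address, then allowed to be forwarded.
    $ipt -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" --dport 1723 \
        -j DNAT --to-destination "$vpn_ip:1723"
    $ipt -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$vpn_ip" --dport 1723 \
        -m state --state NEW -j ACCEPT

    # Data channel: GRE carries no port numbers, so a --dport rule can never
    # match it; match on the protocol alone and forward it both ways.
    $ipt -t nat -A PREROUTING -i "$ext_if" -p gre -d "$ext_ip" \
        -j DNAT --to-destination "$vpn_ip"
    $ipt -A FORWARD -i "$ext_if" -o "$int_if" -p gre -d "$vpn_ip" -j ACCEPT
    $ipt -A FORWARD -i "$int_if" -o "$ext_if" -p gre -s "$vpn_ip" -j ACCEPT

    # Packets the VPN server sends back out must carry the public address.
    $ipt -t nat -A POSTROUTING -o "$ext_if" -s "$vpn_ip" -j SNAT --to-source "$ext_ip"
}

# Self-check: how many of the generated rules match GRE (3 for the set above).
gre_rule_count() {
    IPT=echo pptp_forward_rules "$@" | grep -c -- '-p gre'
}

# Usage (addresses are constructed sample values):
#   sysctl -w net.ipv4.ip_forward=1      # the gateway must route at all
#   pptp_forward_rules eth0 203.0.113.10 eth1 192.168.1.45
```

Loading the kernel's PPTP connection-tracking helper (nf_conntrack_pptp and nf_nat_pptp on current kernels) lets conntrack tie each GRE call to its TCP 1723 session; without it the explicit GRE rules above are what carry the tunnel.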
 
Old 12-02-2003, 09:17 PM   #13
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
One thing to check in your rules is that the ORDER is correct... make sure that these packets are not relevant to any rules before you try to forward them.

Also remember you must open the ports to the internet too,
eg $iptables -A INPUT -i $OUTSIDE -s 0/0 -d $vpn -p tcp --dport 1723 -j ACCEPT

HOWEVER

I was under the impression that a VPN must be external??
When passing through the firewall the packets get changed, which will then mean they are not certified to access the VPN?? I think it has something to do with the NAT etc.

I could be wrong of course... I don't know much about VPNs though, so yeah :P Try the above first.

Last edited by chrisfirestar; 12-02-2003 at 09:24 PM.
 
Old 12-03-2003, 01:17 AM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Depends what VPN software you're using. I've used both Nortel IPSec and Microsoft PPTP from behind a NAT (not even static NAT) and it worked fine. The only thing I had to do was make sure GRE was open.

Other things, like FreeS/WAN, are very picky about NAT. Also you need 500/UDP open if the remote side is going to start the handshake. Actually, this brings up a good point... Which side is initiating the VPN? If your side is receiving the connection attempt then you do need a global, non-NAT'd IP and you do need 500/UDP open, I'm fairly sure.
 
Old 12-03-2003, 01:39 AM   #15
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Yes, this sounds more like it... so if someone is connecting TO YOU then it must be global. Okay, thanks.

My thing for the day I've learnt, aye.
 