VPN to W2k with PPTP over Linux firewall Problem

 
 
Simon Arnu
Guest
Posts: n/a

 
      08-08-2003, 10:51 AM
Hello,
I'm having problems setting up port forwarding for PPTP on a Linux box to a
W2k VPN server.
I'm running SuSE 7.2 with a 2.4.19 kernel with the PPTP-Masquerade patch
applied.
I managed to connect to my server using its IP, but cannot get port
forwarding to run.
My setup:

Linux Box:
3 NICs:
eth0 172.23.71.99/20 to internal LAN
eth1 192.168.0.23/24 to Router-Subnet
eth2 192.168.10.1/24 to DMZ

W2K:
192.168.10.2/24 in the DMZ

The iptables FORWARD policy is set to "ACCEPT".
I added port forwarding for TCP port 1723 and GRE to the Windows server with:
iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to 192.168.10.2:1723
iptables -A PREROUTING -i eth0 -p 47 -j ACCEPT --to 192.168.10.2
Port forwarding itself works; I tested that by forwarding port 80 to an Apache
server running on the W2K-box.
Accessing the W2K-box with its IP was possible using SNATing traffic on eth2
to the Linux box's IP.
When trying out port forwarding I watched the traffic on eth2 and saw eth2
sending packets to the W2k-box but no responses.

Any Idea?
Thanks, Simon





Michael Hart
Guest
Posts: n/a

 
      08-10-2003, 09:18 AM
"Simon Arnu" <(E-Mail Removed)> wrote in message
news:bgvvdm$s9ofv$(E-Mail Removed)...
> iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to 192.168.10.2:1723
> iptables -A PREROUTING -i eth0 -p 47 -j ACCEPT --to 192.168.10.2


As well as my previous post

Oops - just noticed you have forwarded UDP packets in the first rule. You
need to forward TCP packets.

Also you have used the -D option, when the -A option is used to add rules.

The second rule seems a bit weird as well, because protocol 47 also has to be
forwarded.

Firstly you need to allow the data to access the nat table

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p 47 -j ACCEPT

you need to let data out from the internal network and related data in

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

then you need to forward PPTP on both protocols to your Win2K server

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1723 -j DNAT --to 192.168.10.2
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p 47 -j DNAT --to 192.168.10.2

you also need a way for the server to talk back through the firewall
Masquerade/SNAT

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

or

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

Simon Arnu
Guest
Posts: n/a

 
      08-11-2003, 09:32 AM
Hi,
Like this it works:
#NAT for outgoing Traffic
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.23
#for inbound VPN-Traffic
iptables -A FORWARD -i eth0 -o eth2 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -p 47 -j ACCEPT
#outbound VPN-Traffic
iptables -A FORWARD -i eth2 -o eth0 -p 47 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.10.2
iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.10.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.10.1
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 172.23.71.99

The last line (SNATing the response from the VPN-Server) did the trick.
Thank you for the help
Simon.
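Michael's reply and Simon's working ruleset above boil down to a short checklist for forwarding a two-protocol service like PPTP through a netfilter box: the FORWARD accepts live in the filter table, the DNAT/SNAT rules in the nat table, both the TCP/1723 control channel and GRE (protocol 47) have to be translated, and replies need an ESTABLISHED,RELATED rule. The linter below is an added example, not code from the thread or from either poster; it parses iptables command lines and flags exactly the mistakes Michael pointed out (UDP instead of TCP, -D instead of -A, PREROUTING without -t nat, --to on an ACCEPT target, GRE half missing). It also warns about one thing the thread does not discuss: the unrestricted SNAT rules in the final set rewrite every flow leaving those interfaces, so the W2K server's own logs will only ever show the firewall's address, not the real VPN client. The two rule sets embedded as input are copied from Simon's posts; the check names and severities are my own. A separate point for anyone reading this today: PPTP itself (MS-CHAPv2 authentication and MPPE) has well-known cryptographic weaknesses, so the rule-level lessons are worth more than the protocol.

```python
"""Lint an iptables ruleset for a PPTP port forward (TCP/1723 + GRE).

Added example; not code from the thread. ORIGINAL_RULES and FINAL_RULES are
Simon's two posted rule sets, copied here as constructed input. The checks
encode the mistakes Michael pointed out, plus one caveat: an unrestricted
SNAT hides the real client address from the server behind the firewall.
"""
import shlex

# Simon's first, non-working attempt (constructed from his opening post).
ORIGINAL_RULES = """
iptables -t nat -D PREROUTING -i eth0 -p udp --dport 1723 -j DNAT --to 192.168.10.2:1723
iptables -A PREROUTING -i eth0 -p 47 -j ACCEPT --to 192.168.10.2
"""

# Simon's final, working ruleset (constructed from his follow-up post).
FINAL_RULES = """
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.0.23
iptables -A FORWARD -i eth0 -o eth2 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -p 47 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p 47 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.10.2
iptables -t nat -A PREROUTING -i eth0 -p 47 -j DNAT --to 192.168.10.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.10.1
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 172.23.71.99
"""

NAT_CHAINS = {"PREROUTING", "POSTROUTING"}
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE"}
TO_OPTIONS = ("--to", "--to-destination", "--to-source")
VALUED = {"-t", "-i", "-o", "-p", "-s", "-d", "-j", "-m",
          "--dport", "--sport", "--state", *TO_OPTIONS}


def parse_rule(line):
    """Map one 'iptables ...' command line to {option: value}.
    Only -A/-I/-D rules are understood; anything else returns None."""
    toks = shlex.split(line)
    if len(toks) < 3 or toks[0] != "iptables":
        return None
    rule = {"-t": "filter"}          # iptables defaults to the filter table
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("-A", "-I", "-D") and i + 1 < len(toks):
            rule["cmd"], rule["chain"] = tok, toks[i + 1]
            i += 2
        elif tok in VALUED and i + 1 < len(toks):
            rule[tok] = toks[i + 1]
            i += 2
        else:
            rule[tok] = True         # bare flag such as '!' or '--syn'
            i += 1
    return rule if "chain" in rule else None


def lint(rules_text):
    """Return a list of (severity, message) findings for a ruleset."""
    rules = [r for r in map(parse_rule, rules_text.strip().splitlines()) if r]
    findings = []
    for r in rules:
        where = f"{r['cmd']} {r['chain']}"
        if r["cmd"] == "-D":
            findings.append(("error", f"{where}: -D deletes a rule; use -A or -I to add one"))
        if r["chain"] in NAT_CHAINS and r["-t"] != "nat":
            findings.append(("error", f"{where}: {r['chain']} lives in the nat table; add '-t nat'"))
        if any(k in r for k in TO_OPTIONS) and r.get("-j") not in NAT_TARGETS:
            findings.append(("error", f"{where}: '--to' is only valid with a NAT target, not {r.get('-j')}"))
        if r.get("--dport") == "1723" and r.get("-p") != "tcp":
            findings.append(("error", f"{where}: the PPTP control channel is TCP/1723, not {r.get('-p')}"))
        if r.get("-j") == "SNAT" and not any(k in r for k in ("-s", "-d", "-p")):
            findings.append(("warn", f"{where}: SNAT with no -s/-d/-p match rewrites every flow "
                                     f"leaving {r.get('-o')}; the server's logs lose the real client address"))
    # Cross-rule checks: the forward needs both PPTP halves, and replies need state.
    dnat = [r for r in rules if r.get("-j") == "DNAT"]
    has_ctl = any(r.get("--dport") == "1723" for r in dnat)
    has_gre = any(r.get("-p") in ("47", "gre") for r in dnat)
    if (has_ctl or has_gre) and not (has_ctl and has_gre):
        findings.append(("error", "DNAT must cover both TCP/1723 and GRE (protocol 47); PPTP data rides in GRE"))
    fwd = [r for r in rules if r["chain"] == "FORWARD"]
    if fwd and not any("ESTABLISHED" in str(r.get("--state", "")) for r in fwd):
        findings.append(("warn", "FORWARD has no ESTABLISHED,RELATED rule; reply packets rely on the chain policy"))
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("final", FINAL_RULES)):
        print(f"== {name} ==")
        for severity, msg in lint(text):
            print(f"[{severity}] {msg}")
```

Run as a script it reports five errors for Simon's first attempt and three warnings (the three blanket SNATs) for his final set. The parser is deliberately minimal and only understands -A/-I/-D rules with the options used in this thread; feed it `iptables-save` output and you will want to extend VALUED with whatever match options your rules use.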