Gentoo Forums
Linux gateway. How to forward VPN to a Win2kServer behind it
char0x30 (n00b, Joined: 21 Nov 2004, Posts: 16)
PostPosted: Tue Feb 01, 2005 4:05 pm    Post subject: Linux gateway. How to forward VPN to a Win2kServer behind it

The setup:
WAN--Linux Gateway(192.168.0.1)--(192.168.0.2)Linksys Router(192.168.204.4)--(192.168.204.0)LAN

On the LAN is a Windows 2000 Server machine accepting VPN connections.

I know if I can get the appropriate connections passed to the Linksys Router, that it will pass through to the Windows 2000 Server machine.

I already have a few other ports forwarded.

I tried forwarding the appropriate ports:

Code:
iptables -t nat -I PREROUTING -p tcp --dport 1723 -i eth1 -j DNAT --to 192.168.0.2
iptables -t nat -I PREROUTING -p tcp --dport 47 -i eth1 -j DNAT --to 192.168.0.2
iptables -t nat -I PREROUTING -p udp --dport 47 -i eth1 -j DNAT --to 192.168.0.2


When trying to vpn from the outside, I get no response. I can make the VPN connection from the Linux Gateway.

Is there some trick with VPN?


Last edited by char0x30 on Tue Feb 01, 2005 5:57 pm; edited 2 times in total
adaptr (Watchman, Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands)
PostPosted: Tue Feb 01, 2005 4:14 pm

This will do port forwarding, but not routing.
You have to set up a separate route to the 192.168.204 network or else traffic destined for it will be bounced back out to the Internet.

Code:
route add -net 192.168.204.0 eth0

Also - 192.168.204/16 ? No such thing, dude.

EDIT: Oh, and DNAT incoming traffic to the Windows box, of course - not to the Linksys router!
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
char0x30 (n00b, Joined: 21 Nov 2004, Posts: 16)
PostPosted: Tue Feb 01, 2005 5:21 pm

Quote:
Code:
route add -net 192.168.204.0 eth0

Returns:
Code:
SIOCADDRT: Invalid argument


Quote:
Also - 192.168.204/16 ? No such thing, dude.

Oops. 192.168.204.0/8. Fixed in post.

Quote:
EDIT: Oh, and DNAT incoming traffic to the Windows box, of course - not to the Linksys router!

The windows box is behind the Linksys router. I can't see it directly. I have to forward ports on the Linksys.
adaptr (Watchman, Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands)
PostPosted: Tue Feb 01, 2005 5:24 pm

Well... could you post the routing table perhaps ?
Quote:
Oops. 192.168.204.0/8

No - /24.

So the VPN packets essentially get NATted twice ?

What do you need the second router to NAT for ?
The Linux box should already take care of that.
char0x30 (n00b, Joined: 21 Nov 2004, Posts: 16)
PostPosted: Tue Feb 01, 2005 5:35 pm

Quote:
So the VPN packets essentially get NATted twice?

Yes, that's the goal.

Quote:
What do you need the second router to NAT for ?
The Linux box should already take care of that.

We have a network set up with the Linksys out in front. We have a PIX, and wanted to use that to VPN to our offsite servers, but nobody knows how to set up the PIX. So I dropped the Linux Gateway running pptp and some routes in where the PIX should be. Don't want to change the rest of the network.

(Everybody is thrilled with me right now that they don't have to VPN individually, but when they go home this weekend and discover they can't VPN back into the office... maybe they'll hire somebody to set up the PIX.)

Here's the result of iptables --list:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.151.0.0/16        anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.151.0.0/16        anywhere           
ACCEPT     all  --  anywhere             10.151.0.0/16       
DROP       all  --  anywhere             192.168.0.0/16     
ACCEPT     all  --  192.168.0.0/16       anywhere           
ACCEPT     all  --  anywhere             192.168.0.0/16     
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.15.0.0/1


iptables -t nat --list:
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       udp  --  anywhere             anywhere            udp dpt:47 to:192.168.0.2
DNAT       tcp  --  anywhere             anywhere            tcp dpt:47 to:192.168.0.2
DNAT       tcp  --  anywhere             anywhere            tcp dpt:1723 to:192.168.0.2
DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           
MASQUERADE  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


route:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.151.147.17   *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.204.0   *               255.255.255.0   U     0      0        0 eth0
10.151.147.0    *               255.255.255.0   U     0      0        0 ppp0
66.x.x.x        *               255.255.248.0   U     0      0        0 eth1
default         66.x.x.x        0.0.0.0         UG    0      0        0 eth1


Last edited by char0x30 on Tue Feb 01, 2005 5:49 pm; edited 4 times in total
adaptr (Watchman, Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands)
PostPosted: Tue Feb 01, 2005 5:40 pm

Code:
route add -net 192.168.204.0 netmask 255.255.255.0 dev eth0

But the first one should work, too.
char0x30 (n00b, Joined: 21 Nov 2004, Posts: 16)
PostPosted: Tue Feb 01, 2005 5:46 pm

adaptr wrote:
Code:
route add -net 192.168.204.0 netmask 255.255.255.0 dev eth0


I can add the route, but it doesn't do anything. The whole 192.168.204.0 subnet is behind the Linksys. The only 192.168.x.x addresses that the Linux box can see are 192.168.0.1 (itself) and 192.168.0.2 (the Linksys).
char0x30 (n00b, Joined: 21 Nov 2004, Posts: 16)
PostPosted: Wed Feb 09, 2005 9:59 pm

I changed the network setup; hopefully this will be easier to handle:

Internet--Linux Gateway(192.168.204.1)--LAN(192.168.204.0/24)

On the LAN is a Windows 2000 Server machine (192.168.204.10) accepting VPN connections.

I want to connect to the VPN server (192.168.204.10) from the internet. What do I have to do on the gateway?

I think I have to do something with GRE, but I have no idea what.
adaptr (Watchman, Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands)
PostPosted: Wed Feb 09, 2005 10:23 pm

That depends on whether the clients use L2TP or PPTP to connect to the VPN server.
For L2TP you must forward UDP 1701 to the server; for PPTP it is TCP 1723.
But depending on what transport mode etc. is used you may have to make the kernel itself "IPsec-aware" in order to forward the packets without corrupting any encrypted payload.

The whole subject is a bugger ;-)

I found these:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314831

and this is probably a good general overview of the ugly bits behind IPsec:
http://www.tcpipguide.com/free/t_IPSecurityIPSecProtocols.htm
char0x30 (n00b, Joined: 21 Nov 2004, Posts: 16)
PostPosted: Thu Feb 10, 2005 1:05 pm

I'm using PPTP. (The clients are windows boxes.) I have TCP 1723 forwarded, and the clients can hit the VPN server, but not get a reply. I think there is something to do with allowing the GRE protocol to get through.
danj (n00b, Joined: 28 Jan 2005, Posts: 19)
PostPosted: Fri Feb 11, 2005 11:36 am

I've had this problem in the past. Try looking here: http://martybugs.net/smoothwall/vpn.cgi

It would suggest you need something like this:

Code:
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst 192.168.0.2 -j ACCEPT
iptables -A pptp -p 47 --dst 192.168.0.2 -j ACCEPT
iptables -I FORWARD -j pptp
iptables -t nat -N pptp
iptables -t nat -A pptp -i eth1 -p tcp --dport 1723 -j DNAT --to 192.168.0.2
iptables -t nat -A pptp -i eth1 -p 47 -j DNAT --to 192.168.0.2
iptables -t nat -A PREROUTING -j pptp
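The rule set the thread converges on, written out as an added example for the second layout (Linux gateway directly in front of the 192.168.204.0/24 LAN). This is not code from any of the posters or from the linked page. It assumes eth1 is the WAN interface and eth0 the LAN interface (both constructed for the example); 192.168.204.10 is the server address the poster gave. PPTP needs two things passed through: the TCP 1723 control channel and the GRE data channel, which is IP protocol 47 and has no port numbers, so the opening post's `-p tcp --dport 47` and `-p udp --dport 47` rules can never match it. The block also carries a small check that flags exactly that mistake in a rule string, so it can be run over an existing script before applying it.

```shell
#!/bin/sh
# Added example, not from the thread: PPTP pass-through on a Linux NAT gateway.
# PPTP = TCP 1723 (control) + IP protocol 47, GRE (data).  GRE is a protocol,
# not a port, so "-p tcp --dport 47" matches nothing.
#
# Assumptions (constructed): WAN interface eth1, LAN interface eth0.
# 192.168.204.10 is the PPTP server address given in the thread.
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
PPTP_SERVER="${PPTP_SERVER:-192.168.204.10}"

# Print the rule set.  Apply it as root with:  sh pptp-rules.sh print | sh
pptp_forward_rules() {
  cat <<EOF
# Optional: the PPTP conntrack helper ties each GRE call to its TCP 1723
# session (current kernel module names; not mentioned in the thread).
# modprobe nf_conntrack_pptp nf_nat_pptp
# Control channel and GRE data channel are both rewritten to the server.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 1723 -j DNAT --to-destination $PPTP_SERVER
iptables -t nat -A PREROUTING -i $WAN_IF -p 47 -j DNAT --to-destination $PPTP_SERVER
# Only those two flows are allowed in from the WAN, and only to the server.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --dport 1723 -d $PPTP_SERVER -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p 47 -d $PPTP_SERVER -j ACCEPT
# Replies, including the server's own outbound GRE, are let back out.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p 47 -s $PPTP_SERVER -j ACCEPT
# Outbound LAN traffic keeps being masqueraded, as in the poster's setup.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Flag the opening post's mistake: GRE written as a TCP or UDP port.
# Returns 0 when the rule is fine, 1 when it uses --dport 47 with tcp or udp.
check_gre_rule() {
  case "$1" in
    *"-p tcp"*"--dport 47"*|*"-p udp"*"--dport 47"*) return 1 ;;
  esac
  return 0
}

# Number of rules in the generated set that match GRE by protocol
# (expected: the DNAT, the inbound FORWARD and the outbound FORWARD).
count_gre_rules() {
  pptp_forward_rules | grep -c -- '-p 47'
}

# Top-level entry point for interactive use; defining the functions alone
# touches nothing on the system.
if [ "${1:-}" = "print" ]; then
  pptp_forward_rules
fi
```

The FORWARD rules are deliberately narrower than the `ACCEPT all` entries in the poster's listing: only TCP 1723 and GRE, and only towards the one server, are let in from the WAN, which keeps the VPN hole from doubling as a general path into the LAN.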