iptables and VPN
Drakonblayde
Member Posts: 542
in Off-Topic
Alright, need a little help
For starters, here's my network map
24.xxx.xxx.xxx
Linksys BEFSR41 (Public IP)
|
192.168.1.1
Linksys BEFSR41 (Private IP)
|
192.168.1.50
WINTERFELL (Red Hat) eth0 (Public)
192.168.2.1
WINTERFELL eth1 (Private)
|
5-Port Switch
Port 1 - 192.168.2.1 (see above)
Port 2 - 192.168.2.7 AEMON (Win2k Server DC)
Port 3 - 192.168.2.x (DHCP Client) DAENERYS (Win XP Pro)
Port 4 - 192.168.2.245 VALYRIA (802.11g WAP)
|
192.168.2.x (DHCP Client) TYRION (Win XP Pro, 802.11g Client)
So basically, my Linux box with 2 NICs is connected to a Linksys router on the first interface and to a switch for my own private subnet on the second interface. It's running iptables tightly locked down to provide firewall support and NAT for the machines behind it. AEMON is my 2k domain controller. I've set it up to allow VPN connections, and I can connect to it from any of the clients behind the firewall with no problems. What I need to do is allow VPN sessions from outside the eth0 interface as well as those from outside the BEFSR41 public interface to be able to connect to AEMON. I do have PPTP and IPSec passthru active on the BEFSR41, and I am forwarding port 1723 to 192.168.1.50. With iptables I both forwarded and prerouted traffic for IP protocol 47 (GRE) and port 1723 to AEMON. I can't even get a nibble. The only way I can get AEMON to take an incoming session is to place the eth0 interface in the DMZ and then drop all iptables rules, allowing everything to pass through and performing no NAT. Obviously I do *not* want this, as it leaves my subnet wide open. I realize it's overkill to have NAT being performed on the Linux box seeing as how it's just going to get NAT'd again by the Linksys router; the only thing this does is hide my computers from the other two computers hooked into the BEFSR41, but even just dropping my NAT rules for iptables doesn't help, and I don't want to leave WINTERFELL in the DMZ under any circumstances. Now, I've been hearing that PPTP doesn't play nice through NAT, but Linksys says the BEFSR41 will allow 1 incoming VPN session, and like I said, I've gotten it to work by opening the system up, so it has to be somewhere at my internal firewall that the VPN session is getting dropped. Anybody have any idea how I can make this work without purchasing new hardware? I haven't tried to make L2TP/IPSec work instead of PPTP; am I barking up the wrong tree with this?
I realize I'm asking for help with a fairly advanced and complex issue. I'm hoping that some of you might have run into a similar situation and were able to work out of it, or maybe some of y'all will know where to point me. At any rate, I'd greatly appreciate any help, it'd be really nice to have access to my home network when I'm not at home.
= Marcus Drakonblayde
================
CCNP-O-Meter:
=[0%]==[25%]==[50%]==[75%]==[100%]
==[X]===[X]====[ ]=====[ ]====[ ]==
=CCNA==BSCI==BCMSN==BCRAN==CIT=
Comments
Webmaster Admin Posts: 10,292
Check out the last paragraph of the summary on the following page:
http://support.microsoft.com/default.aspx?scid=kb;en-us;263925
L2TP/IPSec won't work behind NAT either (unless the device that performs NAT is the end-point), at least not with Windows 2000. You can make it work with Windows 2003 though, although I'm not so sure it will work if it has to pass a NAT device twice...
For some more info about IPsec behind NAT:
New features of IPSec
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043
Doesn't the Linksys router support VPN connections?
Sartan Inactive Imported Users Posts: 152
In my experience, PPTP works wonders over NAT... If you have UDP packets configured to make it through that awful corporate firewall.
IPSec is even more evil with its port requirements.
Post your iptables rules please
(I'm going to stand by debugging PPTP... IPSec is a pain in the ass to get working. How about you run cipe on your linux box to host the vlan? or pptpd, it's really easy to config)
Network Tech student, actively learning Windows 2000, Linux, Cisco, Cabling & Internet Security.
Sartan Inactive Imported Users Posts: 152
s/vlan/vpn/g
Drakonblayde Member Posts: 542
#!/bin/sh
# Firewall/NAT script on WINTERFELL: eth0 = 192.168.1.50 (toward the Linksys),
# eth1 = 192.168.2.1 (private LAN 192.168.2.0/24).
# Stop forwarding while the rules are rebuilt so nothing slips through in between.
echo 0 > /proc/sys/net/ipv4/ip_forward
echo Begin Filter
# Flush the filter chains and set the default policies: nothing in unless allowed.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Anti-spoofing: log and drop anything arriving on the LAN side that is not from 192.168.2.0/24 ...
iptables -A INPUT -i eth1 ! -s 192.168.2.0/24 -j LOG
iptables -A INPUT -i eth1 ! -s 192.168.2.0/24 -j DROP
iptables -A FORWARD -i eth1 ! -s 192.168.2.0/24 -j DROP
# ... and anything claiming a LAN source address that arrives on any other interface.
iptables -A INPUT ! -i eth1 -s 192.168.2.0/24 -j DROP
iptables -A FORWARD ! -i eth1 -s 192.168.2.0/24 -j DROP
# Loopback addresses are only valid on lo.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A FORWARD ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Outside interface: accept non-ICMP replies to connections this box started;
# every NEW connection coming in on eth0 is dropped, both to the box and through it.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 ! -p icmp -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth0 -j DROP
iptables -A FORWARD -m state --state NEW -i eth0 -j DROP
# Trust the private LAN completely.
iptables -A INPUT -i eth1 -s 192.168.2.0/24 -p all -j ACCEPT
# Masquerade everything leaving eth0 behind 192.168.1.50.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# ICMP addressed to this box's own address. Replies and unreachables get here via
# conntrack; an inbound echo-request is NEW and was already dropped above.
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -d 192.168.1.50 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -d 192.168.1.50 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -d 192.168.1.50 -j ACCEPT
# Note: the PREROUTING/FORWARD rules for TCP 1723 and GRE (protocol 47) mentioned in
# the first post are not part of this listing.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo End Filter
Hrm, from the article webmaster posted, 2k itself won't do it, but it's not handling my NAT, just Linux is. I've been googling around for folks who have gotten it to work, but in their cases, they only have a Linux box sitting between the public and private portions of the net instead of having to go through NAT twice like I've got it setup. iptables does have provisions for forwarding GRE, so it theoretically should work...
= Marcus Drakonblayde
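As an added example (not the poster's script and not anything from this thread), here is what the missing PPTP pass-through on a Linux NAT box looks like in iptables: a DNAT for the TCP 1723 control channel and a DNAT for GRE (IP protocol 47), plus FORWARD accepts inserted ahead of any rule that drops NEW traffic from the outside interface, since a DNATed packet still arrives in FORWARD in state NEW on that interface. Interface names and addresses follow the thread (eth0 = 192.168.1.50 toward the Linksys, eth1 toward the LAN, AEMON = 192.168.2.7); the function name, the environment-variable overrides and the conntrack helper module names are this example's own assumptions, and the helper modules are only present on kernels built with PPTP conntrack support.

```shell
#!/bin/sh
# Added example (not the poster's script): the extra iptables rules a Linux NAT
# box needs to hand an inbound PPTP session to a server behind it. Defaults
# follow the thread's addresses; override with environment variables if yours differ.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
EXT_IP=${EXT_IP:-192.168.1.50}
PPTP_SERVER=${PPTP_SERVER:-192.168.2.7}

# Emit the rules as text so they can be reviewed before they are applied
# (pipe the output to sh as root to apply them; see the "apply" mode below).
pptp_forward_rules() {
    cat <<EOF
# PPTP = TCP 1723 control channel + GRE (IP protocol 47) data channel.
# Both must be DNATed to the server; with 1723 alone the session stalls
# right after the TCP handshake because the GRE packets never arrive.
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 1723 -j DNAT --to-destination $PPTP_SERVER
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p 47 -j DNAT --to-destination $PPTP_SERVER
# The FORWARD chain sees the DNATed packet with its new destination but still
# in state NEW and arriving on $EXT_IF, so these ACCEPTs are inserted at the
# top, ahead of any "-m state --state NEW -i $EXT_IF -j DROP" rule.
iptables -I FORWARD 1 -i $EXT_IF -o $INT_IF -d $PPTP_SERVER -p tcp --dport 1723 -j ACCEPT
iptables -I FORWARD 2 -i $EXT_IF -o $INT_IF -d $PPTP_SERVER -p 47 -j ACCEPT
iptables -I FORWARD 3 -i $INT_IF -o $EXT_IF -s $PPTP_SERVER -p 47 -j ACCEPT
# GRE has no port numbers. Without the PPTP conntrack/NAT helper the generic
# tracker keys only on addresses, which is enough for one client at a time;
# load the helper (module names assumed here, they vary by kernel) for more.
modprobe nf_nat_pptp 2>/dev/null || modprobe ip_nat_pptp 2>/dev/null || true
EOF
}

# Number of iptables commands the generator produces; a cheap sanity check.
rule_count() {
    pptp_forward_rules | grep -c '^iptables'
}

case "${1:-}" in
    apply) pptp_forward_rules | sh ;;
    *)     pptp_forward_rules ;;
esac
```

Run it without arguments to print the rules for review, and with `apply` as root to load them. Afterwards `iptables -t nat -L PREROUTING -n` should show the two DNAT entries and `iptables -L FORWARD -n --line-numbers` should show the three ACCEPTs numbered 1 to 3, above the NEW-from-eth0 DROP. The upstream Linksys still has to forward both TCP 1723 and GRE to 192.168.1.50 (its "PPTP passthrough" setting is what makes it forward the GRE leg), otherwise nothing reaches these rules.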