iptables and VPN

DrakonblaydeDrakonblayde Member Posts: 542
Alright, need a little help

For starters, here's my network map

Linksys BEFSR41 (Public IP)
Linksys BEFSR41 (Private IP)
WINTERFELL (Red Hat icon_cool.gif eth0 (Public)
WINTERFELL eth1 (Private)
5-Port Switch
Port 1 - (see above)
Port 2 - AEMON (Win2k Server DC)
Port 3 - 192.168.2.x (DHCP Client) DAENERYS (Win XP Pro)
Port 4 - VALYRIA (802.11g WAP)
192.168.2.x (DHCP Client) TYRION (Win XP Pro, 802.11g Client)

So basically, my linux box with 2 nics is connected to a Linksys router on the first interface and to a switch for my own private subnet on the interface. It's running iptables tightly locked down to provide firewall support and NAT for the machines behind it. AEMON is my 2k domain controller. I've set it up to allow VPN connections, and I can connect to it from any of the clients behind the firewall with no problems. What I need to do is allow VPN sessions from outside the eth0 interface as well as those from outside the BEFSR41 public interface to be able to connect to AEMON. I do have PPTP and IPSec passthru active on the BEFSR41, and I am forwarding port 1723 to With iptables I both forwarded and prerouted traffic for ip protocol 47 (GRE) and port 1723 to AEMON. I can't even get a nibble. The only way I can get AEMON to take an incoming session is to place the eth0 interface in the DMZ and then drop all iptables rules, allowing everything to passthrough and performing no NAT. Obviously I do *not* want this, as it leaves my subnet wide open. I realize it's overkill to have NAT being performed on the linux box seeing as how it's just going to get nat'd again by the linksys router, the only thing this does is hide my computers from the other two computers hooked into the BEFSR41, but even just dropping my NAT rules for iptables doesn't help, and I don't want to leave WINTERFELL in the DMZ under any circumstances. Now, I've been hearing that PPTP doesn't play nice through NAT, but Linksys says the BEFSR41 will allow 1 incoming VPN session, and like I said, I've gotten it to work by opening the system up, so it has to be somewhere at my internal firewall that the VPN session is getting dropped. Anybody have any idea how I can make this work without purchasing new hardware? I haven't tried to make L2TP/IPSec work instead of PPTP, am I barking up the wrong tree with this?

I realize I'm asking for help with a fairly advanced and complex issue. I'm hoping that some of you might have run into a similar situation and were able to work out of it, or maybe some of y'all will know where to point me. At any rate, I'd greatly appreciate any help, it'd be really nice to have access to my home network when I'm not at home.
= Marcus Drakonblayde
==[X]===[X]====[ ]=====[ ]====[ ]==


  • WebmasterWebmaster Admin Posts: 10,292 Admin
    Check out the last alinea of the summary on the following page:

    L2TP/IPSec won't work behind NAT either (unless the device that performs NAT is the end-point), at least not with Windows 2000. You can make it work with Windows 2003 though, although I'm not so sure it will work if it has to pass a NAT device twice...

    For some more info about IPsec behind NAT:
    New features of IPSec

    Doesn't the Linksys router support VPN connections?
  • SartanSartan Inactive Imported Users Posts: 152
    In my experience, PPTP works wonders over NAT... If you have UDP packets configured to make it through that awful corporate firewall.
    IPSec is even more evil with it's port requirements.

    Post your iptables rules please :)

    (I'm going to stand by debugging PPTP... IPSec is a pain in the ass to get working. How about you run cipe on your linux box to host the vlan? or pptpd, it's really easy to config)
    Network Tech student, actively learning Windows 2000, Linux, Cisco, Cabling & Internet Security.
  • SartanSartan Inactive Imported Users Posts: 152
    Network Tech student, actively learning Windows 2000, Linux, Cisco, Cabling & Internet Security.
  • DrakonblaydeDrakonblayde Member Posts: 542
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo Begin Filter
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -j LOG -i eth1 \! -s
    iptables -A INPUT -j DROP -i eth1 \! -s
    iptables -A FORWARD -j DROP -i eth1 \! -s
    iptables -A INPUT -j DROP \! -i eth1 -s
    iptables -A FORWARD -j DROP \! -i eth1 -s
    iptables -A INPUT -j DROP -i \! lo -s
    iptables -A FORWARD -j DROP -i \! lo -s
    iptables -A INPUT -j ACCEPT -i lo
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p \! icmp -j ACCEPT
    iptables -A INPUT -m state --state NEW -i eth0 -j DROP
    iptables -A FORWARD -m state --state NEW -i eth0 -j DROP
    iptables -A INPUT -j ACCEPT -p all -i eth1 -s
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d
    iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d
    iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo End Filter

    Hrm, from the article webmaster posted, 2k itself won't do it, but it's not handling my NAT, just Linux is. I've been googling around for folks who have gotten it to work, but in their cases, they only have a Linux box sitting between the public and private portions of the net instead of having to go through NAT twice like I've got it setup. iptables does have provisions for forwarding GRE, so it theoretically should work...
    = Marcus Drakonblayde
    ==[X]===[X]====[ ]=====[ ]====[ ]==
Sign In or Register to comment.