Koozali.org: home of the SME Server

VPN: GRE forwarding

Philippe Pache

VPN: GRE forwarding
« on: June 25, 2001, 05:44:05 PM »
Hi !

I want to forward protocol 47 and port 1723 to a Linux box in my LAN. How can I achieve this? I looked at the threads talking about this but can't find an answer.

What are the commands with ipchains?

Thanks for your help

Graeme Robinson

Re: VPN: GRE forwarding
« Reply #1 on: June 26, 2001, 02:52:33 AM »
Look at the HOWTOs for port forwarding - your answer is there. Although what is 'protocol 47'? I assume you mean port 47.

Philippe Pache

Re: VPN: GRE forwarding
« Reply #2 on: June 26, 2001, 10:46:35 AM »
I really mean protocol 47. I tried ipmasqadm to forward port 1723, but I cannot achieve it with protocol 47.

Ritchie Logan

Re: VPN: GRE forwarding
« Reply #3 on: June 26, 2001, 04:46:18 PM »
Looks like you're trying to connect to a PPTP VPN server through your linux box.

I managed to get my IPSec client to connect through e-smith by doctoring the IPCHAINS setup. Here's a link to the instructions I know work for IPSec.

http://forums.contribs.org/index.php?topic=1855.msg6169#msg6169

IPSec uses UDP port 500 and protocol 50. Try changing the IPCHAINS lines for your PPTP pass-through requirements.

Let me know if it works.

Cheers

Ritchie

Ritchie Logan

Re: VPN: GRE forwarding
« Reply #4 on: June 26, 2001, 04:58:18 PM »
ahhh... I had a look at the PPTP files on my box..... I think there's a mistake in the default IPCHAINS setups. I compared them to the IPCHAINS lines I use for IPSec and found a difference.

Follow the instructions in the link above up to the point where you edit 45AllowIPSecMasq.

Instead, edit 45AllowPPTP.

Change the line:
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 1723 -j ACCEPT

to

/sbin/ipchains --append input -p tcp -s 0/0 1723 -d $OUTERNET 1723 -j ACCEPT

This may have been stopping your packets getting passed through.

Let me know if this works.

Cheers

Ritchie

Philippe Pache

Re: VPN: GRE forwarding
« Reply #5 on: June 27, 2001, 06:17:40 PM »
Hi Ritchie,

Thanks for your help!! I think I have one problem with my ipchains rules. I will explain a little more about what I want to do.

1 e-smith server extip: 192.168.2.2 intip: 192.168.1.249
1 win2kstation_a ip: 192.168.2.6
1 win2kstation_b ip: 192.168.1.41

win2kstation_a<---->e-smith-box<----->win2kstation_b

I am trying to connect a PPTP client from win2kstation_a to a PPTP Win2k server, which is actually win2kstation_b.

I managed to receive TCP 1723 packets on my win2kstation_b, but I cannot do it for GRE.

Here is my config file for protocol 47:

/sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT -l -i eth1
/sbin/ipchains --append output -p 47 -d 0/0 -s $OUTERNET -j ACCEPT -l -i eth1

I also have ipfws --masq 192.168.1.41 47

What's wrong with my ipchains?

Thanks for your help

Philippe

Ritchie Logan

Re: VPN: GRE forwarding
« Reply #6 on: June 28, 2001, 01:53:12 AM »
Looking at your setup, I think you are connecting in the reverse direction from myself: your VPN client is OUTSIDE your e-smith box, and your VPN server is INSIDE.

This is exactly the reverse of my situation. I think I'm getting to the limits of my ipchains knowledge without doing any further reading up on the HOWTO (I stopped after I got my VPN working OK!)

Here are both the ipchains lines I use to ensure my VPN client INSIDE my lan can receive IPSec packets from OUTSIDE.

/sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains --append input -p udp -s 0/0 500 -d $OUTERNET 500 -j ACCEPT

I don't see why these should not work for PPTP, so substitute the PPTP protocol 47 and TCP 1723:
/sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT
/sbin/ipchains --append input -p tcp -s 0/0 1723 -d $OUTERNET 1723 -j ACCEPT

You probably want to remove the "-l -i eth1" from the end of your statement.... -I is in conflict with the "--append" at the beginning, and you should not need to specify the interface - omitting the "-i eth1" means that all packets will be forwarded from any interface (this may be your problem).

Cheers

Ritchie
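The thread turns on the difference between "port 47" and "protocol 47": the PPTP control connection is TCP on port 1723, which a port-based forwarder such as ipmasqadm can redirect, while the tunnelled data is GRE (IP protocol 47), which has no port at all and is only distinguishable by its protocol number and the Call ID in the enhanced GRE header. The following is an added example, not code from the thread or from e-smith, that dissects constructed packets for both halves of a PPTP session (addresses are the ones Philippe gave; the header builder and sample packets are constructed):

```python
import struct

PPTP_CONTROL_PORT = 1723   # TCP port of the PPTP control connection
IPPROTO_TCP = 6
IPPROTO_GRE = 47           # "protocol 47" is an IP protocol number, not a port
GRE_PPP_PROTOCOL = 0x880B  # PPP carried inside enhanced GRE (RFC 2637)

def ipv4(proto, src, dst, payload):
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def classify(packet):
    """Return the fields a packet filter or port forwarder could match on."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"proto": proto,
            "src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20]))}
    payload = packet[ihl:]
    if proto == IPPROTO_TCP:
        # TCP has ports: this is what a port forwarder can redirect
        sport, dport = struct.unpack("!HH", payload[:4])
        kind = "pptp-control" if dport == PPTP_CONTROL_PORT else "tcp"
        info.update(sport=sport, dport=dport, kind=kind)
    elif proto == IPPROTO_GRE:
        # GRE has no ports; a PPTP data packet is identified only by the
        # protocol number and by the Call ID in the enhanced GRE key field
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        key_present = bool(flags_ver & 0x2000)
        version = flags_ver & 0x7
        if ptype == GRE_PPP_PROTOCOL and version == 1 and key_present:
            _, call_id = struct.unpack("!HH", payload[4:8])
            info.update(kind="pptp-data", call_id=call_id)
        else:
            info["kind"] = "gre"
    else:
        info["kind"] = "other"
    return info

# Constructed samples: client 192.168.2.6 sending to the e-smith outer address
# 192.168.2.2, which has to pass them on to the inside PPTP server 192.168.1.41
CONTROL = ipv4(IPPROTO_TCP, "192.168.2.6", "192.168.2.2",
               struct.pack("!HH", 3000, PPTP_CONTROL_PORT) + bytes(16))
DATA = ipv4(IPPROTO_GRE, "192.168.2.6", "192.168.2.2",
            struct.pack("!HHHH", 0x2001, GRE_PPP_PROTOCOL, 0, 7))  # K=1, ver 1, Call ID 7
```

A rule such as `-p 47` matches on the protocol number alone, so the GRE leg can only be accepted or masqueraded as a whole, which is why forwarding port 1723 on its own leaves the tunnel half working.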