Topic: VPN through firewall

[SMESA]

Hi guys,

I'm using SME6 for my own fileserver and the rest of the network's firewall.In this network there is a W2k3 server setup as a VPN server.How do I forward all VPN(pptp) traffic to this server? I'm already forwarding port 1723 on tcp/udp to the server's address under "Security-Port Forwarding". Anything else I can look at?

Thanks

[SMESA]

Ok,

I found a script in the forums http://forums.contribs.org/index.php?topic=24078.0
here it is:

vpnserver="192.168.11.4"
RED_DEV="ppp0"
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst $vpnserver -j ACCEPT
/sbin/iptables -I FORWARD -j pptp
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i $RED_DEV -p tcp --dport 1723 -j DNAT --to vpnserver:1723
/sbin/iptables -t nat -A pptp -i $RED_DEV -p 47 -j DNAT --to $vpnserver
/sbin/iptables -t nat -A PREROUTING -j pptp

When I run it though I get this error:
iptables v1.2.5: Bad IP address vpnserver'

I replaced above ip address with my vpn server address.
Any ideas?

[SMESA]

Ooops!!

Incorrect syntax in

sbin/iptables -t nat -A pptp -i $RED_DEV -p tcp --dport 1723 -j DNAT --to vpnserver:1723

should be $vpnserver !!

[funkusmunkus]

hi,

did that solve it ??? if not this is how I got it working:
I made a file called 55AllowGREpass
and the content of it was this code

Code: [Select]


vpnserver="192.168.0.99"
RED_DEV="ppp0"
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst $vpnserver -j ACCEPT
/sbin/iptables -I FORWARD -j pptp
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i $RED_DEV -p tcp --dport 1723 -j DNAT --to 192.168.0.99:1723
/sbin/iptables -t nat -A pptp -i $RED_DEV -p 47 -j DNAT --to $vpnserver
/sbin/iptables -t nat -A PREROUTING -j pptp
(note 192.168.0.99 is the windows sbs 2003)
(note I used 192.168.0.99 twice)

and placed the 55AllowGREpass in etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
and I expand the template
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
and restart masq
/etc/init.d/masq restart

and that should solve it.

hope that helps

[SMESA]

Thanks for the reply funkusmunkus!

When I expanded the template, it added the chain to the end of the "masq" script.I moved it to the body of the script, but I still can't get to my w2k3VPNbox.

here is the output of iptables -L

Code: [Select]


[root@hulk root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
state_chk  all  --  anywhere             anywhere
local_chk  all  --  anywhere             anywhere
PPPconn    all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
InboundICMP  icmp --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere
InboundTCP  tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
denylog    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
InboundUDP  udp  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc
gre-in     gre  --  anywhere             anywhere
denylog    gre  --  anywhere             anywhere
denylog    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
pptp       all  --  anywhere             anywhere
state_chk  all  --  anywhere             anywhere
local_chk  all  --  anywhere             anywhere
ForwardedTCP  tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
ForwardedUDP  udp  --  anywhere             anywhere
denylog    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PPPconn    all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
OutboundICMP  icmp --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain ForwardedTCP (1 references)
target     prot opt source               destination
ForwardedTCP_4414  all  --  anywhere             anywhere
denylog    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_4414 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             nova.rts.net       tcp dpt:5500
ACCEPT     tcp  --  anywhere             nova.rts.net       tcp dpt:5800
ACCEPT     tcp  --  anywhere             nova.rts.net       tcp dpt:5900
ACCEPT     tcp  --  anywhere             nova.rts.net       tcp dpt:1723

Chain ForwardedUDP (1 references)
target     prot opt source               destination
ForwardedUDP_4414  all  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere

Chain ForwardedUDP_4414 (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             nova.rts.net       udp dpt:5500
ACCEPT     udp  --  anywhere             nova.rts.net       udp dpt:5800
ACCEPT     udp  --  anywhere             nova.rts.net       udp dpt:5900
ACCEPT     udp  --  anywhere             nova.rts.net       udp dpt:1723

Chain InboundICMP (1 references)
target     prot opt source               destination
InboundICMP_4414  all  --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere

Chain InboundICMP_4414 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere           icmp source-quench
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere           icmp parameter-problem
denylog    all  --  anywhere             anywhere

Chain InboundTCP (1 references)
target     prot opt source               destination
InboundTCP_4414  all  --  anywhere             anywhere
denylog    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN

Chain InboundTCP_4414 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !192.168.0.1
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
denylog    tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
denylog    tcp  --  anywhere             anywhere           tcp dpt:imap2
denylog    tcp  --  anywhere             anywhere           tcp dpt:ldap
denylog    tcp  --  anywhere             anywhere           tcp dpt:pop3
denylog    tcp  --  anywhere             anywhere           tcp dpt:1723
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
denylog    tcp  --  anywhere             anywhere           tcp dpt:ssh
denylog    tcp  --  anywhere             anywhere           tcp dpt:telnet

Chain InboundUDP (1 references)
target     prot opt source               destination
InboundUDP_4414  all  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere

Chain InboundUDP_4414 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !192.168.0.1

Chain OutboundICMP (1 references)
target     prot opt source               destination
OutboundICMP_4414  all  --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere

Chain OutboundICMP_4414 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere           icmp source-quench
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere           icmp parameter-problem
denylog    all  --  anywhere             anywhere

Chain PPPconn (2 references)
target     prot opt source               destination
PPPconn_1  all  --  anywhere             anywhere

Chain PPPconn_1 (1 references)
target     prot opt source               destination

Chain denylog (26 references)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere           udp dpt:route
DROP       udp  --  anywhere             anywhere           udp dpts:netbios-ns:netbios-ssn
DROP       tcp  --  anywhere             anywhere           tcp dpts:netbios-ns:netbios-ssn
LOG        all  --  anywhere             anywhere           LOG level warning prefix denylog:'
DROP       all  --  anywhere             anywhere

Chain gre-in (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !192.168.0.1
denylog    all  --  anywhere             anywhere

Chain local_chk (2 references)
target     prot opt source               destination
local_chk_4414  all  --  anywhere             anywhere

Chain local_chk_4414 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.11.0/24      anywhere

Chain pptp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             nova.rts.net       tcp dpt:1723
ACCEPT     gre  --  anywhere             nova.rts.net

Chain state_chk (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED


Does that look like your code is reflected in "Chain pptp"?
Thanks again

[funkusmunkus]

here's my iptable s-L output

Code: [Select]


[root@company /]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere           tcp dpt:squid
DROP       udp  --  anywhere             anywhere           udp dpt:3128
state_chk  all  --  anywhere             anywhere
local_chk  all  --  anywhere             anywhere
PPPconn    all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
InboundICMP  icmp --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere
InboundTCP  tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
denylog    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
InboundUDP  udp  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere
gre-in     gre  --  anywhere             anywhere
denylog    gre  --  anywhere             anywhere
denylog    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
pptp       all  --  anywhere             anywhere
state_chk  all  --  anywhere             anywhere
local_chk  all  --  anywhere             anywhere
ForwardedTCP  tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
ForwardedUDP  udp  --  anywhere             anywhere
denylog    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PPPconn    all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4
OutboundICMP  icmp --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain ForwardedTCP (1 references)
target     prot opt source               destination
ForwardedTCP_15925  all  --  anywhere             anywhere
denylog    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_15925 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.254      tcp dpt:6699
ACCEPT     tcp  --  anywhere             192.168.0.99       tcp dpt:3389
ACCEPT     tcp  --  anywhere             192.168.0.254      tcp dpt:6257
ACCEPT     tcp  --  anywhere             192.168.0.254      tcp dpt:1214

Chain ForwardedUDP (1 references)
target     prot opt source               destination
ForwardedUDP_15925  all  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere

Chain ForwardedUDP_15925 (1 references)
target     prot opt source               destination

Chain InboundICMP (1 references)
target     prot opt source               destination
InboundICMP_15925  all  --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere

Chain InboundICMP_15925 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere           icmp source-quench
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere           icmp parameter-problem
denylog    all  --  anywhere             anywhere

Chain InboundTCP (1 references)
target     prot opt source               destination
InboundTCP_15925  all  --  anywhere             anywhere
denylog    tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN

Chain InboundTCP_15925 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !10.0.0.2
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imap2
denylog    tcp  --  anywhere             anywhere           tcp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:1723
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
denylog    tcp  --  anywhere             anywhere           tcp dpt:telnet

Chain InboundUDP (1 references)
target     prot opt source               destination
InboundUDP_15925  all  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere

Chain InboundUDP_15925 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !10.0.0.2

Chain OutboundICMP (1 references)
target     prot opt source               destination
OutboundICMP_15925  all  --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere

Chain OutboundICMP_15925 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere           icmp source-quench
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere           icmp parameter-problem
denylog    all  --  anywhere             anywhere

Chain PPPconn (2 references)
target     prot opt source               destination
PPPconn_15925  all  --  anywhere             anywhere

Chain PPPconn_15925 (1 references)
target     prot opt source               destination

Chain denylog (20 references)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere           udp dpt:route
DROP       udp  --  anywhere             anywhere           udp dpts:netbios-ns:netbios-ssn
DROP       tcp  --  anywhere             anywhere           tcp dpts:netbios-ns:netbios-ssn
LOG        all  --  anywhere             anywhere           LOG level warning prefix denylog:'
DROP       all  --  anywhere             anywhere

Chain gre-in (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !10.0.0.2
ACCEPT     all  --  anywhere             anywhere

Chain local_chk (2 references)
target     prot opt source               destination
local_chk_15925  all  --  anywhere             anywhere

Chain local_chk_15925 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere

Chain pptp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.99       tcp dpt:1723
ACCEPT     gre  --  anywhere             192.168.0.99

Chain state_chk (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED


[SMESA]

These parts look pretty similar

Code: [Select]


Chain pptp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.99       tcp dpt:1723
ACCEPT     gre  --  anywhere             192.168.0.99

Code: [Select]


Chain pptp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             nova.rts.net       tcp dpt:1723
ACCEPT     gre  --  anywhere             nova.rts.net


But still no joy.Will have to delve a bit further.I know my router is fine because if I enable SME as a VPN server, I can connect to it.When I disable it and try to forward VPN to W2k3 i get VPN error:800 and 678 ... connection issues.So my thinking is I'm not getting pass SME?

[funkusmunkus]

SME 6.0.1 uses pptp not l2tp, it doesn't need GRE to pass through the router only tcp 1723.
So it could be the router that's causing it

[SMESA]

Ok, so this is my setup now.


internet
   |
   |  165.xx.xx.xx
router  
   | 192.168.0.2
   |
   | 192.168.0.1
SME
   | 192.168.11.1
   |
   | 192.168.11.4
VPN Server + Rest of Network

The router is port forwarding 1723 to SME(192.168.0.1) who then forwards it to VPN Server(192.168.11.4).

Is this the right setup, or should port forwarding at the router be pointing to VPN server(192.168.11.4) although it's on the otherside of SME(192.168.0.1) ?

Hope that makes some sort of sense?

[funkusmunkus]

The setup is fine, the only thing is that pptp (which is what SME uses for 6.0.1 doesn't need GRE) however l2tp (which is what win 2003 uses) needs GRE, so I think that your SME is forwarding the GRE requests, but your router isn't, can it forward GRE ?? what brand and modul is the router ??

[CharlieBrady]

The setup is fine, the only thing is that pptp (which is what SME uses for 6.0.1 doesn't need GRE) however l2tp (which is what win 2003 uses) needs GRE, so I think that your SME is forwarding the GRE requests, but your router isn't, can it forward GRE ?? what brand and modul is the router ??

You are incorrect. PPTP does use GRE (and l2tp does not).

[SMESA]

Thanks FunkusMunkus!

It seems that it was the router, could not foward the gre protocol.Had to place firewall in the DMZ of the router, VPN up !

Thanks man, good luck to AUS in the upcoming ODIs.

[funkusmunkus]

You are incorrect. PPTP does use GRE (and l2tp does not).

you are correct.

Damn your nitpickiness Charlie the point is that it was the router