Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: SMESA on January 11, 2006, 08:25:05 AM
-
Hi guys,
I'm using SME6 as my own fileserver and as the firewall for the rest of the network. In this network there is a W2k3 server set up as a VPN server. How do I forward all VPN (pptp) traffic to this server? I'm already forwarding port 1723 on tcp/udp to the server's address under "Security - Port Forwarding". Anything else I can look at?
Thanks
-
Ok,
I found a script in the forums http://forums.contribs.org/index.php?topic=24078.0
here it is:
vpnserver="192.168.11.4"
RED_DEV="ppp0"
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst $vpnserver -j ACCEPT
/sbin/iptables -I FORWARD -j pptp
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i $RED_DEV -p tcp --dport 1723 -j DNAT --to vpnserver:1723
/sbin/iptables -t nat -A pptp -i $RED_DEV -p 47 -j DNAT --to $vpnserver
/sbin/iptables -t nat -A PREROUTING -j pptp
When I run it though I get this error:
iptables v1.2.5: Bad IP address `vpnserver'
I replaced above ip address with my vpn server address.
Any ideas?
-
Ooops!!
Incorrect syntax in
/sbin/iptables -t nat -A pptp -i $RED_DEV -p tcp --dport 1723 -j DNAT --to vpnserver:1723
should be $vpnserver!!
-
hi,
did that solve it ??? if not this is how I got it working:
I made a file called 55AllowGREpass
and the content of it was this code
# internal PPTP server (the Windows SBS 2003 box) and the external (red) interface
vpnserver="192.168.0.99"
RED_DEV="ppp0"
# filter table: accept forwarded PPTP control (tcp/1723) and GRE (IP protocol 47) to the VPN server
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst $vpnserver -j ACCEPT
# -I puts the jump at the top of FORWARD, ahead of SME's denylog catch-all
/sbin/iptables -I FORWARD -j pptp
# nat table: rewrite tcp/1723 and GRE arriving on the red interface to the VPN server
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i $RED_DEV -p tcp --dport 1723 -j DNAT --to 192.168.0.99:1723
/sbin/iptables -t nat -A pptp -i $RED_DEV -p 47 -j DNAT --to $vpnserver
/sbin/iptables -t nat -A PREROUTING -j pptp
(note 192.168.0.99 is the windows sbs 2003)
(note I used 192.168.0.99 twice)
and placed the 55AllowGREpass in /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
and I expand the template
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
and restart masq
/etc/init.d/masq restart
and that should solve it.
hope that helps
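Added example (editor's code, not part of funkusmunkus's post or of SME Server itself): the same 55AllowGREpass fragment written so that the mistake from the earlier post cannot recur. The VPN address is validated before any rule is built, the same variable feeds both DNAT rules, and with IPTABLES=echo the fragment prints the eight rules instead of installing them, so the file can be dry-run before expand-template and a masq restart. It assumes the SME 6 environment of the thread (iptables 1.2.x, red interface ppp0) and uses the long --to-destination spelling; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not the script from the post above: a self-checking version
# of the 55AllowGREpass fragment for an SME 6 box (iptables 1.2.x, 2.4 kernel).
# IPTABLES defaults to /sbin/iptables; set IPTABLES=echo to print the rules
# instead of installing them.
# Note: no curly braces anywhere in this file. A fragment under
# /etc/e-smith/templates-custom is processed by Text::Template, which treats
# { ... } as Perl code to evaluate, so shell forms like $(...) are used instead.
[ -n "$IPTABLES" ] || IPTABLES=/sbin/iptables

# Accept only a dotted-quad IPv4 address with every octet in 0..255. An
# unexpanded variable name such as "vpnserver" fails here, instead of
# reaching iptables and producing "Bad IP address".
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    for _o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Install (or, with IPTABLES=echo, print) the filter and nat rules that let
# the PPTP control connection (tcp/1723) and GRE (IP protocol 47) reach the
# internal VPN server.
#   $1  VPN server address, e.g. 192.168.0.99
#   $2  external (red) interface, e.g. ppp0
pptp_rules() {
    vpnserver="$1"
    red_dev="$2"
    if ! valid_ipv4 "$vpnserver"; then
        echo "pptp_rules: '$vpnserver' is not an IPv4 address" >&2
        return 1
    fi
    if [ -z "$red_dev" ]; then
        echo "pptp_rules: red interface not given" >&2
        return 1
    fi

    # filter table: own chain, inserted (-I) at the top of FORWARD so it is
    # consulted before SME's denylog catch-all at the end of the chain.
    "$IPTABLES" -N pptp
    "$IPTABLES" -A pptp -p tcp --dport 1723 -d "$vpnserver" -j ACCEPT
    "$IPTABLES" -A pptp -p 47 -d "$vpnserver" -j ACCEPT
    "$IPTABLES" -I FORWARD -j pptp

    # nat table: rewrite the destination of tcp/1723 and GRE arriving on the
    # red interface. The same variable is used in both rules; a literal
    # address in one of them is how the two copies drift apart.
    "$IPTABLES" -t nat -N pptp
    "$IPTABLES" -t nat -A pptp -i "$red_dev" -p tcp --dport 1723 \
        -j DNAT --to-destination "$vpnserver:1723"
    "$IPTABLES" -t nat -A pptp -i "$red_dev" -p 47 \
        -j DNAT --to-destination "$vpnserver"
    "$IPTABLES" -t nat -A PREROUTING -j pptp
}

# Dry-run check: 0 only if pptp_rules accepts the arguments, emits all eight
# rules, and none of them still carries an unexpanded "$..." or "vpnserver".
check_rules_expanded() {
    _out=$( IPTABLES=echo; pptp_rules "$1" "$2" 2>/dev/null ) || return 1
    printf '%s\n' "$_out" | grep -Eq '\$|vpnserver' && return 1
    [ "$(printf '%s\n' "$_out" | grep -c .)" -eq 8 ]
}

# In the real fragment the last line is the call with the site's values, e.g.
#   pptp_rules 192.168.0.99 ppp0
# and the file is dry-run first with:  IPTABLES=echo sh 55AllowGREpass
```

After the dry run looks right, the file goes into the templates-custom directory as in the post, followed by expand-template and a masq restart; the filter table can then be compared against the rule list with iptables -L -n.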
-
Thanks for the reply funkusmunkus!
When I expanded the template, it added the chain to the end of the "masq" script. I moved it to the body of the script, but I still can't get to my W2k3 VPN box.
here is the output of iptables -L
[root@hulk root]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
pptp all -- anywhere anywhere
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_4414 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain ForwardedTCP_4414 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere nova.rts.net tcp dpt:5500
ACCEPT tcp -- anywhere nova.rts.net tcp dpt:5800
ACCEPT tcp -- anywhere nova.rts.net tcp dpt:5900
ACCEPT tcp -- anywhere nova.rts.net tcp dpt:1723
Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_4414 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain ForwardedUDP_4414 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere nova.rts.net udp dpt:5500
ACCEPT udp -- anywhere nova.rts.net udp dpt:5800
ACCEPT udp -- anywhere nova.rts.net udp dpt:5900
ACCEPT udp -- anywhere nova.rts.net udp dpt:1723
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_4414 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain InboundICMP_4414 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_4414 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain InboundTCP_4414 (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.0.1
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
denylog tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
denylog tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:ldap
denylog tcp -- anywhere anywhere tcp dpt:pop3
denylog tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
denylog tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:telnet
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_4414 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain InboundUDP_4414 (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.0.1
Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_4414 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain OutboundICMP_4414 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain PPPconn (2 references)
target prot opt source destination
PPPconn_1 all -- anywhere anywhere
Chain PPPconn_1 (1 references)
target prot opt source destination
Chain denylog (26 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
LOG all -- anywhere anywhere LOG level warning prefix `denylog:'
DROP all -- anywhere anywhere
Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.0.1
denylog all -- anywhere anywhere
Chain local_chk (2 references)
target prot opt source destination
local_chk_4414 all -- anywhere anywhere
Chain local_chk_4414 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.11.0/24 anywhere
Chain pptp (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere nova.rts.net tcp dpt:1723
ACCEPT gre -- anywhere nova.rts.net
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Does that look like your code is reflected in "Chain pptp"?
Thanks again
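Added example (editor's code, not from either poster): rather than comparing two long iptables -L dumps by eye, the two conditions the forward actually depends on can be checked mechanically. The first is that FORWARD jumps to the pptp chain before its denylog catch-all (an -A instead of -I leaves the jump dead behind denylog); the second is that the pptp chain accepts tcp/1723 and GRE to the VPN server. The sample dumps below are constructed, trimmed from the ones posted above; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check an `iptables -L` dump of the
# filter table for the two things the PPTP forward depends on. Capture the
# dump with `iptables -L -n > /tmp/filter.txt` (-n keeps addresses and ports
# numeric; the dumps above were taken without it, hence nova.rts.net).

# Print the rules of chain $2 from dump $1, without the chain and column headers.
chain_rules() {
    awk -v chain="$2" '
        /^Chain /  { cur = $2; next }
        /^target / { next }
        cur == chain && NF > 0 { print }
    ' "$1"
}

# 0 if FORWARD jumps to pptp before it reaches denylog. An appended (-A)
# jump lands after the catch-all and is never consulted.
forward_jumps_to_pptp_first() {
    chain_rules "$1" FORWARD | awk '
        $1 == "pptp"    && !p { p = NR }
        $1 == "denylog" && !d { d = NR }
        END { exit !(p && (!d || p < d)) }
    '
}

# 0 if chain pptp accepts tcp/1723 and GRE to $2 (the VPN server as it
# appears in the dump: an address with -n, otherwise a resolved name).
# Without -n the protocol column shows "gre", with -n it shows "47".
pptp_chain_ok() {
    chain_rules "$1" pptp | awk -v srv="$2" '
        $1 == "ACCEPT" && $2 == "tcp" && $5 == srv && /dpt:1723/ { t = 1 }
        $1 == "ACCEPT" && ($2 == "gre" || $2 == "47") && $5 == srv { g = 1 }
        END { exit !(t && g) }
    '
}

# Both checks with a one-line verdict each; 0 only if both pass.
check_forward() {
    rc=0
    if forward_jumps_to_pptp_first "$1"; then
        echo "ok   FORWARD consults pptp before denylog"
    else
        echo "FAIL pptp jump missing from FORWARD or placed after denylog"
        rc=1
    fi
    if pptp_chain_ok "$1" "$2"; then
        echo "ok   chain pptp accepts tcp/1723 and GRE to $2"
    else
        echo "FAIL chain pptp lacks the tcp/1723 or GRE accept for $2"
        rc=1
    fi
    return $rc
}

# Constructed sample, trimmed from the dumps posted above: the pptp jump was
# inserted (-I) at the top of FORWARD.
GOOD=$(mktemp "${TMPDIR:-/tmp}/pptpchk.XXXXXX")
cat > "$GOOD" <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
pptp       all  --  anywhere             anywhere
state_chk  all  --  anywhere             anywhere
local_chk  all  --  anywhere             anywhere
ForwardedTCP  tcp  --  anywhere          anywhere            tcp flags:SYN,RST,ACK/SYN
ForwardedUDP  udp  --  anywhere          anywhere
denylog    all  --  anywhere             anywhere

Chain pptp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.99        tcp dpt:1723
ACCEPT     gre  --  anywhere             192.168.0.99
EOF

# Constructed counter-example: same chains, but the jump was appended (-A),
# so it sits behind denylog and is dead.
BAD=$(mktemp "${TMPDIR:-/tmp}/pptpchk.XXXXXX")
cat > "$BAD" <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
state_chk  all  --  anywhere             anywhere
local_chk  all  --  anywhere             anywhere
denylog    all  --  anywhere             anywhere
pptp       all  --  anywhere             anywhere

Chain pptp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.99        tcp dpt:1723
ACCEPT     gre  --  anywhere             192.168.0.99
EOF
trap 'rm -f "$GOOD" "$BAD"' EXIT

check_forward "$GOOD" 192.168.0.99
check_forward "$BAD" 192.168.0.99 || echo "(expected: the appended jump never matches)"
```

This only covers the filter table. The DNAT half lives in the nat table and never appears in iptables -L; it has to be inspected separately with iptables -t nat -L -n, and both dumps in the thread left that part unchecked.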
-
here's my iptables -L output
[root@company /]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:squid
DROP udp -- anywhere anywhere udp dpt:3128
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
gre-in gre -- anywhere anywhere
denylog gre -- anywhere anywhere
denylog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
pptp all -- anywhere anywhere
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
OutboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_15925 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain ForwardedTCP_15925 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.254 tcp dpt:6699
ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:3389
ACCEPT tcp -- anywhere 192.168.0.254 tcp dpt:6257
ACCEPT tcp -- anywhere 192.168.0.254 tcp dpt:1214
Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_15925 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain ForwardedUDP_15925 (1 references)
target prot opt source destination
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_15925 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain InboundICMP_15925 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_15925 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
Chain InboundTCP_15925 (1 references)
target prot opt source destination
denylog all -- anywhere !10.0.0.2
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
denylog tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
denylog tcp -- anywhere anywhere tcp dpt:telnet
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_15925 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain InboundUDP_15925 (1 references)
target prot opt source destination
denylog all -- anywhere !10.0.0.2
Chain OutboundICMP (1 references)
target prot opt source destination
OutboundICMP_15925 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain OutboundICMP_15925 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain PPPconn (2 references)
target prot opt source destination
PPPconn_15925 all -- anywhere anywhere
Chain PPPconn_15925 (1 references)
target prot opt source destination
Chain denylog (20 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
LOG all -- anywhere anywhere LOG level warning prefix `denylog:'
DROP all -- anywhere anywhere
Chain gre-in (1 references)
target prot opt source destination
denylog all -- anywhere !10.0.0.2
ACCEPT all -- anywhere anywhere
Chain local_chk (2 references)
target prot opt source destination
local_chk_15925 all -- anywhere anywhere
Chain local_chk_15925 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
Chain pptp (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:1723
ACCEPT gre -- anywhere 192.168.0.99
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
-
These parts look pretty similar
Chain pptp (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.99 tcp dpt:1723
ACCEPT gre -- anywhere 192.168.0.99
Chain pptp (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere nova.rts.net tcp dpt:1723
ACCEPT gre -- anywhere nova.rts.net
But still no joy. Will have to delve a bit further. I know my router is fine because if I enable SME as a VPN server, I can connect to it. When I disable it and try to forward VPN to W2k3 I get VPN error 800 and 678 ... connection issues. So my thinking is I'm not getting past SME?
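Added example (editor's code, not part of the post above): the quickest way to settle "am I getting past SME?" is to look at what SME itself says it dropped. The denylog chain in both dumps ends in a LOG rule with the prefix denylog:, so every packet the firewall refused is in the kernel log. Counting the dropped tcp/1723 and GRE packets that arrived on the red interface separates three cases: GRE arrives and SME drops it (SME's rules are wrong), the control connection arrives and is dropped (same), or neither ever arrives, in which case the packets are being stopped before they reach SME. The log lines below are constructed in the standard netfilter LOG format; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: read the kernel log lines written by
# SME's denylog chain (its LOG rule uses the prefix "denylog:") and count
# the PPTP-related packets that arrived on the red interface and were
# dropped. Real use:  grep 'denylog:' /var/log/messages | diagnose ppp0
# If the client fails and neither tcp/1723 nor GRE shows up as dropped here,
# the packets never reached SME, which puts the problem on the device in
# front of it.

# Count dropped tcp/1723 and GRE (IP protocol 47) packets that came in on
# interface $1. Prints "tcp1723=<n> gre=<n>". The netfilter LOG target glues
# the prefix to the first field, so the interface arrives as "denylog:IN=ppp0".
dropped_pptp() {
    awk -v dev="$1" '
        !/denylog:/ { next }
        {
            in_dev = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)                                   proto  = substr($i, 7)
                else if ($i ~ /^DPT=/)                                dpt    = substr($i, 5)
                else if ($i !~ /^OUT=/ && (k = index($i, "IN=")))     in_dev = substr($i, k + 3)
            }
            if (in_dev != dev) next
            if (proto == "TCP" && dpt == "1723")      tcp++
            else if (proto == "47" || proto == "GRE") gre++
        }
        END { printf "tcp1723=%d gre=%d\n", tcp, gre }
    '
}

# Turn the counts into the next thing to look at.
diagnose() {
    counts=$(dropped_pptp "$1")
    case "$counts" in
        "tcp1723=0 gre=0")
            echo "$counts: nothing PPTP-related dropped on $1; the traffic is not reaching SME, check whether the upstream router forwards tcp/1723 and GRE" ;;
        tcp1723=0*)
            echo "$counts: GRE reaches $1 but is dropped; the FORWARD/nat rules for protocol 47 are missing or sit after denylog" ;;
        *)
            echo "$counts: tcp/1723 reaches $1 but is dropped; the FORWARD/nat rules for the control connection are not in effect" ;;
    esac
}

# Constructed log lines in netfilter LOG format (not taken from the thread).
# Scenario 1: the router passes GRE, SME drops it (no GRE rule in FORWARD).
GRE_DROPPED=$(cat <<'EOF'
Jan 12 09:10:11 hulk kernel: denylog:IN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.11.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4421 PROTO=47
Jan 12 09:10:12 hulk kernel: denylog:IN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.11.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4422 PROTO=47
Jan 12 09:10:13 hulk kernel: denylog:IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.200 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=777 DF PROTO=TCP SPT=3371 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 12 09:10:14 hulk kernel: denylog:IN=eth0 OUT= SRC=192.168.11.23 DST=192.168.11.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=1025 DPT=1434 LEN=58
EOF
)
# Scenario 2: only unrelated drops; tcp/1723 and GRE never arrive on ppp0,
# which is what a router that does not forward them looks like from SME.
NOTHING_ARRIVES=$(cat <<'EOF'
Jan 12 09:20:01 hulk kernel: denylog:IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.200 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=778 DF PROTO=TCP SPT=3372 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 12 09:20:02 hulk kernel: denylog:IN=eth0 OUT= SRC=192.168.11.23 DST=192.168.11.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=10 PROTO=UDP SPT=1026 DPT=1434 LEN=58
EOF
)
# Scenario 3: the control connection itself is dropped at SME.
CTRL_DROPPED=$(cat <<'EOF'
Jan 12 09:30:01 hulk kernel: denylog:IN=ppp0 OUT= SRC=203.0.113.7 DST=203.0.113.200 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=5001 DF PROTO=TCP SPT=1043 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
)

printf '%s\n' "$GRE_DROPPED" | diagnose ppp0
printf '%s\n' "$NOTHING_ARRIVES" | diagnose ppp0
printf '%s\n' "$CTRL_DROPPED" | diagnose ppp0
```

A packet that matches an ACCEPT in the pptp chain never reaches denylog, so this only sees refusals; a clean log together with a failing client is the signal that the problem is upstream, which is where this thread ended up.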
-
SME 6.0.1 uses pptp, not l2tp; it doesn't need GRE to pass through the router, only tcp 1723.
So it could be the router that's causing it
-
Ok, so this is my setup now.
internet
|
| 165.xx.xx.xx
router
| 192.168.0.2
|
| 192.168.0.1
SME
| 192.168.11.1
|
| 192.168.11.4
VPN Server + Rest of Network
The router is port forwarding 1723 to SME(192.168.0.1) who then forwards it to VPN Server(192.168.11.4).
Is this the right setup, or should port forwarding at the router be pointing to the VPN server (192.168.11.4), although it's on the other side of SME (192.168.0.1)?
Hope that makes some sort of sense?
-
The setup is fine, the only thing is that pptp (which is what SME uses for 6.0.1) doesn't need GRE, however l2tp (which is what win 2003 uses) needs GRE, so I think that your SME is forwarding the GRE requests, but your router isn't. Can it forward GRE?? What brand and model is the router??
-
The setup is fine, the only thing is that pptp (which is what SME uses for 6.0.1) doesn't need GRE, however l2tp (which is what win 2003 uses) needs GRE, so I think that your SME is forwarding the GRE requests, but your router isn't. Can it forward GRE?? What brand and model is the router??
You are incorrect. PPTP does use GRE (and l2tp does not).
-
Thanks FunkusMunkus!
It seems that it was the router; it could not forward the GRE protocol. Had to place the firewall in the DMZ of the router, VPN up!
Thanks man, good luck to AUS in the upcoming ODIs.
-
You are incorrect. PPTP does use GRE (and l2tp does not).
you are correct.
Damn your nitpickiness Charlie ;-) the point is that it was the router