Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: zaleeu on October 01, 2009, 10:05:41 AM
-
Hi,
I have read several posts about the GRE protocol and the ports that need to be open.
I am still however getting connection errors after trying to connect (Error 721).
I have one static IP address that I use for outside (internet) access (196.213.94.58) and I need the logon information (authentication) to be passed to my Win2k3 server (192.168.2.2).
Below I have posted my iptables. Can anyone please tell me if I have configured something wrong?
[root@sme ~]# iptables -L -n -t filter
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- 0.0.0.0/0 0.0.0.0/0
local_chk all -- 0.0.0.0/0 0.0.0.0/0
PPPconn all -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 224.0.0.0/4 0.0.0.0/0
denylog all -- 0.0.0.0/0 224.0.0.0/4
InboundICMP icmp -- 0.0.0.0/0 0.0.0.0/0
denylog icmp -- 0.0.0.0/0 0.0.0.0/0
InboundTCP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
InboundUDP udp -- 0.0.0.0/0 0.0.0.0/0
denylog udp -- 0.0.0.0/0 0.0.0.0/0
gre-in 47 -- 0.0.0.0/0 0.0.0.0/0
denylog 47 -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
state_chk all -- 0.0.0.0/0 0.0.0.0/0
local_chk all -- 0.0.0.0/0 0.0.0.0/0
ForwardedTCP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
ForwardedUDP udp -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PPPconn all -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 224.0.0.0/4 0.0.0.0/0
denylog all -- 0.0.0.0/0 224.0.0.0/4
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_10488 all -- 0.0.0.0/0 0.0.0.0/0
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain ForwardedTCP_10488 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:135
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:137
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:139
ACCEPT tcp -- 0.0.0.0/0 192.168.2.3 tcp dpt:16527
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:1723
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 192.168.2.3 tcp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:4125
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:50
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:500
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:80
Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_10488 all -- 0.0.0.0/0 0.0.0.0/0
denylog udp -- 0.0.0.0/0 0.0.0.0/0
Chain ForwardedUDP_10488 (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 192.168.2.2 udp dpt:1723
ACCEPT udp -- 0.0.0.0/0 192.168.2.2 udp dpt:500
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_10488 all -- 0.0.0.0/0 0.0.0.0/0
denylog icmp -- 0.0.0.0/0 0.0.0.0/0
Chain InboundICMP_10488 (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_10488 all -- 0.0.0.0/0 0.0.0.0/0
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain InboundTCP_10488 (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !196.213.94.58
REJECT tcp -- 0.0.0.0/0 196.213.94.58 tcp dpt:113 reject-with tcp-reset
ACCEPT tcp -- 0.0.0.0/0 196.213.94.58 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 196.213.94.58 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 196.213.94.58 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 196.213.94.58 tcp dpt:1723
ACCEPT tcp -- 0.0.0.0/0 196.213.94.58 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 196.213.94.58 tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3388
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1753
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_10488 all -- 0.0.0.0/0 0.0.0.0/0
denylog udp -- 0.0.0.0/0 0.0.0.0/0
Chain InboundUDP_10488 (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !196.213.94.58
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3389
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3388
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1753
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1723
Chain PPPconn (2 references)
target prot opt source destination
PPPconn_1 all -- 0.0.0.0/0 0.0.0.0/0
Chain PPPconn_1 (1 references)
target prot opt source destination
Chain denylog (19 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
ULOG all -- 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `denylog:' queue_threshold 1
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain gre-in (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !196.213.94.58
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain local_chk (2 references)
target prot opt source destination
local_chk_10488 all -- 0.0.0.0/0 0.0.0.0/0
Chain local_chk_10488 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.2.0/24 0.0.0.0/0
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
-
zaleeu
SME Server does not support passthrough VPN connections, which I think is what you are trying to do.
Refer
http://wiki.contribs.org/VPN_practical_tips
Support for the GRE protocol is "more than/different than" just opening ports.
By the way, SME Server in server-gateway mode has a very good port forwarding and opening panel in server-manager, so you do not need to create separate firewall rules.
Also, SME Server in server-gateway mode only supports one external IP address.
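Added example (editor's code, not from the thread, from SME Server or from its templates): a small audit of the filter-table dump posted above, to make concrete what the two replies are saying. A PPTP passthrough needs two things to cross a gateway: the TCP/1723 control connection and the tunnel data, which is GRE (IP protocol 47) and has no ports at all. The script below parses an `iptables -L -n -t filter` dump, follows jumps into user chains, and reports whether TCP/1723 and GRE reach an ACCEPT in FORWARD and whether GRE reaches one in INPUT. The sample dump is a constructed, abridged copy of the one in the thread; a second copy with one extra FORWARD rule for protocol 47 is built only to show the check telling the two apart. Treating SME's `state_chk`/`local_chk` chains as non-decisive is an assumption made here, because `-L` without `-v` hides the interface matches those chains depend on. Filter-table ACCEPTs are necessary but not sufficient: a generic Linux gateway also needs nat-table DNAT for 1723 and for GRE, plus the PPTP connection-tracking/NAT helper that ties GRE to its control connection, which is the "more than opening ports" the reply refers to.

```shell
#!/bin/sh
# Added example: audit an `iptables -L -n -t filter` dump for the filter-table
# pieces a PPTP passthrough needs: TCP/1723 (control) and GRE, IP proto 47
# (tunnel data).  Not SME Server code; the dump below is constructed.

# Constructed sample: abridged from the dump posted in the thread, keeping only
# the chains the checks below walk through.
SAMPLE_DUMP='Chain INPUT (policy DROP)
target prot opt source destination
gre-in 47 -- 0.0.0.0/0 0.0.0.0/0
denylog 47 -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
state_chk all -- 0.0.0.0/0 0.0.0.0/0
ForwardedTCP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
ForwardedUDP udp -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_10488 all -- 0.0.0.0/0 0.0.0.0/0
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain ForwardedTCP_10488 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:1723
ACCEPT tcp -- 0.0.0.0/0 192.168.2.2 tcp dpt:443
Chain gre-in (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !196.213.94.58
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0'

# Same dump plus the one FORWARD rule for GRE the original lacks (constructed).
SAMPLE_DUMP_WITH_GRE=$(printf '%s\n' "$SAMPLE_DUMP" | awk '
    { print }
    /^ForwardedUDP udp/ { print "ACCEPT 47 -- 0.0.0.0/0 192.168.2.2" }')

# chain_rules DUMP CHAIN: the rule lines of CHAIN, without the two header lines.
chain_rules() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Chain /       { cur = $2; next }
        /^target +prot/ { next }
        cur == want && NF > 0'
}

# chain_accepts DUMP CHAIN PROTO [PORT] [DEPTH]: succeed if PROTO ("tcp", "udp",
# "47", ...) to destination port PORT (empty for portless protocols such as GRE)
# reaches an ACCEPT in CHAIN, following jumps into user-defined chains.
# Assumption: state_chk/local_chk depend on interface matches that `-L` without
# `-v` does not show, so they and the log/drop chain denylog are non-decisive.
chain_accepts() {
    [ "${5:-0}" -gt 8 ] && return 1          # guard against chain loops
    chain_rules "$1" "$2" | {
        while read -r target prot rest; do
            # a rule applies to our traffic only if its proto is ours or "all"
            [ "$prot" = "$3" ] || [ "$prot" = all ] || continue
            case "$target" in
                ACCEPT)
                    [ -z "$4" ] && exit 0
                    case "$rest" in *"dpt:$4 "*|*"dpt:$4") exit 0 ;; esac ;;
                DROP|REJECT|ULOG|denylog|state_chk|local_chk) ;;
                *) chain_accepts "$1" "$target" "$3" "$4" $((${5:-0} + 1)) && exit 0 ;;
            esac
        done
        exit 1                               # no ACCEPT reached
    }
}

# verdict CMD...: "ok" if CMD succeeds, "MISSING" otherwise.
verdict() { if "$@"; then echo ok; else echo MISSING; fi; }

# pptp_passthrough_report DUMP: one line per filter-table requirement.
pptp_passthrough_report() {
    echo "FORWARD TCP/1723 (PPTP control): $(verdict chain_accepts "$1" FORWARD tcp 1723)"
    echo "FORWARD proto 47 (GRE tunnel)  : $(verdict chain_accepts "$1" FORWARD 47)"
    echo "INPUT   proto 47 (GRE to host) : $(verdict chain_accepts "$1" INPUT 47)"
}

# pptp_helpers_loaded: on a live Linux gateway, is the PPTP conntrack/NAT helper
# loaded?  (ip_conntrack_pptp/ip_nat_pptp on older 2.6 kernels,
# nf_conntrack_pptp/nf_nat_pptp on later ones.)
pptp_helpers_loaded() {
    lsmod 2>/dev/null | grep -Eq '^(nf|ip)_(conntrack|nat)_pptp'
}

echo "== sample dump as posted =="
pptp_passthrough_report "$SAMPLE_DUMP"
echo "== sample dump plus a FORWARD rule for GRE =="
pptp_passthrough_report "$SAMPLE_DUMP_WITH_GRE"
if pptp_helpers_loaded; then echo "PPTP conntrack/NAT helper: loaded"
else echo "PPTP conntrack/NAT helper: not loaded (or not a Linux gateway)"; fi
# On the gateway itself: pptp_passthrough_report "$(iptables -L -n -t filter)"
```

On the dump as posted the report shows TCP/1723 forwarded and GRE accepted in INPUT but no FORWARD rule for protocol 47, so tunnel data for an inside host never leaves the gateway regardless of how many TCP and UDP ports are opened. The port check only matches single `dpt:` rules, not `dpts:` ranges, and nothing here inspects the nat table; run `iptables -t nat -L -n` separately for the DNAT side.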
-
Seems weird to me that a firewall appliance won't allow VPN connections to get through. Think I am missing something somewhere.
-
zaleeu:
If your "firewall appliance" is SME, then no, passthrough VPNs are not supported.
Please describe your LAN structure, thank you.