netfilter digest, Vol 1 #860 - 11 msgs
Sat, 14 Jul 2001 08:44:15 +0000
On Friday 13 July 2001 17:08, Steve Gajek wrote:
> Is it possible to run more than 1 VPN session through the NETFILTER
> firewall (IPTABLES) at any one time?
> I am using the following commands
> #Port Forwarding rules...
> #iptables -t nat -A PREROUTING -p tcp -d $externalipnumber --dport 1723 -j DNAT --to 192.168.0.1:1723
> #iptables -t nat -A PREROUTING -p tcp -d $externalipnumber --dport 47 -j DNAT --to 192.168.0.01:47
> Forwarded onto NT 4 server.
You are probably trying to use PPTP for your VPN, from what I can see...
However, I'm afraid you probably misunderstood (or a typo..?) how
it actually works...
the second command should allow the _PROTOCOL_ 47 (use '-p 47' or
'-p gre' if you have the following line in your /etc/protocols)
$ cat /etc/protocols | grep 47
gre 47 GRE # Generic Routing Encapsulation
rather than tcp port 47 (which has nothing to do with PPTP ;-)
$ cat /etc/services | grep \ 47/tcp
ni-ftp 47/tcp NI FTP
PPTP uses port 1723 as the control connection, and GRE (proto 47)
as the actual tunnel, if I'm not wrong.
The problem with having several PPTP connections initiated
behind the NATing box is that the NAT box is not able to know
for whom the GRE packet that comes from outside is. If you have
only one box making a GRE connection, then it's no problem for netfilter...
but for 2 boxes, netfilter for now has no idea to whom to forward the GRE packet.
Hope this helps,
"Silly hacker, root is for administrators"
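The corrected rule set the reply describes, as an added example that is not part of the original mail or the netfilter project: it forwards the TCP 1723 control connection and the GRE tunnel (IP protocol 47, not TCP port 47) to the PPTP server behind the firewall. The external address (203.0.113.10) and the server address are assumed placeholders; the script prints the rules for review and applies them only when invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original mail): DNAT rules for a PPTP server
# behind a netfilter box. PPTP = TCP 1723 control connection + GRE (proto 47)
# data tunnel. The original post's "-p tcp --dport 47" matches ni-ftp, not GRE.
EXT_IP=${EXT_IP:-203.0.113.10}          # assumed public address (documentation range)
PPTP_SERVER=${PPTP_SERVER:-192.168.0.1} # assumed address of the NT 4 PPTP server

# Use the symbolic name only if /etc/protocols knows it, otherwise the number 47.
gre_proto() {
    if grep -qE '^gre[[:space:]]+47' /etc/protocols 2>/dev/null; then
        echo gre
    else
        echo 47
    fi
}

# Emit the rules, one per line, so they can be reviewed before being applied.
# The GRE DNAT has no port: GRE has no ports, so only the address is rewritten.
pptp_forward_rules() {
    proto=$(gre_proto)
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -p tcp -d $EXT_IP --dport 1723 -j DNAT --to-destination $PPTP_SERVER" \
      "iptables -t nat -A PREROUTING -p $proto -d $EXT_IP -j DNAT --to-destination $PPTP_SERVER" \
      "iptables -A FORWARD -p tcp -d $PPTP_SERVER --dport 1723 -j ACCEPT" \
      "iptables -A FORWARD -p $proto -d $PPTP_SERVER -j ACCEPT"
}

# The mistaken rule from the question, kept only for comparison: tcp/47 is ni-ftp.
wrong_gre_rule() {
    echo "iptables -t nat -A PREROUTING -p tcp -d $EXT_IP --dport 47 -j DNAT --to-destination $PPTP_SERVER:47"
}

# Apply only when explicitly asked (needs root and the nat table available).
if [ "$1" = apply ]; then
    pptp_forward_rules | while read -r rule; do $rule; done
else
    pptp_forward_rules
fi
```

Note that this only fixes the single-server forwarding case. The multi-client limitation the reply describes (GRE carries no port numbers, so the NAT box cannot tell several tunnels apart) was addressed in later kernels by the PPTP connection-tracking and NAT helpers (nf_conntrack_pptp / nf_nat_pptp), which track the call IDs negotiated on the 1723 control connection; that helper is not part of the 2001 setup discussed here.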