VPN via iptables?!

Phillip A. Ryals support@admiralexpress.com
Wed, 6 Jun 2001 13:15:58 -0500


I've been looking for the same thing over the last few days.  After too much
digging, I've found that apparently a patch doesn't exist for the 2.4 kernel
to allow VPN Masquerading.  So as far as I can tell, it's either setting up
a static route to a DMZ (which I'm still not completely clear on), or not
putting the client behind the firewall at all.

-phillip

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Christian Rasmussen
> Sent: Wednesday, June 06, 2001 1:09 PM
> To: 'netfilter@lists.samba.org'
> Subject: VPN via iptables?!
>
>
> Hi,
>
>
> I have a private LAN connected to the Internet via an iptables server
> performing NAT/Masquerading:
>
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j SNAT --to $EXTIP
>
>
> I have also mapped port 80 to an internal server, which works just fine:
>
> iptables -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 -j DNAT --to 10.0.0.10:80
> iptables -A FORWARD -i eth0 -d 10.0.0.10 -j ACCEPT
>
>
> I would also like to be able to create a VPN connection through the
> iptables server to an internal VPN server, I've tried:
>
> iptables -t nat -A PREROUTING -d $EXTIP -p 47 -j DNAT --to 10.0.0.17
> iptables -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1723 -j DNAT --to 10.0.0.17:1723
> iptables -A FORWARD -i eth0 -d 10.0.0.17 -j ACCEPT
>
>
> But it doesn't seem to work!! The client program said something like the
> server didn't appear to be listening... I've once configured a Cisco
> router which was between the Internet and the VPN server to permit:
>
> access list 101 permit gre any host x.x.x.x
> access list 101 permit tcp any host x.x.x.x eq 1723
>
>
> this worked just fine, so I would think that I should just NAT GRE and
> tcp port 1723 .... VPN is running on a Windows NT4 server with RAS.
> Anyone experienced with getting such a setup running??
>
>
> Any comments/suggestions would be greatly appreciated!
>
>
>
> Regards
> Christian Rasmussen
>
>
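As an added example, not part of the thread: a small Python lint that parses the posted rule set (with $EXTIP replaced by a constructed documentation address, 192.0.2.1) and checks that the PPTP pass-through has both DNAT rules, TCP/1723 for control and GRE (IP protocol 47) for data, pointing at the VPN host, and that the FORWARD accept is narrowed to those two protocols instead of matching everything sent to that host. GRE carries no port numbers, so plain DNAT can only hand it to one internal host; tracking GRE state across NAT is the job of the PPTP connection-tracking helper (nf_conntrack_pptp/nf_nat_pptp in current kernels), which the reply above reports was not available for 2.4 at the time.

```python
import shlex

# Constructed sample: the rule set from the thread, with $EXTIP replaced by a
# documentation address (192.0.2.1) so the text parses without a shell variable.
SAMPLE_RULES = """
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j SNAT --to 192.0.2.1
iptables -t nat -A PREROUTING -d 192.0.2.1 -p 47 -j DNAT --to 10.0.0.17
iptables -t nat -A PREROUTING -d 192.0.2.1 -p tcp --dport 1723 -j DNAT --to 10.0.0.17:1723
iptables -A FORWARD -i eth0 -d 10.0.0.17 -j ACCEPT
"""

def parse_rule(line):
    """Map one iptables command to {option: value}; negated values get a '!' prefix."""
    toks = shlex.split(line)[1:]              # drop the leading 'iptables'
    rule, i = {"t": "filter"}, 0              # -t defaults to the filter table
    while i < len(toks):
        neg, opt = False, toks[i]
        if opt == "!":                        # prefix negation: "! -d 10.0.0.0/24"
            neg, i = True, i + 1
            opt = toks[i]
        val = True                            # bare flag unless a value follows
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val, i = toks[i + 1], i + 1
            if val == "!":                    # legacy form: "-d ! 10.0.0.0/24"
                neg, val, i = True, toks[i + 1], i + 1
        rule[opt.lstrip("-")] = ("!" + val) if neg and val is not True else val
        i += 1
    return rule

def lint_pptp_passthrough(rules_text, vpn_host):
    """Findings for a PPTP (TCP/1723 control + GRE/47 data) DNAT setup; [] means complete."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    to_host = lambda r: str(r.get("to", "")).split(":")[0] == vpn_host
    dnat = [r for r in rules if r["t"] == "nat" and r.get("A") == "PREROUTING"
            and r.get("j") == "DNAT" and to_host(r)]
    fwd = [r for r in rules if r.get("A") == "FORWARD" and r.get("j") == "ACCEPT"
           and r.get("d") == vpn_host]
    findings = []
    if not any(r.get("p") in ("47", "gre") for r in dnat):
        findings.append("no DNAT of GRE (IP protocol 47) to " + vpn_host)
    if not any(r.get("p") == "tcp" and r.get("dport") == "1723" for r in dnat):
        findings.append("no DNAT of TCP/1723 to " + vpn_host)
    if not fwd:
        findings.append("no FORWARD ACCEPT for " + vpn_host)
    for r in fwd:
        if "p" not in r:                      # least privilege: accept only what PPTP needs
            findings.append("FORWARD ACCEPT for %s matches every protocol; "
                            "restrict it to -p gre and -p tcp --dport 1723" % vpn_host)
    return findings
```

Running the lint over the posted rules reports only the over-broad FORWARD rule; splitting it into one `-p gre` and one `-p tcp --dport 1723` accept clears the finding.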