VPN via iptables?!

Richard Hansen rhansen@nobelcom.com
Wed, 06 Jun 2001 20:58:24 -0400


I don't know if this is it, but it looks like it...

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

-Richard Hansen


At 14:15 2001-06-06, Phillip A. Ryals wrote:
>I've been looking for the same thing over the last few days.  After too much
>digging, I've found that apparently a patch doesn't exist for the 2.4 kernel
>to allow VPN Masquerading.  So as far as I can tell, it's either setting up
>a static route to a DMZ (which I'm still not completely clear on), or not
>putting the client behind the firewall at all.
>
>-phillip
>
> > -----Original Message-----
> > From: netfilter-admin@lists.samba.org
> > [mailto:netfilter-admin@lists.samba.org]On Behalf Of Christian Rasmussen
> > Sent: Wednesday, June 06, 2001 1:09 PM
> > To: 'netfilter@lists.samba.org'
> > Subject: VPN via iptables?!
> >
> >
> > Hi,
> >
> >
> > I have a private LAN connected to the Internet via an iptables server
> > performing NAT/Masquerading:
> >
> > iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j SNAT
> > --to $EXTIP
> >
> >
> > I have also mapped port 80 to an internal server, which works just fine:
> >
> > iptables -t nat -A PREROUTING -d $EXTIP -p tcp --dport 80 -j DNAT --to
> > 10.0.0.10:80
> > iptables -A FORWARD -i eth0 -d 10.0.0.10 -j ACCEPT
> >
> >
> > I would also like to be able to create a VPN connection through the
> > iptables server to an internal VPN server, I've tried:
> >
> > iptables -t nat -A PREROUTING -d $EXTIP -p 47 -j DNAT --to 10.0.0.17
> > iptables -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1723 -j DNAT --to
> > 10.0.0.17:1723
> > iptables -A FORWARD -i eth0 -d 10.0.0.17 -j ACCEPT
> >
> >
> > But it doesn't seem to work!! The client program said something like that
> > the server didn't appear to be listening... I've once configured a Cisco
> > router which was between the Internet and the VPN server to permit:
> >
> > access list 101 permit gre any host x.x.x.x
> > access list 101 permit tcp any host x.x.x.x eq 1723
> >
> >
> > this worked just fine, so I would think that I should just NAT GRE and
> > tcp port 1723 .... VPN is running on a Windows NT4 server with RAS.
> > Anyone experienced with getting such a setup running??
> >
> >
> > Any comments/suggestions would be greatly appreciated!
> >
> >
> >
> > Regards
> > Christian Rasmussen
> >
> >