Apparently flakey behavior with DNAT, SNAT, and masquerading

Ramin Alidousti ramin@UU.NET
Fri, 8 Jun 2001 21:55:06 -0400


On Thu, Jun 07, 2001 at 05:25:54PM -0500, Greg Scott wrote:

> Hi all - 
> 
> I'm trying to set up a VPN based on PPTP and NAT.  Based on lots of reading, here's what I think is supposed to happen:  The client sends a TCP Port 1723 packet to set up the connection.  Once that happens, the client and server exchange IP Protocol 47 (GRE) packets with the encrypted payloads enclosed.  (I know the encryption isn't the best but that's another problem.)
> 
> It all kind of works, except when I run it through the Internet.  I know that sounds bizarre.  I can connect a test VPN client to the attached hub of our DSL router and VPN to my heart's content.  Last week, I even got it to work across the Internet from another location.  But now, I can't get VPN packets in here to save my life.  Maybe there's a problem with our ISP, so I brought in a couple Cisco 2501 routers, disconnected the entire network from the Internet, and tried my VPN testing through them - still no luck.  So it isn't the ISP.
> 
> I am doing something subtly (or maybe blatantly?) wrong and that's why the weird symptoms.
> 
> My internal network has 3 LANs, LAN1, LAN2, and DMZ.  I haven't implemented the DMZ yet.  Each of the internal LANs has its own VPN server and I am trying to use NAT to redirect VPN traffic to the appropriate server.  
> 
> Here's what I want to do:
> 
> Public IP LAN1 <--> NAT <--> 192.168.0.253
> Public IP LAN2 <--> NAT <--> 192.168.10.253
> 
> I'm pasting in my NAT rules at the bottom of this note (I edited the public IP addresses out)
> 
> Here are my questions:
> 
> 1.  As I understand things, I want to fudge in my internal destination IP address in place of the public IP address for inbound packets to my VPN server.  Then my firewall rules in the filtering tables should test against the internal IP address.  And then on the way out, I want to fudge back in the public source IP address, so the rest of the world thinks the VPN lives at the public addresses.  Is this right?  Did I get the rules right (see below)?


Your assumption is correct. As for the rules, send the rules; I'm kind of weak
in reading the output of the '-L'.

> 
> 2.  What is the purpose of the built-in OUTPUT chain inside the nat table?  Where does this OUTPUT chain fit with Rusty's famous ASCII art drawings?  How is this OUTPUT chain different than the filtering table's OUTPUT chain?

You have different tables like filter or nat. These two tables have an OUTPUT
chain. These are two distinct chains though.

> 
> 3.  I want to do this specific DNAT and SNAT for my VPN traffic, then MASQUERADE everything else, so the outside world thinks all traffic is coming from the firewall IP Address.  Did I get these right?

Send the rules. BTW, did it work when you tested?

Ramin
PS. Use line breaks. These long lines are kind of annoying to read.