PPTP Server and PPTP clients on a firewalled gateway
Gary W. Smith
gary at primeexalia.com
Mon Dec 6 01:58:32 CET 2004
Ran into this problem recently (search the archives about 1-2 weeks
back). Drop ip_nat_* from the load unless you are routing those
protocols to an internally NAT'd VPN server. Since your firewall is
your VPN you do not need to route those.
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> bounces at lists.netfilter.org] On Behalf Of A. Sayler
> Sent: Saturday, December 04, 2004 4:30 PM
> To: netfilter at lists.netfilter.org
> Subject: PPTP Server and PPTP clients on a firewalled gateway
>
> Hi,
>
> If anybody might have some insight into this problem, I would certainly
> appreciate it.
>
> I have multiple wireless clients that need access to outside corporate VPN
> servers through my system. I also have a PPTP server listening on the
> local gateway host for other users to connect to our internal network from
> outside.
>
> I have a 2 NIC system.
>
> I have an internal interface of WLAN0 and the external interface of ETH0.
>
> I have made sure to load the following modules...
> ip_conntrack_proto_gre
> ip_conntrack_pptp
> ip_nat_pptp
> ip_nat_proto_gre
>
> I have added the following commands to the rest of my firewall rules
>
> iptables -I INPUT -p 47 -j ACCEPT
> iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
>
> iptables -I OUTPUT -p 47 -j ACCEPT
> iptables -I OUTPUT -p tcp --dport 1723 -j ACCEPT
>
> iptables -I FORWARD -p 47 -j ACCEPT
> iptables -I FORWARD -p tcp --dport 1723 -j ACCEPT
>
> iptables -I FILTER -p 47 -j ACCEPT
> iptables -I FILTER -p tcp --dport 1723 -j ACCEPT
>
> I'm masquerading all connections out.
>
> Currently the clients can get out and connect properly, but the outside
> clients trying to connect to our local system via the PPTP server on the
> gateway box cannot get a connection.
>
> I think it has something to do with how I'm routing the connection to the
> local host, but I'm not sure what I need to change. Or is this even
> possible?
>
> Any thoughts?
>
> Thanks,
> Adam
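As an added example (not code from either message in this thread), a shell function that prints the module loads and iptables rules for the topology Adam describes, following Gary's advice to load the ip_nat_* helpers only when PPTP is NATed through to an internal VPN server. eth0 and wlan0 are the interfaces named in the thread; the internal server address 192.168.1.10 is a constructed placeholder.

```shell
#!/bin/sh
# Added example: print (rather than run) the module loads and iptables rules
# for a gateway with eth0 outside and wlan0 inside, so the ruleset can be
# reviewed before being piped to sh on the real box.
#   pptp_rules                -> gateway itself is the PPTP server
#   pptp_rules 192.168.1.10   -> PPTP is forwarded to an internal server
# (192.168.1.10 is a constructed placeholder address)
EXT=eth0
INT=wlan0

pptp_rules() {
    internal_server="$1"   # optional LAN address of an internal PPTP server

    # Connection-tracking helpers tie each GRE tunnel to its TCP/1723
    # control connection; these are needed in both cases.
    echo "modprobe ip_conntrack_proto_gre"
    echo "modprobe ip_conntrack_pptp"

    if [ -n "$internal_server" ]; then
        # NAT helpers plus DNAT: the case the reply says the ip_nat_* modules
        # are for (PPTP routed to a NATed VPN server behind the gateway).
        echo "modprobe ip_nat_proto_gre"
        echo "modprobe ip_nat_pptp"
        echo "iptables -t nat -A PREROUTING -i $EXT -p tcp --dport 1723 -j DNAT --to-destination $internal_server"
        echo "iptables -t nat -A PREROUTING -i $EXT -p 47 -j DNAT --to-destination $internal_server"
        echo "iptables -A FORWARD -i $EXT -o $INT -d $internal_server -p tcp --dport 1723 -j ACCEPT"
        echo "iptables -A FORWARD -i $EXT -o $INT -d $internal_server -p 47 -j ACCEPT"
    else
        # PPTP terminates on the gateway: accept the control connection and
        # GRE on the external interface only, no NAT helpers loaded.
        echo "iptables -A INPUT -i $EXT -p tcp --dport 1723 -j ACCEPT"
        echo "iptables -A INPUT -i $EXT -p 47 -j ACCEPT"
        echo "iptables -A OUTPUT -o $EXT -p 47 -j ACCEPT"
    fi

    # Wireless clients dialing outside corporate PPTP servers: forward their
    # control and GRE traffic and masquerade everything leaving eth0.
    echo "iptables -A FORWARD -i $INT -o $EXT -p tcp --dport 1723 -j ACCEPT"
    echo "iptables -A FORWARD -i $INT -o $EXT -p 47 -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE"
}

# Count how many NAT-helper loads a given invocation would perform.
nat_helper_count() {
    pptp_rules "$1" | grep -c 'modprobe ip_nat_'
}
```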