vpn masquerading
Rob Sterenborg
rob at sterenborg.info
Thu Jan 19 19:05:06 CET 2006
> outch !!
Yes, well.. When I wrote this I was at work and unable to test.
Now I'm back home and tested this. I have all modules loaded
(ip_nat_pptp, ip_nat_proto_gre, ip_conntrack_pptp and
ip_conntrack_proto_gre) and that is the only way I can connect multiple
machines to a pptp server.
So, my info was incorrect: keep those modules loaded.
> -> Still, we don't know what you rule have so far concerning pptp...
> -> It's a little hard to give advice this way.
>
>
> I only have a "MASQUERADE" rule in the POSTROUTING nat table.
> That's all.
>
> Do I need a specific rule to masquerade VPN?
Apparently that works (I have never used MASQUERADE on linux-2.4+), but
the preferred way is to use SNAT. Maybe that will also solve your
problem.
Try something like:
$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -i <if_lan> -o <if_inet> \
-s <net_lan> -p gre -j ACCEPT
$ipt -A FORWARD -m state --state NEW -i <if_lan> -o <if_inet> \
-s <net_lan> -p tcp --dport 1723 -j ACCEPT
$ipt -t nat -A POSTROUTING -o <if_inet> -s <net_lan> \
-j SNAT --to <inet_ip>
Gr,
Rob
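The rules above, wrapped into a complete script together with the helper modules named earlier in this thread. This is an added example, not part of Rob's message. The interface names, LAN prefix and public address are constructed placeholders (override them from the environment); the nf_* module names are assumed to be what newer kernels call the ip_* helpers, and the `apply` argument guard is this example's own convention.

```shell
#!/bin/sh
# Added example: PPTP pass-through with SNAT rather than MASQUERADE.
# Interface names, LAN prefix and public address are constructed placeholders;
# override them from the environment.
IF_LAN="${IF_LAN:-eth1}"              # interface facing the LAN clients
IF_INET="${IF_INET:-eth0}"            # interface facing the internet
NET_LAN="${NET_LAN:-192.168.1.0/24}"  # LAN prefix allowed to reach PPTP servers
INET_IP="${INET_IP:-203.0.113.10}"    # static public address used for SNAT
# Dry run: IPT="echo iptables" prints the rules instead of applying them.
IPT="${IPT:-iptables}"

# Load the PPTP/GRE conntrack and NAT helpers. The ip_* names are the ones
# from this thread; nf_* is assumed to be the newer kernels' naming. Without
# a helper only one client can hold a PPTP tunnel through the router, since
# GRE carries no port for NAT to distinguish flows by.
load_helpers() {
    for m in ip_conntrack_proto_gre ip_conntrack_pptp ip_nat_proto_gre ip_nat_pptp \
             nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_pptp; do
        modprobe "$m" 2>/dev/null || true
    done
}

# Returns 0 when both a PPTP conntrack helper and a PPTP NAT helper are loaded.
# Reads /proc/modules only; nothing is changed.
helpers_loaded() {
    [ -r /proc/modules ] || return 1
    grep -qE '^(ip|nf)_conntrack_pptp ' /proc/modules &&
        grep -qE '^(ip|nf)_nat_pptp ' /proc/modules
}

# Emit the forward and NAT rules: default policy DROP, allow replies, allow
# only new GRE and TCP/1723 flows from the LAN outward, then SNAT to the
# fixed public address instead of letting MASQUERADE look it up per packet.
pptp_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state NEW -i "$IF_LAN" -o "$IF_INET" \
        -s "$NET_LAN" -p gre -j ACCEPT
    $IPT -A FORWARD -m state --state NEW -i "$IF_LAN" -o "$IF_INET" \
        -s "$NET_LAN" -p tcp --dport 1723 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$IF_INET" -s "$NET_LAN" \
        -j SNAT --to "$INET_IP"
}

# Apply only when asked explicitly; sourcing the file or running it without
# arguments leaves the firewall untouched.
if [ "${1:-}" = "apply" ]; then
    load_helpers
    helpers_loaded || echo "warning: PPTP helpers not loaded" >&2
    pptp_rules
fi
```

Run `IPT="echo iptables" sh pptp-snat.sh apply` first to review the generated rules, then without the override as root to apply them. The `-m state` match is what the thread used; on current iptables the equivalent is `-m conntrack --ctstate`, and the rule text is otherwise identical.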