[pptp-server] pptp vpn and masquerading
Cowles, Steve
Steve.Cowles at gte.net
Thu Aug 10 11:20:46 CDT 2000
> -----Original Message-----
> From: Larry Rivera [mailto:larrydog at coqui.net]
> Sent: Thursday, August 10, 2000 9:33 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] pptp vpn and masquerading
>
>
> Hello:
>
> I have a dedicated connection to the internet using a linux server
> running kernel version 2.2.13. This server also is a member
> of a private lan in the normal firewall setup that is prevalent
> these days.
>
> I have successfully configured the joining of two remote
> locations via pptp tunnels and these have their own subnet
> assigned. My problem is that since I had to turn off
> masquerading in the kernel config, (because my incoming
> connections were being masqueraded as the server's ethernet
> ip address creating problems for printing, etc.) now my
> outgoing clients cannot access the internet as before from
> behind this server (these clients have private ip numbers).
> I HAVE read all of the documentation out there but am still
> unsure of several issues.
> Is it possible to have the following setup?:
>
> 1. Masquerade outgoing connections for internet browsing from a private
> network behind firewall.
> 2. DO NOT Masquerade incoming pptp connections so that remote machines
> can access the applications server with their ip address intact.
>
Yes. The order that you enter your ipchain rules is critical in this case.
1) Specify the non-masq networks first
2) Specify the private networks last (MASQ)
Example: My private network is 192.168.9.0/24 and the remote network (VPN) is
192.168.1.0/24. Notice the order that the rules are listed in the forward
chain (see below). Packets destined for the remote network (192.168.1.0/24)
are processed "first" then the MASQ'd rule for 192.168.9.0/24 and then DENY
all others.
firewall: root # ipchains -L forward -n
Chain forward (policy REJECT):
target  prot opt    source          destination     ports
ACCEPT  all  ------ 0.0.0.0/0       192.168.1.0/24  n/a
ACCEPT  all  ------ 192.168.1.0/24  0.0.0.0/0       n/a
MASQ    all  ------ 192.168.9.0/24  0.0.0.0/0       n/a
DENY    all  ----l- 0.0.0.0/0       0.0.0.0/0       n/a
Using the above rules, I am able to MASQ my internal network for internet
access and also communicate with the remote LAN across the VPN. Hopefully
the above will give you a good starting point to add the appropriate ipchain
rules at your end. BTW: Don't forget about the other end of the tunnel.
Steve Cowles
> Has anyone seen a setup like this?
> Thanks
> LR
>
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>