[pptp-server] pptp vpn and masquerading

Larry Rivera larrydog at coqui.net
Mon Aug 14 06:06:08 CDT 2000


Thanks Steve and Gord.
Another one bites the dust! After setting up my ipchains rules per your
instructions, it all worked fine.
LR


"Cowles, Steve" wrote:

> > -----Original Message-----
> > From: Larry Rivera [mailto:larrydog at coqui.net]
> > Sent: Thursday, August 10, 2000 9:33 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] pptp vpn and masquerading
> >
> >
> > Hello:
> >
> > I have a dedicated connection to the internet using a linux server
> > running kernel version 2.2.13. This server also is a member
> > of a private lan in the normal firewall setup that is prevalent
> > these days.
> >
> > I have successfully configured the joining of two remote
> > locations via pptp tunnels and these have their own subnet
> > assigned.  My problem is that since I had to turn off
> > masquerading in the kernel config, (because my incoming
> > connections were being masqueraded as the server's ethernet
> > ip address creating problems for printing, etc.) now my
> > outgoing clients cannot access the internet as before from
> > behind this server (these clients have private ip numbers).
> > I HAVE read all of the documentation out there but am still
> > unsure of several issues.
> > Is it possible to have the following setup?:
> >
> > 1. Masquerade outgoing connections for internet browsing from
> > a private network behind firewall.
> > 2. DO NOT Masquerade incoming pptp connections so that remote machines
> > can access the applications server with their ip address intact.
> >
>
> Yes, the order that you enter your ipchain rules is critical in this case.
>
> 1) Specify the non-masq networks first
> 2) Specify the private networks last (MASQ)
>
> Example: My private network is 192.168.9.0/24 and the remote network (VPN) is
> 192.168.1.0/24. Notice the order that the rules are listed in the forward
> chain (see below). Packets destined for the remote network (192.168.1.0/24)
> are processed "first" then the MASQ'd rule for 192.168.9.0/24 and then DENY
> all others.
>
> firewall: root # ipchains -L forward -n
> Chain forward (policy REJECT):
> target     prot opt     source                destination           ports
> ACCEPT     all  ------  0.0.0.0/0            192.168.1.0/24        n/a
> ACCEPT     all  ------  192.168.1.0/24       0.0.0.0/0             n/a
> MASQ       all  ------  192.168.9.0/24       0.0.0.0/0             n/a
> DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
>
> Using the above rules, I am able to MASQ my internal network for internet
> access and also communicate with the remote LAN across the VPN. Hopefully
> the above will give you a good starting point to add the appropriate ipchain
> rules at your end. BTW: Don't forget about the other end of the tunnel.
>
> Steve Cowles
>
> > Has anyone seen a setup like this?
> > Thanks
> > LR
> >
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
> >
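Added example, not from the list thread: a small first-match simulator of the forward chain Steve quoted, showing why the MASQ rule must sit after the VPN ACCEPT rules. The networks and targets are taken from his listing; the host addresses used as sample packets are constructed.

```python
import ipaddress
from typing import List, Tuple

# One rule per chain line: (target, source CIDR, destination CIDR).
# ipchains walks a chain top to bottom and stops at the first match,
# which is the whole point of the ordering advice in the reply.
Rule = Tuple[str, str, str]

# The forward chain exactly as listed in the reply (the DENY line also logs).
CORRECT_ORDER: List[Rule] = [
    ("ACCEPT", "0.0.0.0/0",      "192.168.1.0/24"),  # anything to the VPN LAN, untouched
    ("ACCEPT", "192.168.1.0/24", "0.0.0.0/0"),       # anything from the VPN LAN, untouched
    ("MASQ",   "192.168.9.0/24", "0.0.0.0/0"),       # private LAN out to the internet
    ("DENY",   "0.0.0.0/0",      "0.0.0.0/0"),       # everything else
]

# Same rules, MASQ listed first: the ordering Larry's original setup suffered from.
WRONG_ORDER: List[Rule] = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1], CORRECT_ORDER[3]]


def forward_chain_verdict(rules: List[Rule], src: str, dst: str, policy: str = "REJECT") -> str:
    """Return the target of the first rule matching src/dst, else the chain policy."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for target, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return target
    return policy


def masquerades_vpn_traffic(rules: List[Rule]) -> bool:
    """True if a private-LAN host talking to the remote VPN LAN would be masqueraded.

    That is the failure mode in the thread: the remote side sees the server's own
    address instead of the real client, which breaks printing and similar services.
    """
    return forward_chain_verdict(rules, "192.168.9.10", "192.168.1.20") == "MASQ"


if __name__ == "__main__":
    for name, chain in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, "LAN->VPN:", forward_chain_verdict(chain, "192.168.9.10", "192.168.1.20"),
              "LAN->internet:", forward_chain_verdict(chain, "192.168.9.10", "203.0.113.5"))
```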

