[pptp-server] gre tunnels across a linux router

Cowles, Steve Steve.Cowles at gte.net
Fri Jul 14 16:27:02 CDT 2000


> -----Original Message-----
> From: Shane Boulter [mailto:sboulter at ariasolutions.com]
> Sent: Friday, July 14, 2000 12:56 PM
> To: eharashe at mediaone.net
> Cc: PPTP mailinglist
> Subject: RE: [pptp-server] gre tunnels across a linux router
> 
> 
> My mistake I forgot my ip configs.
> 
> the poptop server is 192.168.1.9
> eth1 on the firewall is 192.168.1.254
> eth0 on the firewall has a real ip $externalip
> 
> The external clients ip's are going to vary since most people 
> in the company have laptops that they travel from site to site
> with.
> 
> Another firewall rule denies packets that have private ip's 
> (192.168.x.y) on eth0 so I thought that it wouldn't matter
> too much to have that rule implemented.
> 
> Shane
> 

I run a similar configuration (masq'd PopTop server behind a linux based
firewall)

The following steps outline what I had to do to make a masq'd PopTop server
work behind a firewall so that external windows based users could connect to
the external ip address of my firewall...

1) Ensure your firewall kernel (not the masq'd PopTop server kernel) is
patched with the IP Masq VPN patch from John Hardin's site. This will create
a module "ip_masq_pptp". You can obtain this patch from
http://www.wolfenet.com/~jhardin/ip_masq_vpn.html Download the one that
applies to your kernel revision on your firewall. 

2) On your firewall, using ipchains, set your external interface to accept
proto 47 and port 1723. Since you have not mentioned your ipchains
policies... I can only offer the following examples. Modify to fit your
network design.

  ipchains -A input -p TCP --dport 1723 -j ACCEPT
  ipchains -A input -p 47 -d $external_ip -j ACCEPT

  The above implies the source IP address to be 0.0.0.0/0

3) Use ipmasqadm to port forward 1723 to internal PopTop server.
  ipmasqadm portfw -a -P tcp -L $external_ip 1723 -R 192.168.1.9 1723

4) Use ipfwd to forward "protocol" 47 to internal PopTop server.
  ipfwd --masq 192.168.1.9 47 &

John Hardin's site also contains links for ipmasqadm and ipfwd. If you're
interested... download and install Seawall (an ipchains firewall) that
already has support for PopTop built-in. By editing a couple of (well
documented) configuration files, it will run the appropriate ipchains,
ipmasqadm, ipfwd based on your network environment. Check out
http://seawall.sourceforge.net to obtain Seawall. 

Good Luck
Steve Cowles
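
The four steps above collected into one script, as an added example that is
not part of Steve's post or of Seawall. The external interface name (eth0),
the public address (203.0.113.10, a documentation address chosen here in place
of $externalip) and the DRY_RUN switch are assumptions; 192.168.1.9 is the
PopTop server from the thread. One change from the rules as posted: the two
ipchains ACCEPT rules are tied to the external interface with -i and to the
external address with -d, so the same rules cannot be matched by packets
arriving on eth1. By default the script only prints the commands; set DRY_RUN=0
to execute them on a firewall whose kernel carries the ip_masq_vpn patch and has
ipchains, ipmasqadm and ipfwd installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Seawall.
# Wraps the four steps for a masq'd PopTop server behind an ipchains firewall.
# EXT_IF, EXTERNAL_IP and DRY_RUN are assumptions for illustration.

EXT_IF="${EXT_IF:-eth0}"                      # assumed external interface
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"    # assumed public address (documentation range)
POPTOP_IP="${POPTOP_IP:-192.168.1.9}"         # internal PopTop server from the thread
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print the commands, 0 = run them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

pptp_passthrough() {
    # Step 1: load the PPTP masquerading helper built by the ip_masq_vpn patch.
    run modprobe ip_masq_pptp

    # Step 2: accept the PPTP control channel (TCP/1723) and GRE (protocol 47),
    # but only on the external interface and only for the external address.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXTERNAL_IP" 1723 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p 47 -d "$EXTERNAL_IP" -j ACCEPT

    # Step 3: port-forward TCP/1723 from the external address to PopTop.
    run ipmasqadm portfw -a -P tcp -L "$EXTERNAL_IP" 1723 -R "$POPTOP_IP" 1723

    # Step 4: forward GRE to PopTop. ipfwd stays resident, so it is
    # backgrounded when actually executed.
    if [ "$DRY_RUN" = "1" ]; then
        run ipfwd --masq "$POPTOP_IP" 47
    else
        ipfwd --masq "$POPTOP_IP" 47 &
    fi
}

pptp_passthrough
```

Run it once with the default DRY_RUN=1 and compare the printed commands
against the existing input chain (ipchains -L input -n) before running it
for real; with -A the rules are appended, so a DENY or REJECT earlier in the
chain would still win.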
