[pptp-server] My Win2k/Linux fw setup
Ricky Bowen
ricky.bowen at healthcentral.com
Wed Jun 14 12:00:07 CDT 2000
Hey all,
I just wanted to share my successful Linux 2.2.14 ipchains firewall
port-forwarding to Win2k PPTP setup. I can get Win2k, NT4, and Win98 PPTP
clients to connect to this, but I haven't tried pptp-linux yet. I find
this is a great setup for simple internal LAN (mail, files) access for a
small NT-based corporate network - the execs love the simplicity of the user
end and the security of having a Linux firewall at the front.
This document came in handy:
http://www.redhat.com/mirrors/LDP/HOWTO/VPN-Masquerade-HOWTO-3.html
I got the VPN masquerade patch from
http://www.soleman.org/~jhardin/masquerade/ip_masq_vpn-2.2.14.patch.gz
and a good HOWTO from
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
My firewall was masquerading traffic properly before I tried this - yours
should be too. I recompiled my kernel with the following options:
CONFIG_IP_TRANSPARENT_PROXY=y (not sure if this was required..)
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_IPPORTFW=y
CONFIG_IP_MASQUERADE_PPTP=y
DEBUG_IP_MASQUERADE_PPTP=y
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
I am using ipchains 1.3.9 (17-Mar-1999); here are the PPTP-specific rules:
My INPUT chain:
-A input -s 0.0.0.0/0.0.0.0 -d external-ip/255.255.255.255 1723:1723 -i eth0 -p 6 -j ACCEPT -l
-A input -s 0.0.0.0/0.0.0.0 -d external-ip/255.255.255.255 -p 47 -j ACCEPT -l
E.g.:
target  prot opt    source    destination  ports
ACCEPT  tcp  ----l- anywhere  external-ip  any -> 1723
ACCEPT  gre  ----l- anywhere  external-ip  n/a
The first rule is allowing all traffic from anywhere to the firewall itself,
from any port to port 1723. The second rule is for GRE.
My FORWARD chain:
-A forward -s 172.16.61.10/255.255.255.255 1723:1723 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ -l
-A forward -s 172.16.61.10/255.255.255.255 -d 0.0.0.0/0.0.0.0 -p 47 -j MASQ -l
-A forward -s 0.0.0.0/0.0.0.0 -d 172.16.61.10/255.255.255.255 1723:1723 -p 6 -j MASQ -l
-A forward -s 0.0.0.0/0.0.0.0 -d 172.16.61.10/255.255.255.255 -p 47 -j MASQ -l
E.g.:
target  prot opt    source        destination   ports
MASQ    tcp  ----l- 172.16.61.10  anywhere      1723 -> any
MASQ    gre  ----l- 172.16.61.10  anywhere      n/a
MASQ    tcp  ----l- anywhere      172.16.61.10  any -> 1723
MASQ    gre  ----l- anywhere      172.16.61.10  n/a
The first rule is for masquerading outbound port 1723, the second is for
GRE. The third rule is for masquerading inbound port 1723, and the second
for GRE.
In my /etc/rc.d/rc.local I put the following so things would work on a
reboot.
/usr/sbin/ipfwd --masq 172.16.61.10 47 &
# starts up ipfwd, the protocol redirector for GRE.
/usr/sbin/ipmasqadm portfw -a -P tcp -L 208.49.175.6 1723 -R 172.16.61.10 1723
# starts up ipmasqadm for forwarding 1723 from the firewall's external interface to the internal host.
Logically, here's how everything works:
1) Pptpclient opens connection to firewall using vanilla windoze DUN.
2) firewall forwards port 1723 and GRE of the external interface to
172.16.61.10, which is the Win2k PPTP server.
3) ipchains masquerades outbound port 1723 and GRE to pptpclient
4) things work.
Pptpclient <--> firewall <--> Win2kpptp
OK.. I don't think I forgot anything...
Ricky Bowen
System Administrator
HealthCentralRx.com
(510) 250-3802
"If all else fails, follow the directions."
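Since every rule above carries -l, the firewall logs each accepted PPTP control packet and GRE packet to the kernel log. As an added example (not from Ricky's post), here is a small defender-side check over those log lines: it counts, per external source, how many tcp/1723 SYNs were accepted on the input chain and whether any GRE followed. The log field layout and the sample lines are constructed for this example and are an assumption about 2.2-era ipchains output; the addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample of ipchains "-l" kernel log lines for the rules in the post
# (field layout is an assumption based on 2.2-era logs; adjust LOG_RE if yours differ).
SAMPLE_LOG = """\
Jun 14 11:58:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:1034 198.51.100.6:1723 L=48 S=0x00 I=4123 F=0x4000 T=113 SYN (#1)
Jun 14 11:58:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=47 203.0.113.7:65535 198.51.100.6:65535 L=60 S=0x00 I=4124 F=0x0000 T=113 (#2)
Jun 14 11:58:02 fw kernel: Packet log: forward MASQ eth0 PROTO=6 172.16.61.10:1723 203.0.113.7:1034 L=48 S=0x00 I=77 F=0x4000 T=127 SYN (#3)
Jun 14 11:59:10 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.9:40001 198.51.100.6:1723 L=48 S=0x00 I=9001 F=0x4000 T=50 SYN (#1)
Jun 14 11:59:11 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.9:40002 198.51.100.6:1723 L=48 S=0x00 I=9002 F=0x4000 T=50 SYN (#1)
Jun 14 11:59:12 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.9:40003 198.51.100.6:1723 L=48 S=0x00 I=9003 F=0x4000 T=50 SYN (#1)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one ipchains packet-log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["syn"] = "SYN" in rec["rest"].split()   # TCP flag printed after the header fields
    return rec

def pptp_summary(log_text, threshold=3):
    """Per external source: accepted PPTP control SYNs (tcp/1723) and GRE packets on the
    input chain. A source that opens `threshold` or more control connections but never
    sends GRE never got a tunnel up: what repeated auth failures or a scan of 1723 look like."""
    syns, gre = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chain"] != "input":   # ignore the forward/MASQ side
            continue
        if rec["proto"] == 6 and rec["dport"] == 1723 and rec["syn"]:
            syns[rec["src"]] += 1
        elif rec["proto"] == 47:
            gre[rec["src"]] += 1
    flagged = sorted(s for s, n in syns.items() if n >= threshold and gre[s] == 0)
    return {"syn": dict(syns), "gre": dict(gre), "flagged": flagged}
```

Run it over the kernel log (or a syslog extract) with pptp_summary(open(path).read()); the forward-chain MASQ entries are skipped on purpose so each client is counted once.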