[pptp-server] My Win2k/Linux fw setup

Ricky Bowen ricky.bowen at healthcentral.com
Wed Jun 14 12:00:07 CDT 2000


Hey all,
I just wanted to share my successful Linux 2.2.14 ipchains firewall
port-forwarding to Win2k PPTP setup. I can get Win2k, NT4, and Win98 PPTP
clients to connect to this, but I haven't tried pptp-linux yet. I find
this is a great setup for simple internal LAN (mail, files) access for a
small NT-based corporate network - the execs love the simplicity of the user
end and the security of having a Linux firewall at the front.
This document came in handy:
http://www.redhat.com/mirrors/LDP/HOWTO/VPN-Masquerade-HOWTO-3.html
I got the VPN masquerade patch from
http://www.soleman.org/~jhardin/masquerade/ip_masq_vpn-2.2.14.patch.gz
and a good HOWTO from
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

My firewall was masquerading traffic properly before I tried this - yours
should be too. I recompiled my kernel with the following options:

CONFIG_IP_TRANSPARENT_PROXY=y (not sure if this was required..)
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=y
CONFIG_IP_MASQUERADE_IPPORTFW=y
CONFIG_IP_MASQUERADE_PPTP=y
DEBUG_IP_MASQUERADE_PPTP=y
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y

I am using ipchains 1.3.9 (17-Mar-1999); here are the PPTP-specific rules:

My INPUT chain:
-A input -s 0.0.0.0/0.0.0.0 -d external-ip/255.255.255.255 1723:1723 -i eth0 -p 6 -j ACCEPT -l
-A input -s 0.0.0.0/0.0.0.0 -d external-ip/255.255.255.255 -p 47 -j ACCEPT -l
E.g.:
target     prot opt     source                destination           ports
ACCEPT     tcp  ----l-  anywhere             external-ip           any ->   1723
ACCEPT     gre  ----l-  anywhere             external-ip           n/a

The first rule allows all traffic from anywhere to the firewall itself,
from any port to port 1723. The second rule is for GRE.

My FORWARD chain:
-A forward -s 172.16.61.10/255.255.255.255 1723:1723 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ -l
-A forward -s 172.16.61.10/255.255.255.255 -d 0.0.0.0/0.0.0.0 -p 47 -j MASQ -l
-A forward -s 0.0.0.0/0.0.0.0 -d 172.16.61.10/255.255.255.255 1723:1723 -p 6 -j MASQ -l
-A forward -s 0.0.0.0/0.0.0.0 -d 172.16.61.10/255.255.255.255 -p 47 -j MASQ -l
E.g.:
target     prot opt     source                destination           ports
MASQ       tcp  ----l-  172.16.61.10         anywhere              1723 ->   any
MASQ       gre  ----l-  172.16.61.10         anywhere              n/a
MASQ       tcp  ----l-  anywhere             172.16.61.10          any ->   1723
MASQ       gre  ----l-  anywhere             172.16.61.10          n/a

The first rule is for masquerading outbound port 1723, the second is for
GRE. The third rule is for masquerading inbound port 1723, and the second
for GRE.

In my /etc/rc.d/rc.local I put the following so things would work on a
reboot.

/usr/sbin/ipfwd --masq 172.16.61.10 47 &
# starts up ipfwd, the protocol redirector for GRE.

/usr/sbin/ipmasqadm portfw -a -P tcp -L 208.49.175.6 1723 -R 172.16.61.10 1723
# starts up ipmasqadm for forwarding 1723 from the firewall's external
# interface to the internal host.

Logically, here's how everything works:
1) Pptpclient opens a connection to the firewall using vanilla windoze DUN.
2) The firewall forwards port 1723 and GRE on the external interface to
172.16.61.10, which is the Win2k PPTP server.
3) ipchains masquerades outbound port 1723 and GRE to pptpclient.
4) Things work.

Pptpclient <--> firewall <--> Win2kpptp

OK.. I don't think I forgot anything...

Ricky Bowen
System Administrator
HealthCentralRx.com
(510) 250-3802
"If all else fails, follow the directions."
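The setup above relies on the kernel's PPTP masquerade module (CONFIG_IP_MASQUERADE_PPTP) to tie the GRE data stream back to the TCP/1723 control connection, because ipchains itself keeps no state for GRE. The following is an added illustration, not code from this post or from the ip_masq_vpn patch: a simplified model of that bookkeeping. It parses Outgoing-Call-Reply messages on the control channel to learn which Call ID the internal server (172.16.61.10 from the post) assigned, then parses the enhanced GRE header of inbound packets and forwards only those whose Call ID is known, dropping the rest. Message layouts follow RFC 2637; all function and class names (parse_pptp_control, parse_gre_pptp, PptpMasq, build_out_call_reply, build_gre_pptp, demo) and the sample messages are constructed here.

```python
# Added illustration, not code from the post or from the ip_masq_vpn patch:
# a simplified model of what a PPTP-aware masquerader must track. All names
# and sample messages are constructed here; layouts follow RFC 2637.
import struct

PPTP_MAGIC = 0x1A2B3C4D        # magic cookie in every PPTP control message
PPTP_CTRL_MESSAGE = 1          # PPTP message type: control message
OUT_CALL_REQUEST = 7           # client -> server
OUT_CALL_REPLY = 8             # server -> client, carries both Call IDs
GRE_PROTO_PPP = 0x880B         # enhanced GRE protocol type for a PPP payload


def parse_pptp_control(data):
    """Parse a PPTP control message from the TCP/1723 stream. Only the two
    outgoing-call messages are decoded beyond the 12-byte common header."""
    if len(data) < 12:
        raise ValueError("short PPTP control message")
    length, msg_type, cookie, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if cookie != PPTP_MAGIC or msg_type != PPTP_CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if length != len(data):
        raise ValueError("length field disagrees with message size")
    msg = {"ctrl_type": ctrl_type}
    if ctrl_type == OUT_CALL_REQUEST:
        msg["call_id"], msg["serial"] = struct.unpack("!HH", data[12:16])
    elif ctrl_type == OUT_CALL_REPLY:
        (msg["call_id"], msg["peer_call_id"],
         msg["result"], msg["error"]) = struct.unpack("!HHBB", data[12:18])
    return msg


def parse_gre_pptp(pkt):
    """Parse an enhanced GRE header (RFC 2637 section 4). The low 16 bits of
    the Key field hold the *recipient's* Call ID, which is what to key on."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags, ver, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not flags & 0x20:
        raise ValueError("not enhanced GRE carrying PPP")
    off, seq, ack = 8, None, None
    if flags & 0x10:                      # S bit: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if ver & 0x80:                        # A bit: acknowledgment number present
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if len(pkt) - off < payload_len:
        raise ValueError("truncated GRE payload")
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload": pkt[off:off + payload_len]}


class PptpMasq:
    """Call table: server-assigned Call ID -> internal host that owns the call."""

    def __init__(self):
        self.calls = {}

    def observe_control(self, data, internal_host):
        """Feed one control message seen leaving internal_host on TCP/1723."""
        msg = parse_pptp_control(data)
        if msg["ctrl_type"] == OUT_CALL_REPLY and msg["result"] == 1:  # 1 = connected
            self.calls[msg["call_id"]] = internal_host
        return msg

    def route_inbound_gre(self, pkt):
        """Internal host for an inbound GRE packet, or None (drop it: no
        control connection ever set up that Call ID)."""
        return self.calls.get(parse_gre_pptp(pkt)["call_id"])


def build_out_call_reply(call_id, peer_call_id, result=1):
    """Constructed 32-byte Outgoing-Call-Reply (RFC 2637 section 2.8)."""
    return struct.pack("!HHIHHHHBBHIHHI", 32, PPTP_CTRL_MESSAGE, PPTP_MAGIC,
                       OUT_CALL_REPLY, 0, call_id, peer_call_id, result, 0,
                       0, 10_000_000, 64, 0, 0)


def build_gre_pptp(call_id, payload, seq=None):
    """Constructed enhanced GRE packet addressed to call_id."""
    flags = 0x20 | (0x10 if seq is not None else 0)   # K bit, plus S if seq given
    hdr = struct.pack("!BBHHH", flags, 0x01, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def demo():
    """Server 172.16.61.10 accepts a call as Call ID 0x1234 (client's is 0x0001).
    GRE for 0x1234 is forwarded to it; GRE for an unknown Call ID is dropped."""
    masq = PptpMasq()
    masq.observe_control(build_out_call_reply(0x1234, 0x0001), "172.16.61.10")
    lcp = b"\xff\x03\xc0\x21"             # PPP frame start: HDLC addr/ctrl + LCP
    known = masq.route_inbound_gre(build_gre_pptp(0x1234, lcp, seq=1))
    unknown = masq.route_inbound_gre(build_gre_pptp(0x9999, lcp, seq=1))
    return known, unknown


if __name__ == "__main__":
    print(demo())
```

The point of the drop in route_inbound_gre is the check the plain ipchains rules cannot make: the fourth FORWARD rule and the ipfwd redirector pass any GRE from anywhere to 172.16.61.10, so it is the Call ID table learned from TCP/1723 that distinguishes a packet belonging to a negotiated session from a stray one.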