[pptp-server] How to set iptables to doesn't masquerade the V PN traffic?

George Vieira GeorgeV at citadelcomputer.com.au
Thu Dec 20 15:00:31 CST 2001


So many posts I can't remember them all... Also make graphics go down the
mail, wrapping can be a real pain...

1) Do your firewall rules on Linux log ALL your DENY messages? You should
turn this on to see if the routes are denied or not.
2) The MASQ rule you're using, did you specify the EXTERNAL ETHERNET card to
forward on? Eg.

ipchains -A forward -i eth1 -s 192.168.50.0/24 -j MASQ  # MUST insert "-i EXTDEV"

    then your server should NOT MASQ internal users to the VPN user as that
user is on a PPP0/PPP1 device not ETH1.. so it's routed.
(This all depends on how your external connection is done ie. PPPoE
etc..etc..)

Your VPN user will not know how to get back to the internal users because of
the IP you're giving them (192.168.0.1), it's not on the same network as the
internal users so it'll assume to send out via the internet and not the VPN.
This will mean you MUST supply a static/permanent route for that network
onto the VPN.. (what a pain)..

For this reason most people assign an internal IP for the VPN user so they
are part of the internal network and everything is sweet.
In your case:


192.168.50.1| PPTPD server |200.251.30.1 --------------------- 200.230.2.2 |
PPTPd client (NT)|192.168.50.250!!!!

This way, no routing is needed.. just use proxyarp in your server's options
file.




thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
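A worked iptables version of the advice above for Bruno's setup (an added example, not code from the thread). It assumes eth1 is the external device (as in the ipchains line above), eth0 the internal LAN and ppp0 the pptpd tunnel; the script prints the commands so the ruleset can be checked before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are assumptions:
# eth1 external (as in George's ipchains line), eth0 internal LAN,
# ppp0 the pptpd tunnel device mentioned by Bruno.
EXT_IF=${EXT_IF:-eth1}
INT_IF=${INT_IF:-eth0}
VPN_IF=${VPN_IF:-ppp0}
LAN_NET=192.168.50.0/24      # internal users behind the pptpd server
REMOTE_NET=192.168.0.0/24    # network behind the NT pptp client

# build_rules prints the commands instead of running them, so the result
# can be reviewed (or tested) before it touches the firewall.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Route the remote LAN into the tunnel. Without this the kernel sends it
# to the default gateway (the internet) and MASQUERADE rewrites it.
ip route replace $REMOTE_NET dev $VPN_IF
# NAT only on the external device: packets leaving via $VPN_IF keep their
# source address. The explicit ACCEPT is belt-and-braces and must come
# before the MASQUERADE rule.
iptables -t nat -A POSTROUTING -s $LAN_NET -d $REMOTE_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
# Forwarding: replies to anything we allowed, LAN -> internet, LAN <-> tunnel.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $VPN_IF -s $LAN_NET -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $INT_IF -s $REMOTE_NET -d $LAN_NET -j ACCEPT
# Log what falls through (George's point 1), then drop it.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# apply_rules feeds the generated commands to a shell; needs root on the box.
apply_rules() {
    build_rules | sh -e
}

# has_rule: true if the generated ruleset contains the given fragment.
has_rule() {
    build_rules | grep -F -- "$1" >/dev/null
}
```

Run `build_rules` to inspect the output and `apply_rules` to load it; the LOG line is what makes a misrouted VPN packet show up in the kernel log instead of silently disappearing.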


-----Original Message-----
From: Bruno Negrão [mailto:bnegrao at engepel.com.br]
Sent: Thursday, 20 December 2001 10:33 PM
To: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] How to set iptables to doesn't masquerade the
VPN traffic?


>
> What are the ip addresses, interfaces and are you using ipchains or
> iptables or what?
I'm sorry. I'm using iptables.

My network is:

192.168.50.1| PPTPD server |200.251.30.1 --------------------- 200.230.2.2 |
PPTPd client (NT)|192.168.0.1

\-----------------------------------------------------------------/
                                                          pptp tunnel on net
192.168.14.0
My clients in network 192.168.50/24 must be masqueraded when connecting to the
internet but must be just forwarded when connecting with the 192.168.0.0/24
network.



>
>
> Bruno Negrão wrote:
>
> > Hi, since everyone here works with pptp somebody should have solved
> > this problem: My pptpd server is a linux 2.4.x kernel with two
> > interfaces (external and internal). I set it to masquerade the
> > outgoing traffic, but I don't want to masquerade the outgoing vpn
> > traffic passing through the ppp0 interface. It has got to be, instead,
> > forwarded with its original source addresses. Could someone show me
> > the iptables rules to make it work? (tips in routing would be
> > appreciated too). thank you,
> > -------------------------------------------------
> >  -- Bruno Negrão -- Suporte
> >  -- Plugway Acesso Internet Ltda.
> >  -- (31)34812311
> >  -- bnegrao at plugway.com.br
>

_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
--- To unsubscribe, go to the url just above this line. --