[lug] iptables/PPTP VPN question...

John Hernandez John.Hernandez at noaa.gov
Tue Mar 12 10:01:10 MST 2002


The following excerpt is taken from 
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

---

Masquerading a single [PPTP] VPN client using IPtables is fairly simple 
to set up, and requires no special patches. The following is thanks to 
Joshua Eichorn <jeichorn at JoshuaEichorn.com>. I haven't tried it myself.

#!/bin/bash
# Load the NAT module (this pulls in all the others).
/sbin/modprobe iptable_nat

# Connection-tracking and NAT helpers for FTP.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# CBQ setup: mark TCP traffic to JoshuaEichorn.com so tc can put it in class 1:1.
/usr/local/sbin/iptables -I PREROUTING -t mangle -p tcp -d JoshuaEichorn.com \
    -j MARK --set-mark 1

/sbin/tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw \
    classid 1:1

# In the NAT table (-t nat), append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth1 (-o eth1) which says to
# MASQUERADE the connection (-j MASQUERADE).
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

---

Also, this matrix for ip_nat modules for 2.4 kernels & netfilter has 
some info about a PPTP MASQ module written by Brian Kuschak.
http://www.e-infomax.com/ipmasq/matrix24.html

If you only have one PPTP client behind NAT, maybe the first solution 
will work for you.  Good luck and let us know if you get it working.

-John

Rob Peacock wrote:

> Have a question for you all. Here's my situation. I have an XP laptop
> sitting on a private IP lan, going through an iptables NAT firewall,
> through the Internet to a VPN server with a public IP. 
> 
> XP Laptop  -->  Cisco 4000   -->   Firewall -->   Internet --> VPN Server
> 192.168.10.12  192.168.10.254    eth1 192.168.40.6		xx.xx.xx.xx
> 		 192.168.40.5	      eth0 xx.xx.xx.xx
> 
> The XP laptop is using M$'s built-in PPTP client. I have no choice in this,
> it's my wife's employer that insists on it, and they are willing to do zip
> to help support anyone not using a real IP directly on the 'net.
> 
> The Cisco 4000 is doing nothing but straight routing of a /24 and 3 /30
> networks.
> 
> The firewall is RH 7.2 with a custom 2.4.7-10 kernel, all networking
> support is compiled in, so no modules.
> 
> iptables is v 1.2.3
> 
> I am only using the firewall for NAT right now, there are no other rules on
> it and I can't get the GRE packets to traverse through the NAT.
> 
> I have tried to find HOW-TO's and FAQ's for this but most suggest
> recompiling the kernel with a dozen patches, and a half-dozen patches
> applied to ipchains. I would prefer to go with iptables as it has already
> been announced that ipchains will no longer be supported in kernel 2.6 and
> above. (The way things move, that'll probably mean next year.)
> 
> I can provide more info, including tcpdump traces, if needed.
> 
> Thanks all,
> 
> --->Rob
> 
> ---
> Linux RedHat: The Ultimate NT Service Pack
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 


-- 

   - John Hernandez - Network Engineer - 303-497-6392 -
  |  National Oceanic and Atmospheric Administration   |
  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
   ----------------------------------------------------
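As an added example (not the cited page's script, and not from John or Rob): a ruleset for Rob's topology that masquerades and forwards only the two flows PPTP needs, the TCP/1723 control session and the GRE tunnel (IP protocol 47), and only towards the VPN server, rather than masquerading everything that leaves the box. It assumes eth0 is the public interface and eth1 the inside one, as in Rob's diagram; the VPN server address is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the cited page, Joshua Eichorn or Rob's setup.
# Least-privilege NAT ruleset for passing ONE PPTP client through an iptables
# firewall on the topology in Rob's mail: eth0 public side, eth1 inside, LAN
# 192.168.10.0/24 behind the Cisco. Interface names and the VPN server
# address are assumptions / placeholders, not values from the page.
LAN_NET="${LAN_NET:-192.168.10.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
VPN_SERVER="${VPN_SERVER:-VPN_SERVER_PUBLIC_IP}"   # placeholder for xx.xx.xx.xx
IPT="${IPT:-/sbin/iptables}"

# PPTP is two flows: a TCP/1723 control session and a GRE tunnel (IP protocol
# 47). GRE carries no ports, so NAT can only rewrite the IP addresses; that is
# why a single client behind MASQUERADE works and a second one does not.
# Only those two flows, only to the VPN server, are masqueraded and forwarded.
pptp_nat_rules() {
    cat <<EOF
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p tcp --dport 1723 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p 47 -j MASQUERADE
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p tcp --dport 1723 -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $VPN_SERVER -p 47 -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -s $VPN_SERVER -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules (and enable forwarding, which is off by default).
pptp_nat_apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    pptp_nat_rules | sh -e
}

# Without "apply", just print the rules so they can be reviewed first.
if [ "${1:-}" = apply ]; then
    pptp_nat_apply
else
    pptp_nat_rules
fi
```

Run it with no arguments to see the rules it would install; run it as root with `apply` to install them.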
