
Thread: IPTABLES with PPTP

  1. #1
    Join Date
    Sep 2015
    Beans
    6

    Question IPTABLES with PPTP

    Hello. Trying to set up a PPTP server; all works if I drop all tables and add only a couple of rules. But if I load my normal rules the PPTP dies. Here is the configuration that doesn't work:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1723
    ACCEPT     gre  --  anywhere             anywhere
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
    
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    TCPMSS     tcp  --  172.20.1.0/24        anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  10.8.0.0/24          anywhere
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    The code in bold I've narrowed down to what's killing things. If I drop this line, the VPN works. I'm confused because it's the LAST rule, and the TCPMSS comes in at the top. Maybe I'm just missing something altogether.
    Code I used for trying to enable the VPN is as follows:

    Code:
    iptables -I INPUT 1 -p tcp --dport 1723 -j ACCEPT
    iptables -I INPUT 2 -p gre -j ACCEPT
    iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -s 172.20.1.0/24 -j TCPMSS  --clamp-mss-to-pmtu
    This code is included in the first batch of code. The default rules (which I haven't modified since it's not working right) that load on boot are:

    Code:
    # Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:26 2013
    *security
    :INPUT ACCEPT [12776:1175563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [9582:10015269]
    COMMIT
    # Completed on Mon Jun 24 17:32:26 2013
    # Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:26 2013
    *raw
    :PREROUTING ACCEPT [12788:1179667]
    :OUTPUT ACCEPT [9582:10015269]
    COMMIT
    # Completed on Mon Jun 24 17:32:26 2013
    # Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:26 2013
    *nat
    :PREROUTING ACCEPT [329:18030]
    :INPUT ACCEPT [329:18030]
    :OUTPUT ACCEPT [159:10447]
    :POSTROUTING ACCEPT [159:10447]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Mon Jun 24 17:32:27 2013
    # Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:27 2013
    *mangle
    :PREROUTING ACCEPT [12788:1179667]
    :INPUT ACCEPT [12776:1175563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [9582:10015269]
    :POSTROUTING ACCEPT [9582:10015269]
    COMMIT
    # Completed on Mon Jun 24 17:32:27 2013
    # Generated by iptables-save v1.4.8 on Mon Jun 24 17:32:27 2013
    *filter
    :INPUT ACCEPT [755:58944]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [622:95776]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Mon Jun 24 17:32:27 2013
    Error Logs include

    Code:
    kernel: iptables denied: IN=ppp0 OUT=eth0 MAC= SRC=172.20.1.2 DST=8.8.8.8 LEN=70 TOS=
    kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91  ES=0x00 ACK URGP=0
    kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:70:98:25:84:78:ac:5a:19:41:08:00 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=65053 DF PROTO=TCP SPT=60497 DPT=80 WINDOW=693 RES=0x00 ACK URGP=0

    How can I get the PPTP to work without getting rid of the drop rule? Thanks!
    Last edited by Nick_Ellis; September 13th, 2015 at 05:58 AM.
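Added example for the post above; this is editor-written code, not the poster's rules and not from any reply. As posted, the FORWARD chain accepts RELATED,ESTABLISHED and 10.8.0.0/24 and then REJECTs everything else, the boot-time MASQUERADE covers only 10.8.0.0/24, and the first log line shows a packet from 172.20.1.2 entering on ppp0 and leaving on eth0 being denied. The POSIX shell script below emits a ruleset that gives the PPTP client range its own FORWARD accept and its own MASQUERADE entry while keeping the final REJECT, checks an iptables-save dump for such an accept ahead of the terminating rule, and classifies "iptables denied" kernel log lines by the chain that refused them. The PPTP range 172.20.1.0/24, the OpenVPN range 10.8.0.0/24 and the uplink eth0 are taken from the thread and are assumptions; the "FORWARD reject: " log prefix is made up for the example, and the sample dump and log lines are constructed test input copied from the thread.

```sh
#!/bin/sh
# pptp_fw.sh: added example for the thread above, not the poster's own rules.
# Three helpers: emit a PPTP-friendly ruleset that keeps the final FORWARD
# REJECT, check an iptables-save dump for a FORWARD accept of a subnet, and
# classify "iptables denied:" kernel log lines by the chain that refused them.
# Assumed values (taken from the thread): PPTP clients on 172.20.1.0/24,
# OpenVPN clients on 10.8.0.0/24, uplink interface eth0.
PPTP_NET="${PPTP_NET:-172.20.1.0/24}"
OVPN_NET="${OVPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the rules as commands instead of running them, so they can be read
# first and applied with:  sh pptp_fw.sh print | sudo sh
pptp_rules() {
    cat <<EOF
# INPUT: PPTP control channel (TCP 1723) and GRE data channel to this host
iptables -A INPUT -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# FORWARD: replies, then the MSS clamp (it must see the SYN before any
# terminating rule), then one explicit accept per tunnel range, then log+reject
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -s $PPTP_NET -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -i ppp+ -o $WAN_IF -s $PPTP_NET -j ACCEPT
iptables -A FORWARD -s $OVPN_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD reject: "
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
# NAT: masquerade each tunnel range, not every packet that leaves $WAN_IF
iptables -t nat -A POSTROUTING -s $PPTP_NET -o $WAN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $OVPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Does the filter FORWARD chain of an iptables-save dump (stdin) ACCEPT the
# given source subnet before a terminating REJECT/DROP?  Exit 0 = yes, 1 = no.
forward_allows() {
    awk -v net="$1" '
        /^\*/ { table = substr($0, 2) }
        table != "filter" || $1 != "-A" || $2 != "FORWARD" { next }
        $0 ~ ("-s " net " ") && / -j ACCEPT$/ { found = 1; exit }
        / -j (REJECT|DROP)/ { exit }
        END { exit found ? 0 : 1 }'
}

# Classify "iptables denied:" kernel log lines (stdin). A line with both IN=
# and OUT= set was refused while being forwarded (FORWARD chain); a line with
# OUT= empty was destined for this host (INPUT chain). Missing fields print "-".
triage_log() {
    awk '
        /iptables denied:/ {
            in_if = out_if = src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN")    in_if  = (kv[2] == "" ? "-" : kv[2])
                if (kv[1] == "OUT")   out_if = (kv[2] == "" ? "-" : kv[2])
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            chain = (out_if == "-") ? "INPUT" : "FORWARD"
            print chain, in_if "->" out_if, src, dst, proto, dpt
        }'
}

# Constructed test input: the filter table and two (trimmed) kernel log lines
# as posted in the thread; xx.xx.xx.xx is the poster's own redaction.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
COMMIT'
SAMPLE_LOG='kernel: iptables denied: IN=ppp0 OUT=eth0 MAC= SRC=172.20.1.2 DST=8.8.8.8 LEN=70 TOS=0x00
kernel: iptables denied: IN=eth0 OUT= MAC=f2:3c:91:70:98:25:84:78:ac:5a:19:41:08:00 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=40 PROTO=TCP SPT=60497 DPT=80'

# Subcommands: print | check <subnet> (iptables-save on stdin) | triage (log on stdin)
case "${1:-}" in
    print)  pptp_rules ;;
    check)  forward_allows "${2:?usage: check <subnet>}" ;;
    triage) triage_log ;;
esac
```

Typical use on the server: `iptables-save | sh pptp_fw.sh check 172.20.1.0/24` reports (by exit status) whether the live FORWARD chain lets the PPTP range through before the REJECT, and `journalctl -k | sh pptp_fw.sh triage` turns the denial lines into one row per packet with the chain that refused it. The check stops at the first REJECT or DROP on purpose: an accept placed after the terminating rule is never reached, which is why rule order, not just rule presence, is what it tests.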

  2. #2
    Join Date
    Feb 2007
    Location
    West Hills CA
    Beans
    10,044
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: IPTABLES with PPTP

    It's not obvious to me why your last rule kills your pptp connection, but I found a couple of links that explain how pptp works so that may shed some light on the rule conflict:

    http://www.smallbusinesscomputing.co...ng-Through.htm

    Depending on your router's VPN capabilities, the reverse IP translation may be failing and your REJECT forwarding rule might be the cause. I don't know what to change it to.

    What router are you using and what are its VPN and PPTP capabilities?
    -------------------------------------
    Oooh Shiny: PopularPages

    Unumquodque potest reparantur. Patientia sit virtus.

  3. #3
    Join Date
    Sep 2015
    Beans
    6

    Re: IPTABLES with PPTP

    Thanks for the time to reply.

    The VPN is hosted on Linode, so no router is involved there. The router I'm going through to connect to the Linode can connect fine to other PPTP VPNs, so I don't think that's the problem. It's an AT&T U-verse modem, which I can get the model for, but like I said, the VPN is on Linode/VPS.

  4. #4
    Join Date
    Feb 2007
    Location
    West Hills CA
    Beans
    10,044
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: IPTABLES with PPTP

    Try posting your question on the Linode forums: https://forum.linode.com/viewtopic.php?f=19&t=10617

    Try changing REJECT all to REJECT tcp and then REJECT icmp and see if your VPN works. Some generic iptables settings for Linode servers: http://feross.org/how-to-setup-your-linode/

    What distro are you running on your client machine? What distro are you running on Linode?

  5. #5
    Join Date
    Sep 2015
    Beans
    6

    Re: IPTABLES with PPTP

    Thanks, I'll give them a read. I've got several other servers set up running on it as well. Win7 and Win10 clients trying to connect to Debian Wheezy.
