A few months back, I decided to turn my server machine into a gateway for my network. The system has two NICs and is configured to connect to my DSL provider through one of them. I wrote an iptables script to configure forwarding so hosts on my LAN could access the internet, and to poke holes to allow me to connect to my machine remotely. It all worked fine: other PCs on my network could access the internet, and everything worked (MSN, AIM, Skype etc.). I wanted a better setup than a bog-standard home router could do, without spending the money on expensive Cisco gear, which would be overkill. The only problem is that PPTP was not working.
My dad uses PPTP (the built-in Windows VPN client) to connect to his company network, and it works fine through the bog-standard home router I have, but it won't work when connecting through my gateway machine. This means I have to stick with the old setup so that he can still connect in when he needs to, and it means I can't have my gateway machine do what I want, including auto-scanning downloads for viruses using a transparent proxy.
I wiped the machine clean and installed Ubuntu Server 8.04 using kernel 2.6.24-19-server 64-bit. I configured the machine to connect to the DSL provider and used the same iptables script I had used before under Debian.
I had tried seeking support for the problem on an Irish site (boards.ie), as well as Experts Exchange and also on Debian's forums and mailing list, and I got none. It was a friend of mine who told me that Ubuntu offers better support, and since it's Debian-based, the system would be familiar to me, which is why I reinstalled it.
My iptables script is as follows:
Code:
#!/bin/sh
#
# Firewall & Gateway Script v0.3
#
# Delete Existing Rules
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
#
# GREEN LAYER - Always Accept (Trusted Stuff)
#
# Always Accept Loopback Traffic
#
iptables -A INPUT -i lo -j ACCEPT
# Always Accept LAN Traffic from our Network
# We might remove this later, so we can restrict outgoing traffic..
#
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
#
# BLUE LAYER - Logging..
# These sit before the ACCEPT rules below, so every forwarded packet, and every
# packet to the gateway that did not already match loopback/LAN, is logged
# with no rate limit (useful for debugging, noisy on a busy link)
#
iptables -A FORWARD -j LOG --log-prefix "IPTF: "
iptables -A INPUT -j LOG --log-prefix "IPTI: "
#
# YELLOW LAYER - Configure our Gateway
#
# PPTP Forward/Passthrough (GRE is IP protocol 47 and has no ports)
#
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -p gre -j ACCEPT
# Allow Established Connections
# RELATED only covers a PPTP client's GRE stream when the PPTP conntrack helper
# is loaded; GRE is accepted outright above, so this matters for NAT, not filtering
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Outgoing to the Internet
#
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
# Enable NAT Masquerade
#
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Transparent Proxy Redirect (disabled for now)
# Negation goes before the option ("! -d"); the older "-d !" form is deprecated
#
#iptables -t nat -A PREROUTING -i eth0 ! -d 192.168.0.254 -p tcp --dport 80 -j DNAT --to 192.168.0.254:3128
#
# ORANGE LAYER - Poke Holes for Services
#
# Allow HTTP
#
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
# Allow Restricted Access to SSH
# Record every new SSH connection per source; drop a source that opens 3 or
# more new connections within 60 seconds, otherwise accept
#
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# RED LAYER - Drop Everything like a Hot Potato
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Enable Forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward

I searched Google for information on PPTP forwarding through NAT, and a lot of what I found pertains to v2.4 of the kernel and the modules ip_nat_proto_gre and ip_conntrack_proto_gre.
I had found threads here on the matter, but they suggested no problems with using PPTP over an iptables NAT. They don't tell me much beyond that, and I am stuck on this issue, having found no useful help or advice anywhere else.
I tried loading the ip_nat_pptp and ip_conntrack_pptp modules, which loads a few others including nf_conntrack_proto_gre and nf_nat_proto_gre. I don't know if they are newer versions of the older ip_nat_proto_gre/ip_conntrack_proto_gre modules or not. I have also read that GRE/PPTP support is broken in kernel 2.6.
I have only one physical machine that I can use as a gateway, and it also operates as a file/print and DNS server for my home network (the latter because my ISP's DNS servers are flaky, and OpenDNS caused me problems).
I tried connecting both before and after loading the ip_nat_pptp/ip_conntrack_pptp modules, with no success. I also tried re-running the firewall script afterwards. I have watched the logs while I tried to connect, and connections were established on TCP port 1723, but no GRE connections were established (or logged), not even attempted. It's like there is no support for it, and I am honestly at a loss and desperate for help on this issue. If I can't fix it, I will just have to stick with my home router, or install a dedicated distribution like IPCop, SmoothWall or ClarkConnect and install Samba and BIND on top of that... not an ideal situation.
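An added example, written for this thread and not the poster's script or anything from the replies: it prints the netfilter pieces a PPTP client behind NAT actually depends on (the GRE conntrack/NAT protocol modules and the pptp helper that ties a GRE call to its TCP/1723 control channel), and it audits the gateway's own "IPTF: " log lines to tell a client that never sends GRE apart from GRE that leaves and gets no reply, which is the distinction the last paragraph turns on. The interface names, LAN range and log prefix are taken from the script above. The `-j CT --helper pptp` line is for kernels 3.5 and later, where helpers are no longer attached automatically, and assumes an iptables with the CT target; on a 2.6.24 kernel that one line fails and can be dropped. The log lines embedded in it are constructed, not from anyone's machine.

```shell
#!/bin/sh
# pptp-passthrough.sh - added example for this thread, not the poster's script.
# Two jobs: print the netfilter pieces a PPTP client behind NAT needs, and audit
# an iptables LOG excerpt to see whether the GRE leg of the VPN ever shows up.
# Interface names and LAN range below are assumptions taken from the post.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Print the commands rather than run them, so they can be reviewed first:
#   sh pptp-passthrough.sh rules | sudo sh
pptp_rules() {
    cat <<EOF
# GRE connection tracking and NAT, plus the PPTP helper that ties each GRE
# call to its TCP/1723 control channel (module names as of kernel 2.6.24)
modprobe nf_conntrack_proto_gre
modprobe nf_nat_proto_gre
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
# Kernels 3.5+ no longer attach helpers automatically: pin the pptp helper to
# the control channel (needs the CT target; fails harmlessly on 2.6.24)
iptables -t raw -A PREROUTING -i $LAN_IF -p tcp --dport 1723 -j CT --helper pptp
# Control channel out from the LAN; with the helper loaded the GRE stream in
# both directions is RELATED, so no blanket "-p gre -j ACCEPT" is needed
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Audit "IPTF: " FORWARD log lines. GRE has no ports, so ipt_LOG prints it as
# PROTO=47; the control channel is PROTO=TCP with port 1723 on one side.
# Usage: gre_check /var/log/kern.log   (or feed lines on stdin)
gre_check() {
    awk -v lan="$LAN_IF" -v wan="$WAN_IF" '
        /IPTF: / && /PROTO=TCP/ && (/DPT=1723/ || /SPT=1723/) { ctl++ }
        /IPTF: / && /PROTO=47/ && $0 ~ ("IN=" lan " ")       { gre_out++ }
        /IPTF: / && /PROTO=47/ && $0 ~ ("IN=" wan " ")       { gre_in++ }
        END {
            printf "control=%d gre_out=%d gre_in=%d\n", ctl, gre_out, gre_in
            if (!ctl)          print "verdict: no PPTP traffic in this excerpt"
            else if (!gre_out) print "verdict: control channel only, client never sent GRE"
            else if (!gre_in)  print "verdict: GRE went out but nothing came back (check helper/NAT modules and upstream)"
            else               print "verdict: GRE flows both ways"
        }' "$@"
}

# Constructed sample (not real logs): PPTP SYN out, SYN/ACK back, one DNS query
# that must be ignored, and a single GRE packet out with no reply.
SAMPLE_LOG='Jul 12 10:00:01 gw kernel: IPTF: IN=eth0 OUT=ppp0 SRC=192.168.0.10 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=1050 DPT=1723 SYN
Jul 12 10:00:01 gw kernel: IPTF: IN=ppp0 OUT=eth0 SRC=203.0.113.5 DST=192.168.0.10 LEN=52 PROTO=TCP SPT=1723 DPT=1050 ACK SYN
Jul 12 10:00:02 gw kernel: IPTF: IN=eth0 OUT=ppp0 SRC=192.168.0.10 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=1051 DPT=53
Jul 12 10:00:03 gw kernel: IPTF: IN=eth0 OUT=ppp0 SRC=192.168.0.10 DST=203.0.113.5 LEN=60 PROTO=47'

demo() {
    printf '%s\n' "$SAMPLE_LOG" | gre_check
}

case "${1:-}" in
    rules) pptp_rules ;;
    check) shift; gre_check "$@" ;;
    demo)  demo ;;
esac
```

Run it as `sh pptp-passthrough.sh demo` to see the audit on the constructed lines, or `sh pptp-passthrough.sh check /var/log/kern.log` against a real attempt; because the poster's script logs every FORWARD packet before any ACCEPT, both directions of the GRE stream would appear there if they reached the gateway at all.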