UNSUBSCRIBE
----- Original Message -----
From: "Bernhard Lukas" <bernhard.lukas@pericom.at>
To: <debian-firewall@lists.debian.org>
Sent: Wednesday, April 21, 2004 10:28 AM
Subject: Microsoft VPN behind IPTABLES firewall
> Hello,
>
> we have a company firewall (iptables, Debian 3.0/Woody, 2.4.20 Kernel)
> and a VPN server (Microsoft VPN Server, Windows 2003 Server) behind the
> firewall.
>
> The firewall is called "spiderman" and the VPN server "batman".
> Clients (using Windows) should be able to use VPN from their homes.
> The Microsoft VPN Server is configured to use PPTP.
>
> This is the scenario I want to achieve:
>
> Windows Client ----> (( INTERNET )) ----> [spiderman] ----> [batman]
> 192.168.0.1 192.168.0.3
> (firewall) (vpn server)
>
> Windows Client ===================== VPN Connection ======> [batman]
>
>
> It is possible to connect from our internal network (192.168.0.x) to VPN
> servers outside our company network, so SNAT & forwarding of GRE traffic
> seems to work properly.
>
>
> How must iptables be configured to let Microsoft clients establish a VPN
> connection? Here are excerpts from my firewall script:
>
> eth1 = external interface of firewall "spiderman" (xx.xx.xx.xx)
> eth2 = internal interface of firewall "spiderman" (192.168.0.1)
> vpn server "batman" (192.168.0.3)
>
> ----------------8<----------------8<----------------8<----------------
>
> INTIF=eth2
> EXTIF=eth1
>
> TCP_SERVICES="ssh,smtp,www,pop3,imap2,https,lotusnote,ftp,\
> ftp-data,1723,8080,81"
> TCP_SERVICES_TOEXT="ssh,smtp,www,pop3,imap2,https,domain,ftp,\
> ftp-data,nntp,1723,3048,20338,7618,8022"
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
>
> # ========= DNAT =========
>
> # do not route VPN connections coming from inside to "batman":
> iptables -t nat -A PREROUTING -i ${INTIF} -p tcp -s ! 192.168.0.0/24 \
> --dport 1723 -j DNAT --to 192.168.0.3:1723
> iptables -t nat -A PREROUTING -i ${INTIF} -p gre -s ! 192.168.0.0/24 \
> -j DNAT --to 192.168.0.3
>
> # all other VPN connections from the outside go to "batman":
> iptables -t nat -A PREROUTING -i ${EXTIF} -p tcp \
> --dport 1723 -j DNAT --to 192.168.0.3:1723
> iptables -t nat -A PREROUTING -i ${EXTIF} -p gre \
> -j DNAT --to 192.168.0.3
>
> # maybe the same as above (not sure about this):
> iptables -t nat -A PREROUTING -p gre -d xx.xx.xx.xx \
> -j DNAT --to 192.168.0.3
> iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.xx \
> --dport 1723 -j DNAT --to 192.168.0.3:1723
>
> # ========= INPUT =========
>
> iptables -P INPUT DROP
>
> # accept incoming VPN connections (not sure about this):
> iptables -A INPUT -p gre -j ACCEPT
> iptables -A INPUT -p 47 -j ACCEPT
> iptables -A INPUT -p tcp --source-port 1723 -j ACCEPT
> iptables -A INPUT -p tcp -s 0.0.0.0/0 --source-port 1723 -j ACCEPT
>
> # standard rules go here:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp \
> -m multiport --dport $TCP_SERVICES -j ACCEPT
> iptables -A INPUT -i $INTIF -m state --state NEW -j ACCEPT
> iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
>
> iptables -A INPUT -m limit -j LOG --log-prefix "## FW_I_BLOCK ## "
>
> # ========= FORWARD =========
>
> iptables -P FORWARD DROP
>
> # accept TCP connections that do not "leave" our network:
> iptables -A FORWARD -p tcp -i $INTIF -o $INTIF -j ACCEPT
>
> # forward VPN connections to our VPN server "batman":
> iptables -A FORWARD -p tcp -d 192.168.0.3 --dport 1723 -j ACCEPT
> iptables -A FORWARD -i ${INTIF} -p gre -j ACCEPT
>
> # another way of doing the above (not sure about this):
> iptables -A FORWARD -p tcp -d 192.168.0.3 --dport 1723 -j ACCEPT
> iptables -A FORWARD -p gre -d 192.168.0.3 -j ACCEPT
>
> # accept TCP connections to the outside:
> iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -p tcp \
> -m multiport --dport $TCP_SERVICES_TOEXT -j ACCEPT
>
> # accept VPN outgoing traffic:
> iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -p gre \
> -j ACCEPT
>
> # accept VPN incoming traffic (not sure about this):
> iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -p gre \
> -j ACCEPT
>
> # accept ICMP messages:
> iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -p icmp \
> -j ACCEPT
> iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -p icmp \
> -j ACCEPT
>
> # all established connections can reach the outside:
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # EMERGENCY SWITCH: do not touch this ;)
> # iptables -A FORWARD -m limit -j LOG --log-prefix "## FW_FWD_ALL ## "
> # iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> # iptables -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
>
> iptables -A FORWARD -m limit -j LOG --log-prefix "## FW_F_BLOCK ## "
>
> # ========= OUTPUT =========
>
> iptables -P OUTPUT ACCEPT
>
> # ========= SNAT =========
>
> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> ----------------8<----------------8<----------------8<----------------
>
> Any help is appreciated, many thanks in advance! I have the feeling that
> the cause of our problem is the Microsoft VPN server itself and not the
> firewall, but I'm not sure.
>
> I would also like to hear your opinion about the firewall script. I read
> the HOWTOs of Rusty Russel and also the VPN HOWTO. I am convinced that
> the 2.4.20 kernel needs no patch regarding forwarding or masquerading
> the GRE traffic (VPN connections can be established from the inside
> going to the outside and we do SNAT or masquerading at least).
>
> --
> Best regards, Bernhard Lukas
>
> Pericom Communication Consulting GmbH
> 1060 Wien, Mariahilfer Strasse 47/5/5
> Tel. 01 585 64 90 - 63
> Fax. 01 585 64 90 - 33
> Web. www.pericom.at
>
>
> --
> To email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>
>
Reply to: