Microsoft VPN behind IPTABLES firewall
Hello,
we have a company firewall (iptables, Debian 3.0/Woody, 2.4.20 Kernel)
and a VPN server (Microsoft VPN Server, Windows 2003 Server) behind the
firewall.
The firewall is called "spiderman" and the VPN server "batman".
Clients (using Windows) should be able to use VPN from their homes.
The Microsoft VPN Server is configured to use PPTP.
This is the scenario I want to achieve:
Windows Client ----> (( INTERNET )) ----> [spiderman] ----> [batman]
192.168.0.1 192.168.0.3
(firewall) (vpn server)
Windows Client ===================== VPN Connection ======> [batman]
It is possible to connect from our internal network (192.168.0.x) to VPN
servers outside our company network, so SNAT & forwarding of GRE traffic
seems to work properly.
How must iptables be configured to let Microsoft clients establish a VPN
connection? Here are excerpts from my firewall script:
eth1 = external interface of firewall "spiderman" (xx.xx.xx.xx)
eth2 = internal interface of firewall "spiderman" (192.168.0.1)
vpn server "batman" (192.168.0.3)
----------------8<----------------8<----------------8<----------------
INTIF=eth2
EXTIF=eth1
TCP_SERVICES="ssh,smtp,www,pop3,imap2,https,lotusnote,ftp,\
ftp-data,1723,8080,81"
TCP_SERVICES_TOEXT="ssh,smtp,www,pop3,imap2,https,domain,ftp,\
ftp-data,nntp,1723,3048,20338,7618,8022"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# ========= DNAT =========
# do not route VPN connections coming from inside to "batman":
iptables -t nat -A PREROUTING -i ${INTIF} -p tcp -s ! 192.168.0.0/24 \
--dport 1723 -j DNAT --to 192.168.0.3:1723
iptables -t nat -A PREROUTING -i ${INTIF} -p gre -s ! 192.168.0.0/24 \
-j DNAT --to 192.168.0.3
# all other VPN connections from the outside go to "batman":
iptables -t nat -A PREROUTING -i ${EXTIF} -p tcp \
--dport 1723 -j DNAT --to 192.168.0.3:1723
iptables -t nat -A PREROUTING -i ${EXTIF} -p gre \
-j DNAT --to 192.168.0.3
# maybe the same as above (not sure about this):
iptables -t nat -A PREROUTING -p gre -d xx.xx.xx.xx \
-j DNAT --to 192.168.0.3
iptables -t nat -A PREROUTING -p tcp -d xx.xx.xx.xx \
--dport 1723 -j DNAT --to 192.168.0.3:1723
# ========= INPUT =========
iptables -P INPUT DROP
# accept incoming VPN connections (not sure about this):
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A INPUT -p tcp --source-port 1723 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --source-port 1723 -j ACCEPT
# standard rules go here:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp \
-m multiport --dport $TCP_SERVICES -j ACCEPT
iptables -A INPUT -i $INTIF -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit -j LOG --log-prefix "## FW_I_BLOCK ## "
# ========= FORWARD =========
iptables -P FORWARD DROP
# accept TCP connections that do not "leave" our network:
iptables -A FORWARD -p tcp -i $INTIF -o $INTIF -j ACCEPT
# forward VPN connections to our VPN server "batman":
iptables -A FORWARD -p tcp -d 192.168.0.3 --dport 1723 -j ACCEPT
iptables -A FORWARD -i ${INTIF} -p gre -j ACCEPT
# another way of doing the above (not sure about this):
iptables -A FORWARD -p tcp -d 192.168.0.3 --dport 1723 -j ACCEPT
iptables -A FORWARD -p gre -d 192.168.0.3 -j ACCEPT
# accept TCP connections to the outside:
iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -p tcp \
-m multiport --dport $TCP_SERVICES_TOEXT -j ACCEPT
# accept VPN outgoing traffic:
iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -p gre \
-j ACCEPT
# accept VPN incoming traffic (not sure about this):
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -p gre \
-j ACCEPT
# accept ICMP messages:
iptables -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -p icmp \
-j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -p icmp \
-j ACCEPT
# all established connections can reach the outside:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# EMERGENCY SWITCH: do not touch this ;)
# iptables -A FORWARD -m limit -j LOG --log-prefix "## FW_FWD_ALL ## "
# iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# iptables -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
iptables -A FORWARD -m limit -j LOG --log-prefix "## FW_F_BLOCK ## "
# ========= OUTPUT =========
iptables -P OUTPUT ACCEPT
# ========= SNAT =========
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
----------------8<----------------8<----------------8<----------------
Any help is appreciated, many thanks in advance! I have the feeling that
the cause of our problem is the Microsoft VPN server itself and not the
firewall, but I'm not sure.
I would also like to hear your opinion about the firewall script. I read
the HOWTOs of Rusty Russel and also the VPN HOWTO. I am convinced that
the 2.4.20 kernel needs no patch regarding forwarding or masquerading
the GRE traffic (VPN connections can be established from the inside
going to the outside and we do SNAT or masquerading at least).
--
Best regards, Bernhard Lukas
Pericom Communication Consulting GmbH
1060 Wien, Mariahilfer Strasse 47/5/5
Tel. 01 585 64 90 - 63
Fax. 01 585 64 90 - 33
Web. www.pericom.at
Reply to: