
iptables and masquerading: how to allow vpnc from lan



Hi,

I am running an old computer as a router using Debian Sarge with a
2.6.10 kernel and iptables 1.2.11-10. Here is my setup:

                        CompR
                     ,-----------.
(INTERNET) -->ppp0--->eth1    eth0 ---->SWITCH--->192.168.0.0/24
                     `-----------'

CompR (which contains eth0 and eth1) is the router computer (doing NAT or
IP masquerading) running iptables and doing masquerading. ppp0, the ADSL
modem, has my external internet address given by my ISP. eth1 is
192.168.2.10 and eth0 is 192.168.0.1. My LAN is 192.168.0.0/16.

Before I set up this computer I had a D-Link router in its place with
the option of VPN enabled. At that time, a Windows machine in my LAN was
able to connect to an external VPN server (at my university) using a VPN
client (Cisco's) and was able to sustain the connection.

After I set up my router computer (and removed the D-Link router), the
Windows client can connect to the external VPN server but cannot sustain
the connection. The connection seems to be breaking multiple times every
hour. I have been trying various rules (found by searching Google) and have
this stanza relating to this in CompR's iptables rule set:
        # --- IN ---
        for VPNS in $VPN_SERVERS; do
            $IPTABLES -A INPUT -p udp -s $VPNS \
                -i $EXTIF --dport 500 -j ACCEPT
        done
        # --- OUT ---
        for VPNS in $VPN_SERVERS; do
            $IPTABLES -A OUTPUT -p udp -d $VPNS \
                -o $EXTIF --dport 500 -j ACCEPT
        done
        $IPTABLES -A FORWARD -i ${EXTIF} -p tcp --dport 500 -j ACCEPT
        $IPTABLES -A FORWARD -i ${EXTIF} -p udp --dport 500 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p udp -i ${EXTIF} \
            --dport 500 -j DNAT --to-destination 192.168.0.15:500


After the Windows client (192.168.0.15) connects, I do not see any
traffic on port 500 when I use the "iptables -nvL" command to see what is
going on in CompR. It looks like none of the above rules is accepting any
packets at all.

What am I doing wrong here? I have never dealt with this VPN situation
before. Do I need to open other ports or allow other protocols? If
somebody could shed some light on this, it would be great.

thanks,
->HS



-- 
Please remove the underscores ( the '_' symbols) from my email address
to obtain the correct one. Apologies, but the fudging is to remove spam.
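The rules quoted in the post only match UDP 500 arriving on the external interface and DNAT it to the LAN host, which is the shape of rules for hosting a VPN server, not for letting a LAN client dial out. Below is an added example (my script, not the poster's) of a stateful rule set for an outbound IPsec client on a masquerading router: it forwards IKE (UDP 500), NAT-T (UDP 4500) and ESP from one LAN host to the named VPN server(s), relies on connection tracking for the replies, and opens nothing inbound. Interface names, the client address and the server address are placeholders; the protocol/port set is the standard IPsec one that Cisco-style clients use.

```sh
#!/bin/sh
# Added example: outbound IPsec VPN client through an iptables NAT router.
# Usage: sh vpn-client-rules.sh EXTIF INTIF LAN_CLIENT VPN_SERVER [VPN_SERVER...]
# Set IPTABLES=echo in the environment for a dry run that prints the rules.
IPTABLES="${IPTABLES:-iptables}"

vpn_client_rules() {
    extif="$1"; intif="$2"; client="$3"; shift 3

    # Let the router track the client's own flows; replies from the VPN
    # server come back as ESTABLISHED/RELATED, so no inbound port or DNAT
    # towards the LAN host is needed.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    for vpns in "$@"; do
        # IKE (UDP 500) and NAT-Traversal (UDP 4500), LAN client -> server only
        "$IPTABLES" -A FORWARD -i "$intif" -o "$extif" -s "$client" -d "$vpns" \
            -p udp -m multiport --dports 500,4500 -j ACCEPT
        # ESP (IP protocol 50) carries the tunnel when NAT-T is not negotiated
        "$IPTABLES" -A FORWARD -i "$intif" -o "$extif" -s "$client" -d "$vpns" \
            -p esp -j ACCEPT
    done

    # Source NAT for everything leaving the external interface
    "$IPTABLES" -t nat -A POSTROUTING -o "$extif" -j MASQUERADE
}

# Only apply rules when invoked with arguments (e.g. from an init script).
if [ "$#" -ge 4 ]; then
    vpn_client_rules "$@"
fi
```

Because ESP has no ports, a plain MASQUERADE can only map one LAN client per VPN server at a time; NAT-T over UDP 4500 is what lets several clients share the router, so leaving 4500 open to the server matters as much as 500.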


