Re: [Nolug] VPN and iptables/NAT

From: Brad N Bendily <brad_at_selu.edu>
Date: Sun, 23 Nov 2003 09:21:32 -0600 (CST)
Message-ID: <Pine.LNX.4.44.0311230915210.21496-100000@cliffy.selu.edu>

On Sat, 22 Nov 2003, Andrew S. Johnson wrote:

> Has anyone configured iptables/NAT to allow a windows VPN
> client on a private subnet to talk to a VPN server on the internet
> through a Linux box?
>
> It works when connected directly to the DSL modem, but I haven't
> gotten it to work otherwise.
>
> Andy Johnson

We do this at work with iptables, but not with NAT, so I don't know
if this will help, but...

You have to allow protocols 50 & 51 and UDP port 500.
Here is an example of how we have it set up, but without NAT:

# ESP (IP protocol 50), both directions
$IPT -A FORWARD -p 50 -s xxx.xxx.xxx.xxx -d xxx.xxx.xxx.xxx -j ACCEPT
$IPT -A FORWARD -p 50 -d xxx.xxx.xxx.xxx -s xxx.xxx.xxx.xxx -j ACCEPT
# AH (IP protocol 51), both directions
$IPT -A FORWARD -p 51 -s xxx.xxx.xxx.xxx -d xxx.xxx.xxx.xxx -j ACCEPT
$IPT -A FORWARD -p 51 -d xxx.xxx.xxx.xxx -s xxx.xxx.xxx.xxx -j ACCEPT

# IKE (ISAKMP) on UDP port 500, both directions
$IPT -A FORWARD -p udp -s xxx.xxx.xxx.xxx -d xxx.xxx.xxx.xxx \
    --sport 500 --dport 500 -j ACCEPT
$IPT -A FORWARD -p udp -d xxx.xxx.xxx.xxx -s xxx.xxx.xxx.xxx \
    --sport 500 --dport 500 -j ACCEPT

I'm not 100% sure about the order of these, the port 500 might have
to be above the protocols.

BB
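The same rule set carried over to the masqueraded setup the original question asks about, as an added example that is not part of the reply above. Interface names, the LAN subnet and the VPN server address are assumptions passed in as arguments; UDP 4500 (IPsec NAT-Traversal) is added on top of protocols 50/51 and UDP 500 because it is what lets ESP survive address translation. Run it with IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the original post: IPsec pass-through for a
# LAN that is masqueraded behind a Linux iptables router.  The interface
# names, LAN subnet and VPN server address are assumptions supplied as
# arguments.  Set IPT=echo to print the rules instead of applying them.

IPT="${IPT:-iptables}"

# FORWARD rules letting IPsec between the LAN (a host or a subnet) and the
# VPN server pass in both directions.
# Arguments: lan_if wan_if lan_src vpn_server
ipsec_forward_rules() {
    lan_if=$1; wan_if=$2; lan_src=$3; vpn=$4

    # ESP (IP protocol 50) and AH (IP protocol 51) carry no port numbers,
    # so the match is on protocol and addresses only.
    for proto in 50 51; do
        $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -p "$proto" \
            -s "$lan_src" -d "$vpn" -j ACCEPT
        $IPT -A FORWARD -i "$wan_if" -o "$lan_if" -p "$proto" \
            -s "$vpn" -d "$lan_src" -j ACCEPT
    done

    # IKE on UDP 500.  UDP 4500 is NAT-Traversal: a client that detects a
    # NAT on the path moves IKE to 4500 and wraps ESP in UDP, which is what
    # keeps the tunnel working through the masquerade.
    for port in 500 4500; do
        $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -p udp \
            -s "$lan_src" -d "$vpn" --dport "$port" -j ACCEPT
        $IPT -A FORWARD -i "$wan_if" -o "$lan_if" -p udp \
            -s "$vpn" -d "$lan_src" --sport "$port" -j ACCEPT
    done
}

# Source NAT for the LAN behind the router's public address.
# Arguments: wan_if lan_src
lan_masquerade_rule() {
    wan_if=$1; lan_src=$2
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$lan_src" -j MASQUERADE
}

# Apply everything when run with four arguments, e.g.
#   ./ipsec-nat.sh eth1 eth0 192.168.1.0/24 203.0.113.5
if [ "$#" -eq 4 ]; then
    lan_masquerade_rule "$2" "$3"
    ipsec_forward_rules "$1" "$2" "$3" "$4"
fi
```

Two caveats worth knowing before relying on this. Plain ESP has no ports, so connection tracking can only tell flows apart by addresses; without NAT-T, one inside host at a time can reliably reach a given VPN server through the masquerade. And these rules assume an IPsec client (the L2TP/IPsec kind); a PPTP client is a different protocol entirely and needs TCP 1723 plus IP protocol 47 (GRE) instead.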

___________________
Nolug mailing list
nolug@nolug.org
Received on 11/23/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST