Re: [Nolug] VPN and iptables/NAT problem solved

From: Andrew S. Johnson <andy_at_asjohnson.com>
Date: Sat, 29 Nov 2003 22:55:46 -0600
Message-Id: <200311292255.46413.andy@asjohnson.com>

On Monday 24 November 2003 09:08 am, Dustin Puryear wrote:
> Is this for PPTP? Something else?
>
> ----- Original Message -----
> From: "Andrew S. Johnson" <andy@asjohnson.com>
> To: <nolug@joeykelly.net>
> Sent: Saturday, November 22, 2003 1:54 PM
> Subject: [Nolug] VPN and iptables/NAT
>
>
> > Has anyone configured iptables/NAT to allow a windows VPN
> > client on a private subnet to talk to a VPN server on the internet
> > through a Linux box?
> >
> > It works when connected directly to the DSL modem, but I haven't
> > gotten it to work otherwise.
> >
> > Andy Johnson
> >

Turns out after talking to a few folks at corporate IT that the problem
was that my internal subnet 192.168.230.0/24 was already in use
internally at the company. So, when my DHCP server gave the
laptop they gave me an address, it thought it was already inside
the firewall, so it started trying to talk to everything using private
addresses like 10.x.x.x. I saw this using tcpdump, but I didn't know
why it was happening. There are some config files deep on the C:
drive that had the internal ranges used, so I had to use something
outside of those. I had to readdress my server, update my
dhcpd.conf, printcap, iptables, mail/access, blah blah etc to get
it to work, but after that, I didn't have to do anything special in
iptables. Just straight NAT (from iptables-save):

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to external.static.ip.address
COMMIT

It wasn't a total waste of time. I went over my iptables rules with
a fine tooth comb, so maybe they're better. The logging is better,
to be sure.

Andy Johnson

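As an added illustration of the collision described above (not code from the original post), the script below checks a LAN subnet against the private ranges a VPN client already treats as internal and picks a replacement that overlaps none of them. The corporate ranges are constructed stand-ins; the real ones from the client's config files are not in the post.

```python
"""Check a home LAN subnet against the private ranges a corporate VPN
client already treats as 'inside', and find a non-overlapping one."""
import ipaddress
from typing import Iterable, List, Optional

IPNet = ipaddress.IPv4Network

# RFC 1918 private pools, searched in order for a replacement subnet.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample data: stand-ins for the internal ranges found in the
# VPN client's config files (the real ranges are not in the post).
CORPORATE_INTERNAL = ["10.0.0.0/8", "192.168.224.0/19"]


def to_net(cidr: str) -> IPNet:
    # strict=False tolerates host bits set, e.g. "192.168.230.1/24"
    return ipaddress.ip_network(cidr, strict=False)


def colliding_ranges(lan: str, internal: Iterable[str]) -> List[str]:
    """Return every internal range that overlaps the LAN subnet.
    A non-empty result means a VPN client on this LAN will assume it is
    already inside the corporate network and never send traffic down the tunnel."""
    lan_net = to_net(lan)
    return [r for r in internal if lan_net.overlaps(to_net(r))]


def pick_free_subnet(internal: Iterable[str], prefixlen: int = 24) -> Optional[str]:
    """First RFC 1918 subnet of the given size that overlaps no internal range."""
    taken = [to_net(r) for r in internal]
    for pool_cidr in RFC1918:
        pool = to_net(pool_cidr)
        # Skip a pool the corporate side has claimed wholesale (e.g. all of 10/8).
        if any(pool.subnet_of(t) for t in taken):
            continue
        for sub in pool.subnets(new_prefix=prefixlen):
            if not any(sub.overlaps(t) for t in taken):
                return str(sub)
    return None  # every private pool is already spoken for


if __name__ == "__main__":
    lan = "192.168.230.0/24"  # the subnet from the post
    hits = colliding_ranges(lan, CORPORATE_INTERNAL)
    print(f"{lan} collides with: {hits}" if hits else f"{lan} is clear")
    print("suggested replacement:", pick_free_subnet(CORPORATE_INTERNAL))
```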
___________________
Nolug mailing list
nolug@nolug.org
Received on 11/29/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST