# VPN/PPTP + iptables troubles

## hooliz

Hello, I'm setting up a VPN server on my Gentoo machine, and I've got some trouble with iptables, I think, because in my LAN everything works fine.

ISP modem -> GENTOO ROUTER, PPTPD, DHCPD (eth1 WAN, eth0 LAN) -> LAN CLIENTS

iptables script:

> ```
> #!/bin/bash
> 
> IPTABLES="/sbin/iptables"
> ...
> ```

pptpd.conf

> ```
> option /etc/ppp/options.pptpd
> 
> #noipparam
> ...
> ```

I can't get my VPN connection working from outside, need your help, ppl. Thanks in advance.

----------

## hooliz

Anyone? :Confused:

----------

## Hu

 *hooliz wrote:*   

> i can't get my VPN connection from outside

 Please elaborate.  Do you mean that external clients send traffic to you, which you see arrive, but no response is sent to them?

----------

## hooliz

Yes, if I enable iptables logging I can see lots of stuff in kernel.log but still can't connect to the VPN server.

----------

## chiefbag

1: Do you have a static WAN ip address?

2: Is your router in bridged mode?

----------

## hooliz

Yes, my WAN has a static IP address; no, it is not in bridged mode.

As I said, I have 2 network cards: eth1 is the WAN interface, eth0 is the LAN interface.

dhcpd works on eth0 and gives local IP addresses to my LAN.

----------

## chiefbag

I think you will need to put the router in bridge mode so that your eth1 card has your public IP address; otherwise you are just getting a private IP address assigned from your router on the eth1 card, which will be no good to you if you wish to set up a VPN.

Do you see your public IP address when you do ifconfig eth1?

----------

## hooliz

In fact I don't think that I should change the routing mode, because routing won't work for my LAN clients; now it works fine. The only problem is that I cannot connect to the VPN server from external nets, and I think that the main problem lies in the iptables configuration, not the network configs...

Anyway, attaching ifconfig ....

> ```
> eth0      Link encap:Ethernet  HWaddr 00:50:04:35:43:f9
>           inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
> ...
> ```

----------

## chiefbag

Looks like your public IP is locked on to your eth1 alright.

Just make sure that there is no firewall enabled on your router.

Have a look at this Gentoo forum post, as there are good examples of the iptables rules you will need.

https://forums.gentoo.org/viewtopic-t-470858-start-0.html

----------

## Hu

 *hooliz wrote:*   

> Yes, if I enable iptables logging I can see lots of stuff in kernel.log but still can't connect to the VPN server.

 Please show a sample of the traffic which you believe should be allowed.

 *hooliz wrote:*   

> ```
> iptables -t nat -A PREROUTING -p gre  -i ${EXT_NIC} -j DNAT --to 192.168.2.1
> ...
> ```

 Why are these here?  If you want the system to accept the traffic locally, you should not DNAT it.  Additionally, using DNAT to send it to your own internal address is rarely necessary.

 *hooliz wrote:*   

> ```
> localip 192.168.2.1
> ...
> ```

 Why have you told the pptpd to listen on the internal IP address if you want to accept connections on the external IP address?

----------

## hooliz

The main problem could lie in here:

that my PPTPD listens on the internal interface and not the external one. Should I change my pptpd.conf like this?

> ```
> localip external IP???
> remoteip 192.168.2.20-29
> ...
> ```

That is why I'm trying to redirect all traffic with NAT.

Setting up the external IP in the localip setting doesn't work either.

----------

## Hu

Yes, you should listen on the interface on which traffic actually arrives.  This is much simpler than using rewrites in the NAT code.

You say it still does not work.  Could you clarify in what way it fails?
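As an added example (not code from the thread or from either poster), here is how the change Hu describes looks in iptables terms: PPTP's control channel (TCP 1723) and the GRE tunnel (IP protocol 47) are accepted by the router itself in INPUT on the WAN interface, with no DNAT. It assumes eth1 is the WAN side and eth0 the LAN side as in the original post, and that pptpd's tunnels come up as ppp+ interfaces; a second function scans an `iptables-save -c` dump for the self-DNAT rules Hu questioned.

```bash
#!/bin/bash
# Added example: PPTP accepted locally on the WAN interface instead of DNAT.
# Assumptions: WAN is eth1, LAN is eth0, pptpd tunnels appear as ppp+.
EXT_NIC="${EXT_NIC:-eth1}"
LAN_NIC="${LAN_NIC:-eth0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = apply them with iptables

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# The router is the PPTP endpoint, so both halves of PPTP must be accepted in
# INPUT (traffic for the router itself), not rewritten in nat/PREROUTING.
pptp_input_rules() {
    run -A INPUT -i "$EXT_NIC" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # control channel
    run -A INPUT -i "$EXT_NIC" -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
    # tunnel payload: GRE, IP protocol 47 (no ports, so no --dport here)
    run -A INPUT -i "$EXT_NIC" -p gre -j ACCEPT
    # let authenticated VPN clients (ppp+) reach the LAN and get replies back
    run -A FORWARD -i ppp+ -o "$LAN_NIC" -j ACCEPT
    run -A FORWARD -i "$LAN_NIC" -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check an `iptables-save -c` dump for the mistake discussed above: PPTP or GRE
# arriving on the WAN interface being DNATed to the router's own address.
# Prints each offending rule and returns 1 if any were found, 0 otherwise.
find_self_dnat() {   # usage: find_self_dnat <iptables-save-dump> <router-ip>
    ! grep -E -- "-A PREROUTING .*-i $EXT_NIC " "$1" \
        | grep -E -- "(-p (gre|47)|--dport 1723)" \
        | grep -E -- "-j DNAT --to(-destination)? $2( |$)"
}
```

Run with `DRY_RUN=1` (the default) to review the rules before applying them; `find_self_dnat /tmp/rules.txt 192.168.2.1` flags the PREROUTING DNAT lines that should be removed.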

----------

## Simba7

I use OpenVPN for this, and it functions quite well. I have 3 remote systems/routers connected and all the clients can talk to each other.

----------

## hooliz

I think I'll have to give it a try if I don't find a solution.

Snippet from my kernel.log:

> ```
> Nov 14 19:07:48 [kernel] IN=eth1 OUT= MAC=00:11:11:9c:36:a3:00:d0:b7:53:7b:d6:08:00 SRC=7XX.1XX.2XX.5XX DST=EXTERNAL IP LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=11327 DF PROTO=TCP SPT=64362 DPT=22 WINDOW=4164 RES=0x00 ACK PSH URGP=0
> ```

----------

## Hu

 *hooliz wrote:*   

> Snippet from my kernel.log:
> 
> ```
> Nov 14 19:07:48 [kernel] IN=eth1 OUT= MAC=00:11:11:9c:36:a3:00:d0:b7:53:7b:d6:08:00 SRC=7XX.1XX.2XX.5XX DST=EXTERNAL IP LEN=92 TOS=0x00 PREC=0x00 TTL=120 ID=11327 DF PROTO=TCP SPT=64362 DPT=22 WINDOW=4164 RES=0x00 ACK PSH URGP=0
> ```

 Your posted iptables script is inconsistent with the rules you are actually using.  The script as shown should have allowed this.  Also, the script you showed does not have any logging capability, so this snippet could not be generated by it.  Please post the output of iptables-save -c so we can see the rules you are actually using.

----------

## hooliz

Well, actually you're right about logging, because I don't use it normally; I just enabled logging for a couple of minutes and then disabled it, just to show what's going on in my kernel.log. Also, I've cut other parts of the firewall script just to show the ports needed for PPTPD, but I won't cut them from the file posted below.

Posting iptables-save -c: as it spits out loads of stuff, I'll just paste it in a file ...

http://p.defau.lt/?YSKJNvZhCo3rKMFfBOKwXw

I suspect that it generates much more stuff than I expect. Anyway, waiting for your answer.

----------

## hooliz

Hu, or anyone? :Question:

----------

## Simba7

 *hooliz wrote:*   

> Well, actually you're right about logging, because I don't use it normally; I just enabled logging for a couple of minutes and then disabled it, just to show what's going on in my kernel.log. Also, I've cut other parts of the firewall script just to show the ports needed for PPTPD, but I won't cut them from the file posted below.
> 
> Posting iptables-save -c: as it spits out loads of stuff, I'll just paste it in a file ...
> 
> http://p.defau.lt/?YSKJNvZhCo3rKMFfBOKwXw
> ...

All I can say is "Holy Crap!"

My iptables config is not EVEN that large. At most it's 1 page. What the heck did you use to configure it?

----------

## hooliz

The script above. :Smile:

----------

