On 18/05/05 15:23 H. S. wrote:
Hi,

I am running an old computer as a router using Debian Sarge with kernel
2.6.10 and iptables 1.2.11-10. Here is my setup:

                        CompR
                     ,-----------.
(INTERNET) -->ppp0--->eth1    eth0 ---->SWITCH--->192.168.0.0/24
                     `-----------'

CompR (which contains eth0 and eth1) is the router computer (doing NAT or
IP masquerading) running iptables and doing masquerading. ppp0, the ADSL
modem, has my external internet address given by my ISP. eth1 is
192.168.2.10 and eth0 is 192.168.0.1. My LAN is 192.168.0.0/16.

Before I set up this computer I had a D-Link router in its place with
the option of VPN enabled. At that time, a Windows machine in my LAN was
able to connect to an external VPN server (at my university) using a VPN
client (Cisco's) and was able to sustain the connection.

After I set up my router computer (and removed the D-Link router), the
Windows client can connect to the external VPN server but cannot sustain
the connection. The connection seems to be breaking multiple times every
hour. I have been trying various rules (searched from google) and have
this stanza relating to this in CompR's iptables rules set:
        # --- IN ---
        for VPNS in $VPN_SERVERS; do
            $IPTABLES -A INPUT -p udp -s $VPNS \
                -i $EXTIF --dport 500 -j ACCEPT
        done
        # --- OUT ---
        for VPNS in $VPN_SERVERS; do
            $IPTABLES -A OUTPUT -p udp -d $VPNS \
                -o $EXTIF --dport 500 -j ACCEPT
        done
        $IPTABLES -A FORWARD -i ${EXTIF} -p tcp --dport 500 -j ACCEPT
        $IPTABLES -A FORWARD -i ${EXTIF} -p udp --dport 500 -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p udp -i ${EXTIF} \
           --dport 500 -j DNAT --to-destination 192.168.0.15:500


After the Windows client (192.168.0.15) connects, I do not see any traffic on port 500 when I use the "iptables -nvL" command to see what is going on in CompR. Looks like none of the above rules is accepting any packets at all.

Dunno much about iptables even though I run it in the same setup as yourself. But you can find out what is happening to your AWOL packets in the output of that command by seeing which chain is dropping them all.


Also check out your nat chains with iptables -t nat -nvL

Adam


-- Linux 2.6.11 Debian
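Adam's counter check above, worked as an added example that is not part of the thread: a POSIX shell script that parses constructed `iptables -nvL`-style output (not real output from the poster's router) and reports which chain policies are dropping packets and how many packets any rule for a given port has matched, so zero hits on the port 500 rules next to a climbing FORWARD policy drop count can be read at a glance.

```shell
#!/bin/sh
# Added example: read `iptables -nvL` counters to find where packets go.
# SAMPLE is CONSTRUCTED for this example; on a real box pipe in
# `iptables -nvxL` (-x prints exact counters instead of 12K-style units).
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  ppp0   *       203.0.113.7          0.0.0.0/0            udp dpt:500

Chain FORWARD (policy DROP 412 packets, 61344 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
 1823 2318920 ACCEPT     all  --  eth0   ppp0    192.168.0.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 9021 packets, 1320011 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            203.0.113.7          udp dpt:500
  311 21420 ACCEPT     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# Print "<chain> <policy> <packets>" for every built-in chain whose default
# policy is not ACCEPT; a non-zero count means packets fell through every rule.
policy_drops() {
    printf '%s\n' "$1" | awk '/^Chain / && $3 == "(policy" && $4 != "ACCEPT" {
        gsub(/[(),]/, ""); print $2, $4, $5 }'
}

# Sum the packet counters of every rule (any chain) matching "dpt:<port>".
# Zero here while the VPN client is talking means the rules never see it.
port_hits() {
    printf '%s\n' "$1" | awk -v p="dpt:$2" '$0 ~ p { n += $1 } END { print n + 0 }'
}

echo "chains dropping by policy:"
policy_drops "$SAMPLE"
echo "packets matched by port-500 rules: $(port_hits "$SAMPLE" 500)"
```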

