Area de-PHPizzata  —  This area is free from PHP crapware

13 May 2009

PPTP VPN through a Linux router/firewall/NAT

Also known as: how to allow a LAN client to pass through a Linux router in order to join an external PPTP-based VPN


Suppose we have a 192.168.x.0/24 LAN; this value needs to be adjusted in the following examples.

Easiest scenario: the Firestarter firewall facility is installed, up and running; then we add Firestarter rules by simply editing the file /etc/firestarter/user-post :
# $MPB and $IPT are Firestarter's modprobe and iptables variables; $IF is the external interface.
$MPB ip_conntrack_pptp 2>/dev/null
# Filter side: let the PPTP control connection (tcp/1723) and GRE (IP protocol 47) be forwarded into the LAN.
$IPT -N pptp
$IPT -A pptp -p tcp --destination-port 1723 --dst 192.168.x.0/24 -j ACCEPT
$IPT -A pptp -p 47 --dst 192.168.x.0/24 -j ACCEPT
$IPT -I FORWARD -j pptp
# NAT side: rewrite 1723/GRE arriving on the external interface to the LAN address range.
$IPT -t nat -N pptp
$IPT -t nat -A pptp -i $IF -p tcp --dport 1723 -j DNAT --to 192.168.x.0-192.168.x.255:1723
$IPT -t nat -A pptp -i $IF -p 47 -j DNAT --to 192.168.x.0-192.168.x.255
$IPT -t nat -A PREROUTING -j pptp

OK, that's it.

If instead the firewall is defined by a user-written shell script, we add the following to that script:
# PPTP connection-tracking helper (ignore the error if the module is built in or missing).
/sbin/modprobe ip_conntrack_pptp 2>/dev/null
# Filter side: let the PPTP control connection (tcp/1723) and GRE (IP protocol 47) be forwarded into the LAN.
/sbin/iptables -N pptp
/sbin/iptables -A pptp -p tcp --destination-port 1723 --dst 192.168.x.0/24 -j ACCEPT
/sbin/iptables -A pptp -p 47 --dst 192.168.x.0/24 -j ACCEPT
/sbin/iptables -I FORWARD -j pptp
# NAT side: rewrite 1723/GRE arriving on the external interface (ppp0 here) to the LAN address range.
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i ppp0 -p tcp --dport 1723 -j DNAT --to 192.168.x.0-192.168.x.255:1723
/sbin/iptables -t nat -A pptp -i ppp0 -p 47 -j DNAT --to 192.168.x.0-192.168.x.255
/sbin/iptables -t nat -A PREROUTING -j pptp

Please note: in this case we have to change both the 192.168.x.0/24 LAN value and the actual external interface (ppp0 in our example).
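The same ruleset as the two listings above, rewritten as an added example (not the post's own script): the LAN and the external interface become checked arguments, and the commands are printed for review unless "apply" is passed, so a typo in the LAN value or interface name is caught before anything touches the firewall. The regex, the mode handling and the file name pptp-rules.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): the post's PPTP pass-through rules as a
# parameterized, input-checked function.  Default "print" mode only echoes the
# commands; "apply" mode runs them (as root).
# Usage: pptp_rules LAN_CIDR EXT_IF [print|apply]

# Accept only the 192.168.x.0/24 form the post uses (assumed restriction).
valid_lan() {
    printf '%s\n' "$1" | grep -Eq '^192\.168\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.0/24$'
}

# Interface names: short, no whitespace or shell metacharacters.
valid_iface() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,15}$'
}

# In print mode echo the command line; in apply mode execute it.
run() {
    if [ "$mode" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

pptp_rules() {
    lan=$1; ext=$2; mode=${3:-print}
    valid_lan "$lan"   || { echo "bad LAN (expected 192.168.x.0/24): $lan" >&2; return 1; }
    valid_iface "$ext" || { echo "bad interface name: $ext" >&2; return 1; }
    [ "$mode" = print ] || [ "$mode" = apply ] || { echo "mode: print|apply" >&2; return 1; }
    net=${lan%.0/24}                 # 192.168.x
    range="$net.0-$net.255"

    # Conntrack helper: nf_conntrack_pptp on current kernels, ip_conntrack_pptp on old ones.
    run modprobe nf_conntrack_pptp 2>/dev/null || run modprobe ip_conntrack_pptp 2>/dev/null || true

    # Filter side: forward PPTP control (tcp/1723) and GRE (protocol 47) into the LAN.
    run iptables -N pptp
    run iptables -A pptp -p tcp --dport 1723 -d "$lan" -j ACCEPT
    run iptables -A pptp -p 47 -d "$lan" -j ACCEPT
    run iptables -I FORWARD -j pptp

    # NAT side, as in the post.  GRE belonging to a session a LAN client started is
    # already RELATED through the helper and never reaches these rules; they rewrite
    # only unsolicited inbound 1723/GRE arriving on $ext into the LAN range.
    run iptables -t nat -N pptp
    run iptables -t nat -A pptp -i "$ext" -p tcp --dport 1723 -j DNAT --to-destination "$range:1723"
    run iptables -t nat -A pptp -i "$ext" -p 47 -j DNAT --to-destination "$range"
    run iptables -t nat -A PREROUTING -j pptp
}

# Run directly:  sh pptp-rules.sh 192.168.1.0/24 ppp0 [apply]
if [ $# -ge 2 ]; then pptp_rules "$@"; fi
```

Like the post's listings, the rules assume the pptp chains do not exist yet; running apply mode twice on the same box makes iptables complain about the duplicate chain.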


That’s All Folks!