Mailing List Archive: iptables: User
Re: NAT rules for VPN only allowing one user?
gcarter at aesgi

May 30, 2007, 5:24 PM


Re: NAT rules for VPN only allowing one user?

That is correct.

Please use the latest in stream kernel for your distro, or build the
latest one from kernel.org.

-gc

Martijn Lievaart wrote:

> Neil Aggarwal wrote:
>
>> Hello:
>>
>> I have a Linux machine acting as a firewall for my
>> network. I have a couple of remote users that need
>> access to the internal network, so I put a Linksys
>> RV042 VPN Router on my internal switch.
>>
>> On the Linux box, I set these iptables rules (Line breaks
>> added for readability):
>>
>> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $ETH0_IP
>> --sport 1024: --dport 1723 -j DNAT --to $LINKSYS_VPN_IP:1723
>> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP -p
>> tcp --sport 1024: --dport 1723 -m state --state
>> NEW,ESTABLISHED -j ACCEPT
>> /sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP
>> -p tcp --dport 1723 -j SNAT --to-source $ETH1_IP
>> /sbin/iptables -t nat -A PREROUTING -p gre -i eth0 -j DNAT --to
>> $LINKSYS_VPN_IP
>> /sbin/iptables -A FORWARD -i eth0 -o eth1 -d $LINKSYS_VPN_IP -p
>> gre -j ACCEPT
>> /sbin/iptables -t nat -A POSTROUTING -o eth1 -d $LINKSYS_VPN_IP
>> -p gre -j SNAT --to-source $ETH1_IP
>> /sbin/iptables -t nat -A PREROUTING -s $LINKSYS_VPN_IP -d
>> $ETH1_IP -p gre -j ACCEPT
>> /sbin/iptables -A FORWARD -i eth1 -o eth0 -s $LINKSYS_VPN_IP -p
>> gre -j ACCEPT
>>
>> Either one of my remote users can connect to the VPN using
>> the Windows XP VPN client. But, if one of them is connected
>> and the other tries to connect, the second person gets to
>> the verifying username and password screen and then
>> gets an Error 619 that they are not able to connect.
>>
>> I think somehow the existing connection is mis-routing
>> the login for the second connection.
>>
>
>
> IIRC, for this to work a helper must be loaded to fixup the GRE
> stream. And older implementations only allowed one connection. I might
> be totally off on this one, but maybe a newer kernel will fix your
> problem.
>
> You might ask in the netfilter-devel list where there is more
> expertise on this.
>
> HTH,
> M4
>
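The fix the thread points at, as an added example that is not part of the original posts: a small rule generator that loads the PPTP conntrack/NAT helper and binds it to the TCP/1723 control channel, so each client's GRE flow is tracked as RELATED to its own call rather than needing a blanket GRE DNAT. It assumes a current kernel with nf_conntrack_pptp and nf_nat_pptp, that the internal PPTP server routes its replies back through the firewall (so the original POSTROUTING SNAT is not needed), and uses constructed interface names and addresses.

```shell
#!/bin/sh
# Added example, not from the thread: forward PPTP (TCP/1723 control channel
# plus GRE data channel) to an internal PPTP server, with the PPTP helper so
# several remote clients can share one DNAT target. Assumes nf_conntrack_pptp
# and nf_nat_pptp are available. Interfaces and addresses are placeholders.
# Set IPT to "echo /sbin/iptables" for a dry run that only prints the rules.
IPT=${IPT:-/sbin/iptables}

load_pptp_helper() {
    # nf_nat_pptp pulls in nf_conntrack_pptp and the GRE protocol trackers.
    if [ "$IPT" != "/sbin/iptables" ]; then
        echo "modprobe nf_nat_pptp"       # dry run
    else
        modprobe nf_nat_pptp
    fi
}

# Usage: pptp_forward_rules <outside if> <inside if> <outside IP> <PPTP server IP>
# $IPT is deliberately unquoted so a dry-run value of "echo /sbin/iptables" splits.
pptp_forward_rules() {
    ext=$1; int=$2; ext_ip=$3; vpn=$4
    # Kernels since 4.7 no longer attach helpers automatically: bind the pptp
    # helper to the control channel in the raw table before conntrack sees it.
    $IPT -t raw -A PREROUTING -i "$ext" -p tcp -d "$ext_ip" --dport 1723 \
        -j CT --helper pptp
    # Control channel: DNAT to the internal server and allow it through.
    $IPT -t nat -A PREROUTING -i "$ext" -p tcp -d "$ext_ip" --dport 1723 \
        -j DNAT --to-destination "$vpn:1723"
    $IPT -A FORWARD -i "$ext" -o "$int" -p tcp -d "$vpn" --dport 1723 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Data channel: the helper reads the call IDs negotiated on TCP/1723 and
    # registers an expectation per call, so each client's GRE flow is matched
    # (and NATed) as RELATED to its own control session. GRE that belongs to
    # no tracked call falls through to the FORWARD chain's policy.
    $IPT -A FORWARD -i "$ext" -o "$int" -p gre -d "$vpn" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$int" -o "$ext" -p gre -s "$vpn" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Apply for real only when invoked as: sh pptp-forward.sh apply
if [ "${1:-}" = "apply" ]; then
    load_pptp_helper
    pptp_forward_rules eth0 eth1 203.0.113.10 192.168.1.20
fi
```

After applying, `conntrack -L -p tcp --dport 1723` should list the control session with `helper=pptp`, and a second client's GRE flow shows up as its own RELATED entry instead of colliding with the first.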
