iptables blocking remote VPN access

Discussion in 'Server Operation' started by dalitso, Jan 4, 2010.

  1. dalitso

    dalitso New Member

    I have reason to believe that my iptables configuration is blocking me from accessing a remote VPN server.

    I am using Ubuntu Server 8.04 set up as a gateway, and this problem was not there when I used to use the Shorewall firewall. I do most of my configuration using Webmin and a few commands here and there.

    I recently changed to iptables (Linux Firewall in Webmin) so that I can set up a transparent proxy. The transparent proxy works fine.

    Here are my iptables rules:


    Code:
      GNU nano 2.0.7                         File: /etc/iptables.up.rules                                              Modified
    
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed on Sat Dec 26 12:17:04 2009
    # Generated by iptables-save v1.3.8 on Sat Dec 26 12:17:04 2009
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j DNAT --to-destination 192.168.1.20:3128
    COMMIT
    # Completed on Sat Dec 26 12:17:04 2009
    # Generated by iptables-save v1.3.8 on Sat Dec 26 12:17:04 2009
    *raw
    :PREROUTING ACCEPT [152:16506]
    :OUTPUT ACCEPT [135:60036]
    COMMIT
    # Completed on Sat Dec 26 12:17:04 2009
    


    I get "Error 619: A connection to the remote computer could not be established, so the port for this connection was closed" in Windows XP when I try to access a remote VPN server.


    Any help sorting this problem out using the same iptables or Shorewall will be appreciated.

    By the way, I never managed to set up a transparent proxy with Shorewall.
     
  2. topdog

    topdog HowtoForge Supporter

    Your firewall is not blocking anything. All your chains have a policy of ACCEPT.
     
  3. dalitso

    dalitso New Member

    Thank you for replying. Glad to know the firewall is not responsible. So what may the problem be?
     
  4. topdog

    topdog HowtoForge Supporter

    You need to check on the remote side.
     
  5. dalitso

    dalitso New Member

    I am going to do that. It's only that when I use Shorewall on my Ubuntu server box instead of iptables, I can access the remote server, and when I connect my XP PC straight to my ADSL router, I can also access it.
     
  6. topdog

    topdog HowtoForge Supporter

    That could be because Shorewall turns on IP forwarding for you automatically. What is the output of

    Code:
    cat /proc/sys/net/ipv4/ip_forward
    If it is zero, run

    Code:
    echo "1" >> /proc/sys/net/ipv4/ip_forward
    Then test.
     
  7. dalitso

    dalitso New Member

    Code:
    cat /proc/sys/net/ipv4/ip_forward
    outputs "1"
     
  8. topdog

    topdog HowtoForge Supporter

    What's the output of
    Code:
     iptables -vnL
     
  9. dalitso

    dalitso New Member

    Code:
    root@wani:~# iptables -vnL
    Chain INPUT (policy ACCEPT 6721K packets, 6352M bytes)
     pkts bytes target     prot opt in     out     source               destination                                              
    
    Chain FORWARD (policy ACCEPT 27866 packets, 3919K bytes)
     pkts bytes target     prot opt in     out     source               destination                                              
    
    Chain OUTPUT (policy ACCEPT 6782K packets, 6590M bytes)
     pkts bytes target     prot opt in     out     source               destination   
     
  10. topdog

    topdog HowtoForge Supporter

    Sorry, use this to see the nat table:

    Code:
    iptables -t nat -vnL
     
  11. dalitso

    dalitso New Member

    Code:
    root@wani:~# iptables -t nat -vnL
    Chain PREROUTING (policy ACCEPT 4442 packets, 488K bytes)
     pkts bytes target     prot opt in     out     source               destination                                              
      602 29568 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0                                                        tcp dpt:80 to:192.168.1.20:3128
    
    Chain POSTROUTING (policy ACCEPT 3255 packets, 226K bytes)
     pkts bytes target     prot opt in     out     source               destination                                              
     7094  611K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0                                               
    
    Chain OUTPUT (policy ACCEPT 6359 packets, 434K bytes)
     pkts bytes target     prot opt in     out     source               destination    
     
  12. topdog

    topdog HowtoForge Supporter

    All seems well.
     
  13. topdog

    topdog HowtoForge Supporter

    Try loading the connection tracking modules:

    Code:
    modprobe nf_conntrack_pptp
    modprobe nf_conntrack_proto_gre
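The checks topdog walks dalitso through (ip_forward, the conntrack helpers, the FORWARD chain) bundled into one script, added here as an example rather than anything posted in the thread; each function takes its input as text so it can be run against captured output, and the nf_nat_pptp module name and the PPTP_CHECK_LIVE variable are my additions, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): report what a Linux NAT gateway is
# missing for PPTP clients (TCP/1723 plus GRE) sitting behind it. Every
# check takes its input as text, so it runs on captured output as well as
# on the live box.

# Returns 0 when the content of /proc/sys/net/ipv4/ip_forward is "1".
ip_forward_ok() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Returns 0 when all PPTP helpers appear in lsmod output: the two trackers
# loaded in the thread plus nf_nat_pptp (assumed name), the NAT-side helper
# that MASQUERADE needs to rewrite the PPTP call IDs.
helpers_loaded() {
  for m in nf_conntrack_pptp nf_conntrack_proto_gre nf_nat_pptp; do
    printf '%s\n' "$1" | grep -q "^$m[[:space:]]" || return 1
  done
  return 0
}

# Returns 0 when the filter FORWARD chain in iptables-save output passes
# PPTP: policy ACCEPT, or explicit ACCEPTs for tcp dport 1723 and GRE (47).
forward_allows_pptp() {
  filt=$(printf '%s\n' "$1" | awk '/^\*filter/{f=1;next} /^COMMIT/{f=0} f')
  printf '%s\n' "$filt" | grep -q '^:FORWARD ACCEPT' && return 0
  printf '%s\n' "$filt" | grep -q -- '-A FORWARD .*-p tcp .*--dport 1723 .*-j ACCEPT' || return 1
  printf '%s\n' "$filt" | grep -Eq -- '-A FORWARD .*-p (gre|47) .*-j ACCEPT'
}

# Prints the missing prerequisites, space separated (empty when all pass).
# $1 = ip_forward value, $2 = lsmod output, $3 = iptables-save output.
pptp_gateway_gaps() {
  gaps=""
  ip_forward_ok "$1"       || gaps="$gaps ip_forward"
  helpers_loaded "$2"      || gaps="$gaps conntrack_helpers"
  forward_allows_pptp "$3" || gaps="$gaps forward_chain"
  printf '%s' "${gaps# }"
}

# Live run (root needed for iptables-save): PPTP_CHECK_LIVE=1 sh pptp-check.sh
if [ "${PPTP_CHECK_LIVE:-0}" = "1" ]; then
  pptp_gateway_gaps "$(cat /proc/sys/net/ipv4/ip_forward)" "$(lsmod)" "$(iptables-save)"
  echo
fi
```

An empty result means the gateway side passes all three checks and, as topdog says, the remote end is the next place to look.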
     
  14. dalitso

    dalitso New Member

    Still the same. Or do I need to restart the server after loading the modules?
     
  15. dalitso

    dalitso New Member

    Some latest development: apparently a PC running Ubuntu/Linux can connect; it's the ones running Windows XP that can't.
     