VPN pptp connection Unable to pass through linux iptables
- by user221844
I have set up a windows VPN server behind Linux - Ubuntu box that is working as firewall and proxy server. Now I want people from outside to be able to connect to the VPN server, but the connection is not being established and I get on the client an error 619. I have checked the problem on the internet and it seems a firewall issue.
what should I do to make the connection established through the firewall?
here is below the information about my setup
Firewall-External-IF-IP: 172.16.1.100
Firewall-LAN-IF-IP: 192.168.1.1
VPN-Server-IP: 192.168.1.10
and below is my iptables file content:
#Generated by iptables-save v1.4.12 on Thu May 29 12:40:18 2014
*filter
:INPUT ACCEPT [162000:140437619]
:FORWARD ACCEPT [23282:27196133]
:OUTPUT ACCEPT [185778:143961739]
:LOGGING - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -s 192.168.1.10/32 -p tcp -m tcp --sport 1723 -j ACCEPT
-A INPUT -s 192.168.1.10/32 -p udp -m udp --sport 1723 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -o EXT_IF -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i EXT_IF -o INT_IF -p tcp -m tcp --dport 1723 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.10/32 -i INT_IF -o EXT_IF -p tcp -m tcp --sport 1723 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i EXT_IF -o INT_IF -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.10/32 -i INT_IF -o EXT_IF -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -d 192.168.1.10/32 -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -d 192.168.1.10/32 -p udp -m udp --dport 1723 -j ACCEPT
COMMIT
# Completed on Thu May 29 12:40:18 2014
# Generated by iptables-save v1.4.12 on Thu May 29 12:40:18 2014
*nat
:PREROUTING ACCEPT [17865:1053739]
:INPUT ACCEPT [5490:357281]
:OUTPUT ACCEPT [3723:223677]
:POSTROUTING ACCEPT [3726:223870]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p gre -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i -h
-A POSTROUTING -s 192.168.1.0/24 -o EXT_IF -j MASQUERADE
COMMIT
# Completed on Thu May 29 12:40:18 2014
# Generated by iptables-save v1.4.12 on Thu May 29 12:40:18 2014
*mangle
:PREROUTING ACCEPT [22695965:17811993005]
:INPUT ACCEPT [13818180:11522330171]
:PREROUTING ACCEPT [17865:1053739]
:INPUT ACCEPT [5490:357281]
:OUTPUT ACCEPT [3723:223677]
:POSTROUTING ACCEPT [3726:223870]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p gre -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i -h
-A POSTROUTING -s 192.168.1.0/24 -o EXT_IF -j MASQUERADE
COMMIT
# Completed on Thu May 29 12:40:18 2014
# Generated by iptables-save v1.4.12 on Thu May 29 12:40:18 2014
*mangle
:PREROUTING ACCEPT [22695965:17811993005]
:INPUT ACCEPT [13818180:11522330171]
:FORWARD ACCEPT [8527694:6271564562]
:OUTPUT ACCEPT [14748508:11899678536]
:POSTROUTING ACCEPT [23271280:18170828012]
COMMIT
# Completed on Thu May 29 12:40:18 2014
hope that I find the solution here ....!! :(
