[lug] iptables/PPTP VPN question...

John Hernandez John.Hernandez at noaa.gov
Tue Mar 12 10:01:10 MST 2002

The following excerpt is taken from 


Masquerading a single [PPTP] VPN client using IPtables is fairly simple 
to set up, and requires no special patches. The following is thanks to 
Joshua Eichorn <jeichorn at JoshuaEichorn.com>. I haven't tried it myself.

# Load the NAT module (this pulls in all the others). Skip the modprobe
# lines if netfilter is compiled into the kernel rather than built as modules.
/sbin/modprobe iptable_nat

# FTP connection-tracking and NAT helpers; not needed for PPTP, harmless to load.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# CBQ setup: mark traffic to JoshuaEichorn.com so tc can classify it
# (traffic shaping, unrelated to getting PPTP through the NAT).
/usr/local/sbin/iptables -I PREROUTING -t mangle -p tcp -d JoshuaEichorn.com -j MARK --set-mark 1

/sbin/tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1

# In the NAT table (-t nat), append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth1 (-o eth1) which says to
# MASQUERADE the connection (-j MASQUERADE).
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


Also, this matrix for ip_nat modules for 2.4 kernels & netfilter has 
some info about a PPTP MASQ module written by Brian Kuschak.

If you only have one PPTP client behind NAT, maybe the first solution 
will work for you.  Good luck and let us know if you get it working.


Rob Peacock wrote:

> Have a question for you all. Here's my situation. I have an XP laptop
> sitting on a private IP lan, going through an iptables NAT firewall,
> through the Internet to a VPN server with a public IP. 
> XP Laptop  -->  Cisco 4000   -->   Firewall -->   Internet --> VPN Server
>    eth1		xx.xx.xx.xx
>	      eth0 xx.xx.xx.xx
> The XP laptop is using M$'s built-in PPTP client. I have no choice in this,
> it's my wife's employer that insists on it, and they are willing to do zip
> to help support anyone not using a real IP directly on the 'net.
> The Cisco 4000 is doing nothing but straight routing of a /24 and 3 /30
> networks.
> The firewall is RH 7.2 with a custom 2.4.7-10 kernel, all networking
> support is compiled in, so no modules.
> iptables is v 1.2.3
> I am only using the firewall for NAT right now, there are no other rules on
> it and I can't get the GRE packets to traverse through the NAT.
> I have tried to find HOW-TO's and FAQ's for this but most suggest
> recompiling the kernel with a dozen patches, and a half-dozen patches
> applied to ipchains. I would prefer to go with iptables as it has already
> been announced that ipchains will no longer be supported in kernel 2.6 and
> above. (The way things move, that'll probably mean next year.)
> I can provide more info, including tcpdump traces, if needed.
> Thanks all,
> --->Rob
> ---
> Linux RedHat: The Ultimate NT Service Pack
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug


   - John Hernandez - Network Engineer - 303-497-6392 -
  |  National Oceanic and Atmospheric Administration   |
  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
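An added example, not from the original post and not Joshua Eichorn's recipe: the rule set I would put on a 2.4-era iptables box for the single-client case above. It goes beyond the quoted recipe in two ways: it matches the GRE tunnel (IP protocol 47) explicitly instead of relying on an all-ACCEPT FORWARD chain, and it restricts the tunnel to one LAN client and one VPN server. The interface names, the 192.168.1.0/24 LAN, the 192.168.1.10 client and the 203.0.113.5 server address are all assumptions; the script prints the rules by default and only applies them when run as root with IPT=/sbin/iptables.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed topology: LAN on eth0
# (192.168.1.0/24), Internet on eth1, one Windows PPTP client at 192.168.1.10,
# employer's PPTP server at 203.0.113.5 (RFC 5737 documentation address).
# IPT defaults to "echo" so the rules are printed; set IPT=/sbin/iptables
# and run as root to apply them.
IPT=${IPT:-echo}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PPTP_CLIENT=${PPTP_CLIENT:-192.168.1.10}
PPTP_SERVER=${PPTP_SERVER:-203.0.113.5}

pptp_nat_rules() {
    # PPTP is two flows: the TCP/1723 control connection and the GRE
    # (IP protocol 47) tunnel that carries the PPP frames. GRE has no ports,
    # so it is matched by protocol number (47 rather than the name "gre",
    # so the rule does not depend on /etc/protocols).
    #
    # Stock netfilter without a PPTP helper NATs GRE as an "unknown"
    # protocol: it rewrites the IP addresses and nothing else. That is enough
    # for exactly one client behind the box; two clients calling the same
    # server produce GRE streams the firewall cannot tell apart.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # FORWARD rules written out explicitly so a later DROP policy does not
    # silently kill the tunnel. Limited to the one client and the one server.
    # Inbound replies are un-NATed in PREROUTING, so FORWARD sees the
    # private client address as the destination.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PPTP_CLIENT" -d "$PPTP_SERVER" -p tcp --dport 1723 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$PPTP_SERVER" -d "$PPTP_CLIENT" -p tcp --sport 1723 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PPTP_CLIENT" -d "$PPTP_SERVER" -p 47 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$PPTP_SERVER" -d "$PPTP_CLIENT" -p 47 -j ACCEPT
}

enable_forwarding() {
    # Forwarding is off by default; without it the FORWARD chain is never consulted.
    if [ "$IPT" = echo ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

pptp_nat_rules
enable_forwarding
```

To check it on the box: `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` should show the packet counters on both the TCP/1723 and the protocol-47 rules climbing while the client dials, and `tcpdump -n -i eth1 proto 47` on the outside interface should show GRE in both directions with the firewall's public address as the inside endpoint. If only the TCP/1723 counters move, the control channel is up but the tunnel is not being forwarded. A second PPTP client on the LAN is the point where this stops working and the PPTP conntrack/NAT helper mentioned above becomes necessary.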
