Is it possible to pass PPTP packets through 2 firewalls before
they hit the remote access server?
I installed a Netgear ProSafe VPN firewall as the first line of
defense in my network. I have since set up a Fedora Core 2 server
running Shorewall 2.1.3 and Squid in
non-transparent mode, between the Netgear unit and my network.
So, the Netgear faces the Internet with a public, static IP address.
It forwards port 1723 to the 'net' side of the FC2 server. The FC2
DNATs port 1723 to a W2K server on the local side of the FC2 server.
The Netgear LAN address is 192.168.40.100. This is connected to the
FC2 net address at 192.168.40.115. The FC2 local address is
192.168.50.215, the W2K server is at 192.168.50.201.
Here is the entry from /etc/shorewall/rules:

#ACTION    SOURCE  DEST                PROTO  DEST     SOURCE   ORIGINAL        RATE   USER/
#                                             PORT(S)  PORT(S)  DEST            LIMIT  GROUP
DNAT:info  net     loc:192.168.10.201  tcp    1723     -        192.168.20.115
Here's the entry from /etc/shorewall/rules:

#ZONE   INTERFACE   BROADCAST   OPTIONS
#
loc     eth0        -
net     eth2
Here's the log entry from a VPN attempt:

Jan 19 22:02:52 ARCProxy2 kernel: Shorewall:net_dnat:DNAT:IN=eth2 OUT= MAC=00:e0:4c:bb:91:35:00:09:5b:82:09:96:08:00 SRC=63.18.215.195 DST=192.168.20.115 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=16523 DF PROTO=TCP SPT=1708 DPT=1723 WINDOW=32768 RES=0x00 SYN URGP=0
Obviously I haven't been able to get this setup to work.
I know I'm missing something very basic here. I've looked at the FAQs and
the documentation, plus have looked at the mail list archives.
I'm using Webmin 1.170 to administer the FC2 server (ARCProxy2), but have
gotten into the configuration files directly as a last resort.
Thanks in advance,
Mark
--
Mark L. Cooper
Junction City, Ohio USA
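
Added example (editor's note, not part of Mark's post or the Shorewall project's files): a rules fragment for passing PPTP through the FC2 box. The log line quoted above shows the TCP 1723 SYN being matched in the net_dnat chain, so the PPTP control connection does reach the DNAT rule; the PPTP data tunnel itself is carried in GRE (IP protocol 47), which a tcp/1723 DNAT alone does not cover. The addresses are the ones from the rule in the post; the rule pair follows the form the Shorewall documentation gives for a PPTP server behind the firewall.

```text
# /etc/shorewall/rules  -- added example; addresses copied from the rule quoted in the post
#ACTION    SOURCE  DEST                PROTO  DEST     SOURCE   ORIGINAL
#                                             PORT(S)  PORT(S)  DEST
# PPTP control connection: TCP 1723 (the rule already present in the post)
DNAT:info  net     loc:192.168.10.201  tcp    1723     -        192.168.20.115
# PPTP data tunnel: GRE (IP protocol 47). GRE has no ports, so DEST PORT(S) is "-".
DNAT:info  net     loc:192.168.10.201  gre    -        -        192.168.20.115
```

Two checks before blaming Shorewall: first, the Netgear in front must forward GRE to the FC2 'net' address as well as TCP 1723 (port-forwarding a single TCP port does not carry protocol 47; the exact setting name on that unit is something to confirm in its documentation). Second, `tcpdump -ni eth2 ip proto 47` on ARCProxy2 during a connection attempt shows whether any GRE reaches eth2 at all; if the TCP SYN is logged but no GRE arrives, the gap is upstream of Shorewall. After editing rules, `shorewall restart` and watch the log for a second DNAT entry with PROTO=47.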