Bharath S. Narayan
2003-Jul-16 13:46 UTC
[Shorewall-users] Port Forwarding help on Shorewall 1.45 with RH9.0 Kernel 2.4.20-19.8
Hello,

I am posting my question here again as I had not got any replies. Any takers to help me out? I am trying to allow external users to use a VPN server behind the firewall.

Thanks. Here is the original posting.

Sincerely,
Bharath

-----Original Message-----
From: shorewall-users-bounces+bnarayan=raidworks.com@lists.shorewall.net [mailto:shorewall-users-bounces+bnarayan=raidworks.com@lists.shorewall.net] On Behalf Of Bharath Sankaranarayan
Sent: Friday, July 11, 2003 11:02 AM
To: Shorewall_list

Hi,

Firewall configuration: Red Hat 9 (Shrike) with kernel 2.4.20-18.9 obtained after running up2date. Processor P90, 96 MB RAM.

I have installed Shorewall 1.4.5 with the 2-interface sample and the installation was smooth with no problems. I am trying to configure a MS 2003 VPN that sits behind our firewall (Shorewall). I added the following rules to the /etc/shorewall/rules file:

    #Added by Bharath to allow Forwarding from Firewall.
    #DNAT net loc:172.25.1.10 tcp 1723
    #DNAT net loc:172.25.1.10 47 -
    # End of Addition for VPN Server behind Firewall does not work as of 7/10/2003

I have intentionally commented this out as it did not work. Will get into the specifics.

As a check I had forwarded port 80 to the same IP and it works. I read thru the FAQ and thru the Questions and Answers section of the site and it was quite helpful to get me thus far, i.e. I was able to confirm that the packets reached this internal server on port 1723, but I get error '800' on the VPN client, which is not helpful.

I am running Microsoft Remote Access and Routing Service on Windows 2003 server. I have tested it from inside to make sure it connects and authenticates, so the VPN server itself not working correctly is ruled out.

Should I add any other rules to the 'rules' file? Am I missing something?
Thanks
Bharath

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2003-Jul-16 14:14 UTC
[Shorewall-users] Port Forwarding help on Shorewall 1.45 with RH9.0 Kernel 2.4.20-19.8
On Wed, 2003-07-16 at 13:46, Bharath S. Narayan wrote:
> Hello,
> I am posting my question here again as I had not got any replies. Any takers
> to help me out. I am trying to allow external users use a VPN server behind
> the firewall.

a) The fact that the connection request is reaching the server indicates that the TCP port forwarding rule is correct and since the GRE rule is a near carbon copy, it too must be correct.

b) Given that forwarding port 80 to the same internal server works, the basic configuration of the server is correct.

The next course of action would seem to be to get a trace of what's going on, either from your VPN server or using tcpdump/ethereal on your firewall.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
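Tom's suggestion is to trace the traffic and see which of the two PPTP legs, the TCP/1723 control connection and the GRE (IP protocol 47) tunnel, is not flowing in which direction. The script below is an added example, not code from the thread or from the Shorewall project: it classifies tcpdump-style lines per leg and per direction and names the first missing leg. It assumes the capture was taken on the firewall's internal interface after DNAT, so packets already carry the internal server address 172.25.1.10 from the thread; the client address is a documentation-range placeholder and the sample trace lines are constructed, modelled on `tcpdump -n` output rather than captured.

```python
"""Split a PPTP trace into its TCP/1723 control leg and GRE tunnel leg,
per direction, so a leg that never flows stands out.

Added example, not part of the mailing-list thread. Assumes the capture was
taken on the firewall's internal (loc) interface after DNAT, so the server
address is the internal one. Sample lines are constructed, not captured.
"""
import re

VPN_SERVER = "172.25.1.10"   # internal VPN server from the thread
CLIENT = "203.0.113.5"       # hypothetical external VPN client (documentation range)
PPTP_PORT = 1723

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# tcpdump -n style: "IP a.b.c.d.port > e.f.g.h.port: Flags [S], ..."
TCP_RE = re.compile(rf"IP {IP}\.(\d+) > {IP}\.(\d+): Flags \[([^\]]*)\]")
# tcpdump -n style: "IP a.b.c.d > e.f.g.h: GREv1, call 0, seq 1, ..."
GRE_RE = re.compile(rf"IP {IP} > {IP}: GREv1")

LEGS = ("tcp_to_server", "tcp_from_server", "gre_to_server", "gre_from_server")


def parse_line(line):
    """Return a dict for a TCP or GRE packet line, or None for anything else."""
    m = TCP_RE.search(line)
    if m:
        src, sport, dst, dport, flags = m.groups()
        return {"proto": "tcp", "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "flags": flags}
    m = GRE_RE.search(line)
    if m:
        src, dst = m.groups()
        return {"proto": "gre", "src": src, "dst": dst}
    return None


def classify(lines, client=CLIENT, server=VPN_SERVER):
    """Count packets on each leg; a zero count is the leg that is not flowing."""
    counts = dict.fromkeys(LEGS, 0)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["proto"] == "tcp":
            if pkt["src"] == client and pkt["dst"] == server and pkt["dport"] == PPTP_PORT:
                counts["tcp_to_server"] += 1
            elif pkt["src"] == server and pkt["dst"] == client and pkt["sport"] == PPTP_PORT:
                counts["tcp_from_server"] += 1
        else:
            if pkt["src"] == client and pkt["dst"] == server:
                counts["gre_to_server"] += 1
            elif pkt["src"] == server and pkt["dst"] == client:
                counts["gre_from_server"] += 1
    return counts


def diagnose(counts):
    """Name the first missing leg, in the order PPTP brings them up."""
    if counts["tcp_to_server"] == 0:
        return "no TCP/1723 reaching the server: check the tcp 1723 DNAT rule"
    if counts["tcp_from_server"] == 0:
        return "server does not answer on TCP/1723: check the server, not the firewall"
    if counts["gre_to_server"] == 0:
        return "control channel works but no GRE reaches the server: check the proto 47 DNAT rule"
    if counts["gre_from_server"] == 0:
        return "GRE reaches the server but no GRE comes back: check the server's GRE replies"
    return "both TCP/1723 and GRE flow in both directions: problem is not the forwarding rules"


# Constructed sample traces in tcpdump -n layout (not captured from the thread).
HEALTHY = [
    "12:00:00.000001 IP 203.0.113.5.3456 > 172.25.1.10.1723: Flags [S], seq 1, win 65535, length 0",
    "12:00:00.000200 IP 172.25.1.10.1723 > 203.0.113.5.3456: Flags [S.], seq 9, ack 2, win 16384, length 0",
    "12:00:00.000400 IP 203.0.113.5.3456 > 172.25.1.10.1723: Flags [.], ack 10, win 65535, length 0",
    "12:00:00.500000 IP 203.0.113.5 > 172.25.1.10: GREv1, call 0, seq 1, length 40: LCP, Conf-Request",
    "12:00:00.500300 IP 172.25.1.10 > 203.0.113.5: GREv1, call 1, seq 1, ack 1, length 44: LCP, Conf-Request",
]
CONTROL_ONLY = HEALTHY[:3]   # handshake completes on 1723, but no GRE is ever seen

if __name__ == "__main__":
    for name, trace in (("healthy", HEALTHY), ("control only", CONTROL_ONLY)):
        counts = classify(trace)
        print(name, counts, "->", diagnose(counts))
```

Feed it real capture output with `tcpdump -n -i <internal interface> 'tcp port 1723 or proto 47' | python3 this_script.py` after replacing the sample lists with `sys.stdin`, and set `CLIENT` to the address the test client actually connects from. The ordering in `diagnose` matters: PPTP cannot start GRE until the TCP/1723 exchange has completed, so a missing GRE leg only means something when the control leg is already seen in both directions.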
Bharath S. Narayan
2003-Jul-16 14:27 UTC
[Shorewall-users] Port Forwarding help on Shorewall 1.45 with RH9.0 Kernel 2.4.20-19.8
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, July 16, 2003 2:14 PM
To: Bharath S. Narayan
Cc: Shorewall-users@lists.shorewall.net

> On Wed, 2003-07-16 at 13:46, Bharath S. Narayan wrote:
> > Hello,
> > I am posting my question here again as I had not got any replies. Any takers
> > to help me out. I am trying to allow external users use a VPN server behind
> > the firewall.
>
> a) The fact that the connection request is reaching the server indicates that the TCP port forwarding rule is correct and since the GRE rule is a near carbon copy, it too must be correct.

Ok.

> b) Given that forwarding port 80 to the same internal server works, the basic configuration of the server is correct.
>
> The next course of action would seem to be to get a trace of what's going on, either from your VPN server or using tcpdump/ethereal on your firewall.

I am not an expert and have not done this one before. I will give it a shot and post my findings.

Thanks
Bharath

> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net