iptables allowing PPTP / GRE

dre2004
Posts: 3
Joined: 2006/08/09 00:45:12

iptables allowing PPTP / GRE

Post by dre2004 » 2007/01/03 11:46:43

Hi,

I seem to be having some issues with CentOS 4.4 (2.6.9-22.EL) & iptables. I have a VPN server behind my firewall (running CentOS 4.4) which I want to allow PPTP & GRE to.

I've tried to do so using the following rules

iptables -I FORWARD -p tcp -d $VPN_SERVER_IPADDRESS --dport 1723 -j ACCEPT
iptables -I FORWARD -p 47 -d $VPN_SERVER_IPADDRESS -j ACCEPT

The rules add with no problems and the tcp rule seems to work fine, but I don't believe that the GRE packets are being forwarded. Looking at the byte counters I get the following:

# iptables -L -nv
Chain FORWARD (policy DROP 3 packets, 292 bytes)
pkts bytes target prot opt in out source destination
10 1112 ACCEPT tcp -- * * 0.0.0.0/0 $VPN_SERVER_IPADDRESS tcp dpt:1723
0 0 ACCEPT 47 -- * * 0.0.0.0/0 $VPN_SERVER_IPADDRESS


So it looks like no GRE packets are getting through. On the VPN server I am getting the following, which leads me to believe that it's because the GRE packets are not being forwarded through by the firewall that the PPTP connection is failing.


Jan 3 22:20:56 pppd[440]: pppd 2.3.8 started by (unknown), uid 0
Jan 3 22:20:56 pppd[440]: Using interface ppp0
Jan 3 22:20:56 pppd[440]: pppd create pidfile /var/run/ppp0.pid
Jan 3 22:20:56 pppd[440]: Connect: ppp0 /dev/pts/0
Jan 3 22:20:56 pppd[440]: Will not do PAP for user PoPToP
Jan 3 22:20:56 pppd[440]: Will not do CHAP for user PoPToP
Jan 3 22:21:26 pppd[440]: LCP: timeout sending Config-Requests
Jan 3 22:21:26 pppd[440]: Connection terminated.
Jan 3 22:21:26 pppd[440]: Exit.
Jan 3 22:21:26 pptpd[439]: GRE: read(fd=6,buffer=14538,len=4096) from PTY failed: status = -1 error = Error 5
Jan 3 22:21:26 pptpd[439]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Jan 3 22:21:26 pptpd[439]: CTRL: Client $client_ipaddress control connection finished
Jan 3 22:21:26 pptpd[439]: CTRL: Couldn't write packet to client.
Jan 3 22:34:24 last message repeated 1 time(s)

I have done some googling and have manually loaded the gre module in the kernel.

# modprobe ip_gre
# lsmod | grep ip
ip_gre 12513 0
ipv6 234881 14
ip_nat_ftp 4913 0
ipt_LOG 6465 20
ipt_limit 2881 8
ipt_length 1729 3
ipt_multiport 1985 10
ipt_state 1857 21
iptable_mangle 2752 1
iptable_nat 23037 2 ip_nat_ftp
iptable_filter 2753 1
ip_conntrack_ftp 72689 1 ip_nat_ftp
ip_conntrack 40565 4 ip_nat_ftp,ipt_state,iptable_nat,ip_conntrack_ftp
ip_tables 16705 8 ipt_LOG,ipt_limit,ipt_length,ipt_multiport,ipt_state,iptable_mangle,iptable_nat,iptable_filter

Still no luck though. Does anyone have any suggestions?

gracic
Posts: 39
Joined: 2007/01/24 18:21:28

Re: iptables allowing PPTP / GRE

Post by gracic » 2007/04/03 22:59:14

Your rule doesn't really look complete to me.

This is how I would do it ...

EXT - firewall external interface
LAN - firewall internal (lan) interface

----
# Forwarding incoming PPTP calls to your VPN Server
iptables -t nat -A PREROUTING -i $EXT -p tcp -d $EXT_IP --dport 1723 -j DNAT --to-destination $VPN_SERVER
iptables -t nat -A PREROUTING -i $EXT -p gre -d $EXT_IP -j DNAT --to-destination $VPN_SERVER

# PPTP RULES
iptables -A FORWARD -i $EXT -o $LAN -p tcp --dport 1723 -d $VPN_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $EXT -p tcp -s $VPN_SERVER --sport 1723 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $EXT -o $LAN -p gre -d $VPN_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $EXT -p gre -s $VPN_SERVER -m state --state ESTABLISHED,RELATED -j ACCEPT

-----


You can refine state, though I didn't really look into that.


Good luck and let us know how it works.
