iptables to allow PPTP connection from Windows client to remote server

vtwin@cox.net
Posts: 38
Joined: 2017/02/16 16:41:29

iptables to allow PPTP connection from Windows client to remote server

Post by vtwin@cox.net » 2017/07/04 02:39:32

Hi... wondering if someone can give me the iptables entries which will allow a windows client at my house to establish a pptp connection to a remote server at work.

I have a linux system running centos 7 at home acting as my internet router, running iptables... but cannot seem to get iptables to allow pptp traffic from my windows computer to pass through correctly. I have to connect to my work pptp server from home. e.g.

windows computer <------> internet router <------> work pptp server
10.1.1.100 <------> 10.1.1.254(eth1) mypublicip(eth2) <------> serverip

I've googled around and have tried a half-dozen different things, none of which have worked.

Everything else (web surfing, email, etc.) is working fine.

vtwin@cox.net

Re: iptables to allow PPTP connection from Windows client to remote server

Post by vtwin@cox.net » 2017/07/04 12:21:37

another 6 hours of googling and trying random things has yielded no fruit. Things sure seem a heck of a lot different now with IPTables than years ago when I set up my firewall at work with it. Unfortunately, it seems things have changed quite a bit with the more recent kernels and most of those posts showing up on google from yesteryear are simply not valid any longer.

After many iterations, I now have the following error message triggering when I attempt to establish a VPN connection:

kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

My iptables

# Generated by iptables-save v1.4.21 on Tue Jul 4 06:21:17 2017
*nat
:PREROUTING ACCEPT [37021:3009255]
:INPUT ACCEPT [4111:537607]
:OUTPUT ACCEPT [2952:235874]
:POSTROUTING ACCEPT [1:104]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Tue Jul 4 06:21:17 2017
# Generated by iptables-save v1.4.21 on Tue Jul 4 06:21:17 2017
*filter
:INPUT ACCEPT [15476:2183949]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13352:2471904]
:LOG_REJECT - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT

# Forward out from DMZ (eth0) and LAN (eth1) to internet
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT

# Forward any related packets back
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IN DROP "
-A INPUT -m conntrack --ctstate INVALID -j DROP

-A FORWARD -j LOG
-A FORWARD -j DROP
COMMIT
# Completed on Tue Jul 4 06:21:17 2017
# Generated by iptables-save v1.6.0 on Thu Mar 30 19:14:06 2017
*raw
:PREROUTING ACCEPT [1966992:2478673000]
:OUTPUT ACCEPT [1800432:1415256718]
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT


output PPTP is still not working. I get the above-mentioned error message.

I read in one posting you also need to link the helper to the INPUT chain as well... however, if I attempt to add a similar line in *raw for the INPUT chain, iptables barfs and fails to start.

vtwin@cox.net

Re: iptables to allow PPTP connection from Windows client to remote server

Post by vtwin@cox.net » 2017/07/05 00:02:59

Temporary workaround is to add to sysctl.conf

net.netfilter.nf_conntrack_helper = 1

or, to make more "permanent"

echo "options nf_conntrack nf_conntrack_helper=1" >> /etc/modprobe.d/local.conf

This allows iptables to make the necessary helpers automatically from the rules.

Would appreciate feedback on what the actual rules "should" be though; I cannot find any decent documentation on helpers which illustrates what is needed with an explanation.
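A worked example, added here and not from the poster or the CentOS project, of the rules the last two posts ask for, assuming eth1 is the LAN side and eth2 the WAN side as in the diagram. The raw table only has PREROUTING and OUTPUT chains, and an OUTPUT rule only sees the router's own packets, so the CT target for the forwarded Windows client has to sit in PREROUTING; GRE is then accepted only when the pptp helper expects it, which avoids re-enabling nf_conntrack_helper=1 globally.

```shell
#!/bin/sh
# Added example (hypothetical helper script, not the original poster's config).
# Emits an iptables-restore fragment that attaches the pptp conntrack helper to the
# forwarded PPTP control connection and admits only the GRE the helper expects.

pptp_rules() {
    lan_if="$1"   # interface the Windows client sits behind (eth1 in the thread)
    wan_if="$2"   # interface toward the internet (eth2 in the thread)
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Forwarded traffic enters via PREROUTING, not OUTPUT: attach the helper here.
-A PREROUTING -i ${lan_if} -p tcp --dport 1723 -j CT --helper pptp
COMMIT
*filter
# Outbound TCP/1723 control connection from the LAN to the PPTP server.
-A FORWARD -i ${lan_if} -o ${wan_if} -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
# Return traffic of known connections in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# GRE (IP protocol 47) carrying the PPP data, only when the pptp helper set up the
# expectation; any other RELATED or unsolicited GRE falls through to the DROP policy.
-A FORWARD -p gre -m conntrack --ctstate RELATED -m helper --helper pptp -j ACCEPT
COMMIT
EOF
}

# Load the PPTP conntrack/NAT helpers (the router MASQUERADEs, so NAT support is
# needed for the GRE call IDs) and apply the fragment without flushing other rules.
apply_pptp_rules() {
    modprobe nf_conntrack_pptp && modprobe nf_nat_pptp || return 1
    pptp_rules "$1" "$2" | iptables-restore -n
}

# Example invocation on the router described in the thread:
#   apply_pptp_rules eth1 eth2
```

Merge the *filter lines into the existing FORWARD chain ahead of the final LOG/DROP pair, replacing the blanket RELATED,ESTABLISHED rule so that RELATED is only honoured for the pptp helper.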
