Hi... wondering if someone can give me the iptables entries which will allow a windows client at my house to establish a pptp connection to a remote server at work.
I have a linux system running centos 7 at home acting as my internet router, running iptables... but cannot seem to get iptables to allow pptp traffic from my windows computer to pass through correctly. I have to connect to my work pptp server from home. e.g.
windows computer <------> internet router <------> work pptp server
10.1.1.100 <------> 10.1.1.254(eth1) mypublicip(eth2) <------> serverip
I've googled around and have tried a half-dozen different things, none of which have worked.
Everything else (web surfing, email, etc.) is working fine.
iptables to allow PPTP connection from Windows client to remote server
Re: iptables to allow PPTP connection from Windows client to remote server
Another 6 hours of googling and trying random things has yielded no fruit. Things sure seem a heck of a lot different now with IPTables than years ago when I set up my firewall at work with it. Unfortunately, it seems things have changed quite a bit with the more recent kernels and most of those posts showing up on google from yesteryear are simply not valid any longer.
After many iterations, I now have the following error message triggering when I attempt to establish a VPN connection:
kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
My iptables
# Generated by iptables-save v1.4.21 on Tue Jul 4 06:21:17 2017
*nat
:PREROUTING ACCEPT [37021:3009255]
:INPUT ACCEPT [4111:537607]
:OUTPUT ACCEPT [2952:235874]
:POSTROUTING ACCEPT [1:104]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
# Completed on Tue Jul 4 06:21:17 2017
# Generated by iptables-save v1.4.21 on Tue Jul 4 06:21:17 2017
*filter
:INPUT ACCEPT [15476:2183949]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [13352:2471904]
:LOG_REJECT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# Forward out from DMZ (eth0) and LAN (eth1) to internet
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
# Forward any related packets back
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "IN DROP "
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
COMMIT
# Completed on Tue Jul 4 06:21:17 2017
# Generated by iptables-save v1.6.0 on Thu Mar 30 19:14:06 2017
*raw
:PREROUTING ACCEPT [1966992:2478673000]
:OUTPUT ACCEPT [1800432:1415256718]
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT
PPTP is still not working. I get the above-mentioned error message.
I read in one posting you also need to link the helper to the INPUT chain as well... however, if I attempt to add a similar line in *raw for the INPUT chain, iptables barfs and fails to start.
Re: iptables to allow PPTP connection from Windows client to remote server
Temporary workaround is to add to sysctl.conf:
net.netfilter.nf_conntrack_helper = 1
Or, to make it more "permanent":
echo "options nf_conntrack nf_conntrack_helper=1" >> /etc/modprobe.d/local.conf
This allows iptables to make the necessary helpers automatically from the rules.
Would appreciate feedback on what the actual rules "should" be though, I cannot find any decent documentation on helpers which illustrates what is needed with an explanation.
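Added example, not the poster's ruleset: a POSIX shell script that audits an iptables-save dump for where the pptp conntrack helper is attached and emits raw-table rules that attach it explicitly, which is the model the kernel message asks for. It assumes the post's interface layout (LAN on eth1, WAN on eth2) and uses a constructed sample dump modelled on the ruleset above; the point it demonstrates is that a CT rule in raw/OUTPUT only covers the router's own connections, because packets forwarded for the Windows client traverse PREROUTING, FORWARD and POSTROUTING but never OUTPUT, so the helper has to be attached in PREROUTING. That keeps the helper scoped to TCP/1723 on the LAN side instead of re-enabling automatic helper assignment for every connection.

```shell
#!/bin/sh
# Added example (not the forum poster's ruleset). Audits an iptables-save dump
# for where the pptp conntrack helper is attached and emits raw-table rules
# that attach it explicitly. Assumptions (from the post): LAN is eth1, WAN is
# eth2. Forwarded packets never traverse OUTPUT, only PREROUTING/FORWARD/POSTROUTING.

# Constructed sample dump, modelled on the post's ruleset (helper in OUTPUT only).
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Print the raw-table chains that carry a "CT --helper pptp" rule, sorted,
# space-separated (empty if none).
pptp_helper_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && /-j CT / && /--helper pptp/ { print $2 }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# "ok" when the helper is attached in PREROUTING (the forwarded path),
# "missing" otherwise.
check_forwarded_helper() {
    case " $(pptp_helper_chains "$1") " in
        *" PREROUTING "*) echo ok ;;
        *) echo missing ;;
    esac
}

# Emit raw-table rules scoped to TCP/1723: the LAN client's control channel
# (PREROUTING on the LAN interface) and the router's own (OUTPUT). The helper
# then marks the GRE call as RELATED, so the existing FORWARD rule passes it.
pptp_raw_rules() {
    lan="${1:-eth1}"
    cat <<EOF
*raw
-A PREROUTING -i $lan -p tcp --dport 1723 -j CT --helper pptp
-A OUTPUT -p tcp --dport 1723 -j CT --helper pptp
COMMIT
EOF
}
```

The raw table only has PREROUTING and OUTPUT chains, which is why a similar rule for INPUT in *raw fails to load; the helper also needs nf_conntrack_pptp (and nf_nat_pptp when masquerading) to be loadable on the router.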