
Iptables and Forwarding port 1723


Jamie Carl

Feb 19, 2002, 12:29:10 AM
Hi all.. Got an interesting problem I need help with and it's just bugging
me.

I'm trying to forward port 1723 on my firewall using iptables for a VPN
connection but for some reason it doesn't want to work. Ignoring that this
is a VPN connection and just thinking it's plain old packet forwarding using
DNAT, it should work. If I run tcpdump on the external interface I can see
the packets coming in, and the destination address is getting translated
correctly. If I run tcpdump on the internal interface I see nadda. Now
using the EXACT same rule except changing the port number to something else,
it works, just not on 1723, as well as a few other port numbers. I haven't
been able to establish a pattern.

Is there some limitation I'm not aware of? A security thing? Possibly that
I can't forward packets over port 1024? Anyone know what's going on here?

TIA.

Jamie Carl
jamie...@salientnetworks.com.au

Jamie Carl

Feb 19, 2002, 12:47:55 AM
Hehe.. My bad.. My blocking rule was dropping packets on 1723 when it
shouldn't have been.
All fixed now, I hope.

Jamie Carl
jamie...@salientnetworks.com.au


"Jamie Carl" <jamie...@salientnetworks.com.au> wrote in message
news:3c71e2da$1...@news.iprimus.com.au...

Cedric Blancher

Feb 19, 2002, 3:25:33 AM
In his prose, Jamie Carl (jamie...@salientnetworks.com.au) wrote to us:

> I'm trying to forward port 1723 on my firewall using iptables for a VPN
> connection but for some reason it doesn't want to work. Ignoring that this
> is a VPN connection and just thinking it's plain old packet forwarding using
> DNAT, it should work. If I run tcpdump on the external interface I can see
> the packets coming in, and the destination address is getting translated
> correctly. If I run tcpdump on the internal interface I see nadda. Now
> using the EXACT same rule except changing the port number to something else,
> it works, just not on 1723, as well as a few other port numbers. I haven't
> been able to establish a pattern.

Forwarding TCP/1723 is not sufficient to forward a PPTP connection. PPTP
is PPP over a GRE tunnel, associated with a TCP control channel (port
1723). That means you have to redirect both TCP/1723 and GRE.

iptables -t nat -A PREROUTING -p tcp --dport 1723 -j DNAT --to 1.2.3.4
iptables -t nat -A PREROUTING -p 47 -j DNAT --to 1.2.3.4

should do the trick.

Maybe you should have a look at the Linux VPN masquerade project and get the
PPTP helper for Linux 2.4, depending on which way you want to redirect.

--
FG> What does selling/buying books have to do with
FG> being a bibliophile?
One doesn't always get the chance to steal them.
-+- FF in Guide du Neuneu d'Usenet - À l'insu de son plein gré -+-
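A fuller version of the two rules in the reply above, as an added example that is not from the thread or its posters: a POSIX shell script that emits the nat DNAT rules for both TCP/1723 and GRE together with the matching FORWARD accepts (a DROP in FORWARD is exactly what ate the original poster's 1723 packets), plus a check that a rule list really covers both halves of PPTP. The interface name eth0 and the address 192.168.1.10 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the iptables rules that
# expose a PPTP server behind a NAT firewall. PPTP needs both the TCP/1723
# control channel and the GRE tunnel (IP protocol 47) DNATed, and both must
# also be accepted in FORWARD; a DROP there is what swallowed the original
# poster's 1723 packets. Interface and address below are placeholders.

# Print the rules for external interface $1 and internal PPTP server $2.
# FORWARD rules are inserted (-I) so they land ahead of any existing DROP.
pptp_forward_rules() {
    ext_if="$1"
    server="$2"
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport 1723 -j DNAT --to-destination $server
iptables -t nat -A PREROUTING -i $ext_if -p 47 -j DNAT --to-destination $server
iptables -I FORWARD -i $ext_if -d $server -p tcp --dport 1723 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i $ext_if -d $server -p 47 -j ACCEPT
iptables -I FORWARD -o $ext_if -s $server -p tcp --sport 1723 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -I FORWARD -o $ext_if -s $server -p 47 -j ACCEPT
EOF
}

# Read a rule list on stdin (the generator's output, or a live
# "iptables -t nat -S PREROUTING") and succeed only if it covers both halves
# of PPTP: a TCP/1723 rule and a GRE (-p 47 or -p gre) rule. Forwarding only
# port 1723, as in the original question, fails this check.
pptp_rules_complete() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- '--dport 1723' || return 1
    printf '%s\n' "$rules" | grep -Eq -- '-p (47|gre)( |$)' || return 1
    return 0
}

# Apply with:  pptp_forward_rules eth0 192.168.1.10 | sh
# If the PPTP clients sit behind this NAT instead (the other direction the
# reply mentions), the conntrack helper does the GRE tracking:
# modprobe nf_conntrack_pptp on current kernels.
pptp_forward_rules "${1:-eth0}" "${2:-192.168.1.10}"
```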
