Firewall/Router setup

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Firewall/Router setup

    Hi,
    I have a kubuntu dapper drake box that needs to act as a router/firewall server for my home lan. I want to setup a firewall so that it allows access to my company's VPN server from a windows laptop connected in my home lan.

    Is there a script I can run? I tried using firestarter but no success yet with the VPN.

    Thanks.

    #2
    Re: Firewall/Router setup

    Depending on the type of VPN connection you are using, you will need to allow differing protocols and/or ports to be forwarded by your firewall to your laptop.

    As you mentioned Windows, I'll assume you are using PPTP with MPPE. This requires TCP port 1723 and protocol GRE (47) traffic to be allowed to forward and DNATed to your laptop.
    If your laptop uses a static IP on *your* system then you are fine; if not, it's time to set up your DHCP server so it does, or use some kind of local DNS resolution for it.

    These are the commands to run (if you have a working firewall) to forward the correct ports/protocols.
    Code:
    sudo iptables -t nat -A PREROUTING -i <internet interface(eth0 eth1 ppp0 etc)> -s works.ip.add.ress -p 47 -j DNAT --to-destination laptop.ip.add.ress
    sudo iptables -t nat -A PREROUTING -i <internet interface(eth0 eth1 ppp0 etc)> -s works.ip.add.ress -p tcp -m tcp --dport 1723 -j DNAT --to-destination laptop.ip.add.ress
    sudo iptables -A FORWARD -i <internet interface(eth0 eth1 ppp0 etc)> -s works.ip.add.ress -p 47 -j ACCEPT
    sudo iptables -A FORWARD -i <internet interface(eth0 eth1 ppp0 etc)> -s works.ip.add.ress -p tcp -m tcp --dport 1723 -j ACCEPT
    The FORWARD commands listed work for a default policy of DROP in the FORWARD table. If the default policy is ACCEPT and you have your own DROP rule at the end of the chain, then you have to insert the rule above the DROP rule with -I FORWARD # instead of -A FORWARD, where # is the number of the DROP rule.

    This all sounds complicated to the uninitiated, but a good understanding of iptables is time well spent.
    I have never got on with firewall builders, but if there is one you wish to use I'll look it up and duplicate the instructions for your chosen firewall interface.

    A note on security: My personal preference for this kind of thing would be to set up the VPN client on the firewall machine; then you can more closely control the traffic coming onto your network via the VPN. With the client being on the laptop, it is your company's security and the security of your laptop that will determine how secure *your* network is, as you are creating a tunnel *through your* firewall.
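    As an added example (not code from the thread), the same PPTP pass-through rules wrapped in a small script: it validates the addresses, emits the rules as a reviewable list, pins the FORWARD rules to the laptop's address with -d, and applies them with an iptables -C check so that running the script twice never duplicates rules. WAN_IF, VPN_IP and LAPTOP_IP are assumed placeholder names; the addresses in the comments and test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the PPTP pass-through
# rules described above as a reviewable list, validates the addresses,
# and applies them with an -C (check) guard so that re-running the script
# never duplicates rules. WAN_IF, VPN_IP and LAPTOP_IP are assumed names;
# the addresses used for testing are constructed samples.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # split on dots using the default IFS (avoids changing IFS globally)
    set -- $(printf '%s' "$1" | tr . ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit one rule per line as "<table> <chain> <match and target>" for the
# WAN interface, the company VPN server and the laptop. The FORWARD rules
# also pin the destination (-d) so the GRE/1723 opening reaches only the
# laptop, not any other host the DNAT could later be pointed at.
pptp_rules() {
    wan=$1; vpn=$2; laptop=$3
    [ -n "$wan" ] && is_ipv4 "$vpn" && is_ipv4 "$laptop" || return 1
    cat <<EOF
nat PREROUTING -i $wan -s $vpn -p 47 -j DNAT --to-destination $laptop
nat PREROUTING -i $wan -s $vpn -p tcp --dport 1723 -j DNAT --to-destination $laptop
filter FORWARD -i $wan -s $vpn -d $laptop -p 47 -j ACCEPT
filter FORWARD -i $wan -s $vpn -d $laptop -p tcp --dport 1723 -j ACCEPT
EOF
}

# Apply the rules idempotently: -C succeeds only if an identical rule exists.
# Uses -A as in the thread; with a trailing DROP rule in FORWARD, change the
# second iptables call to -I <chain> <rule-number> as the reply above notes.
apply_rules() {
    pptp_rules "$@" | while read -r table chain args; do
        # $args is intentionally unquoted so it word-splits into arguments
        iptables -t "$table" -C "$chain" $args 2>/dev/null \
            || iptables -t "$table" -A "$chain" $args
    done
}

# Usage: sh pptp-passthrough.sh WAN_IF VPN_IP LAPTOP_IP   (run as root)
if [ "$#" -eq 3 ]; then
    apply_rules "$@"
fi
```

    Running `pptp_rules eth0 VPN_IP LAPTOP_IP` alone prints the four rules so they can be reviewed before `apply_rules` touches the firewall.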

      #3
      Re: Firewall/Router setup

      Hi Teppic,
      Thanks for that reply.

      My laptop uses dhcp to obtain its ip. The dhcp server is actually the kubuntu box. I have it this way so I don't have to change anything when I get to the office where it uses dhcp again. Will the iptables commands change if the ip is dynamic?

      As for running the VPN client on the firewall machine, I don't know if that's possible since the authentication uses a smart card and I have searched in vain for a driver (it's probably proprietary). So, it's unrecognizable under Linux, as of now. So, I guess I'm stuck using the tunnelling route for now.

      I am replying while at work. I will try this tonight (after reading up on iptables a bit). In the meanwhile, can you post iptables commands for dynamic ip of my laptop?

      Thanks again.

        #4
        Re: Firewall/Router setup

        You need to tell the DHCP server on your kubuntu box to issue the same IP to your laptop every time; here is the entry for one of my laptops, which may help you.

        dhcpd.conf
        Code:
        <snip>
        #dell p3 high res
        host delllatitute800 {
            hardware ethernet 00:04:76:44:17:ed;
            fixed-address 192.168.1.30;
        }
        </snip>
        That basically tells the DHCP server to give the same IP address out whenever it sees that MAC address.
        You can give machine names to iptables, but it converts them to ip addresses according to the DNS information available at the time of the rule being entered (or at boot).

        It would be more difficult to write a script to add/remove the rules as needed than to set up the DHCP server.
