  1. #1

    Complex Port-Forwarding

    This is an issue I've been struggling with for quite a while now.

    Scheme:


    I have a PPTP server that's on the LAN and has a LAN IP address. That server has GRE and TCP port 1723 forwarded to it by the router, which runs netfilter/iptables.

    The same issue, which I'll describe pretty soon, happens with a phone system (Asterisk) that I have on the LAN, which only has a LAN address and has UDP port 5060 forwarded to it by the same router.

    Here is the syntax that I used in order to forward the ports. I'll only note one of the cases; the same applies to the other three:

    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT --to-destination
    iptables -A FORWARD -p tcp -d --dport 1723 -j ACCEPT

    The forwarding works great, and I have phones and other PCs PPTP'ing in and registering phones to my LAN.

    BUT !!

    The problem is with my LAN hosts: once the forwarding rules are applied, they are unable to use those services. For example, if I PPTP VPN from one of my LAN hosts to an outside address, it will actually VPN to my LAN PPTP server.
    This is understandable, due to the fact that the router will forward all traffic as it's commanded to.

    I have tried numerous "tricks": using the WAN interface instead of just "eth0" is one example; another would be only forwarding "SYN" packets to the inside host, or excluding the LAN source address with the "!" directive. But I'm hitting a wall. It's either hosts from the world being able to access the services on my LAN, or my LAN hosts being able to get to the world and use those services; I cannot get both to work at the same time.
    If someone has got this same feature to work on their router, their help would be greatly appreciated.

  2. #2
    This situation may require a DMZ zone off another NIC on the router. Placing the servers there would allow for a setup where WAN and LAN have equal access rules configured depending on where traffic comes from. Another option may be that the PPTP server is handing out information (i.e. routes) making it the default. I know with OpenVPN clients I set the "use only the resources" option to not make it my default gateway.

  3. #3

    DMZ might be a valid option, you're right.

    Greetings, thank you for your reply.

    As for the routes of the PPTP, it does become a default gateway by my setup; it only grants valid LAN IP addresses to its clients.
