  1. #1 (Just Joined! | Join Date: Mar 2011 | Posts: 3)

    Complex Port-Forwarding


    Greetings,
    This is an issue I've been struggling with for quite a while now.

    Scheme :

    LAN----ROUTER----INTERNET

    I have a PPTP server that's on the LAN and has a LAN IP address. That server has GRE and TCP port 1723 forwarded to it by the router, which runs netfilter/iptables.

    The same issue, which I'll describe pretty soon, happens with a phone system (Asterisk) that I have on the LAN, which only has a LAN address and has UDP port 5060 forwarded to it by the same router.

    Here is the syntax that I used in order to forward the ports. I'll only note one of the cases; the same applies to all other three:

    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT --to-destination 10.12.35.8
    iptables -A FORWARD -p tcp -d 10.12.35.8 --dport 1723 -j ACCEPT

    The forwarding works great, and I have phones and other PCs PPTP'ing and registering phones to my LAN.

    BUT !!

    The problem is with my LAN hosts: once the forwarding rules are applied, they are unable to use those services. For example, if I PPTP VPN from one of my LAN hosts to an outside address, it will actually VPN to my LAN PPTP server.
    This is understandable, due to the fact that the router will forward all traffic as it's commanded to.

    I have tried numerous "tricks": using the WAN interface instead of just "eth0" is one example; another would be only forwarding "SYN" packets to the inside host, or excluding the LAN source address with the "!" directive. But I'm hitting a wall: either hosts from the world are able to access the services on my LAN, or my LAN hosts are able to get to the world and use those services. I cannot get both to work at the same time.
    If someone has gotten this same feature to work on their router, their help would be greatly appreciated.
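
    One way to scope the forwarding so that only traffic arriving from the Internet is redirected, while LAN hosts stay free to reach outside PPTP/SIP servers, as an added example that is not from the original poster: the DNAT matches on the WAN interface and the public address, and a hairpin pair covers LAN clients that deliberately use the public address. Interface eth1, address 203.0.113.10 and the 10.12.35.0/24 subnet are assumptions; only eth0 and 10.12.35.8 come from the post.

```shell
#!/bin/sh
# Added example, not from the thread: scoped DNAT plus a hairpin pair for one
# forwarded service. DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them.
WAN_IF="${WAN_IF:-eth1}"             # assumed WAN interface
WAN_IP="${WAN_IP:-203.0.113.10}"     # assumed public address (documentation range)
LAN_IF="${LAN_IF:-eth0}"             # LAN interface, as named in the post
LAN_NET="${LAN_NET:-10.12.35.0/24}"  # assumed LAN subnet
DRY_RUN="${DRY_RUN:-1}"

ipt() {
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# forward_service PROTO SERVER [PORT]   (PORT is omitted for GRE)
forward_service() {
  proto="$1"; server="$2"; port="$3"
  # $dport is left unquoted on purpose below: it is either empty or two words.
  if [ -n "$port" ]; then dport="--dport $port"; else dport=""; fi
  # 1. Only packets that enter on the WAN side *for the public address* are
  #    redirected. A LAN host dialling some other PPTP/SIP server on the
  #    Internet never matches this rule, so it is not pulled into the LAN server.
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p "$proto" $dport \
      -j DNAT --to-destination "$server"
  # FORWARD sees the post-DNAT destination; this covers the WAN and hairpin paths.
  ipt -A FORWARD -o "$LAN_IF" -p "$proto" -d "$server" $dport \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  # 2. Hairpin: a LAN client that deliberately uses the public address still
  #    reaches the server. Those packets arrive on the LAN interface, so they
  #    get their own narrowly matched DNAT, and the source is masqueraded so the
  #    server answers via the router instead of straight back to the client.
  ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" -p "$proto" $dport \
      -j DNAT --to-destination "$server"
  ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$server" -p "$proto" $dport \
      -j MASQUERADE
}

# The three forwards named in the thread: PPTP control, GRE (which also needs the
# kernel's nf_conntrack_pptp/nf_nat_pptp helpers loaded on the router), and SIP.
forward_service tcp 10.12.35.8 1723
forward_service gre 10.12.35.8
forward_service udp 10.12.35.8 5060
```

Run it once with the default DRY_RUN=1 and read the emitted rules before applying them with DRY_RUN=0.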

  2. #2 (Just Joined! | Join Date: Jul 2006 | Posts: 5)
    This situation may require a DMZ zone off another NIC on the router. Placing the servers there would allow for a setup where WAN and LAN have equal access rules configured depending on where traffic comes from. Another option may be that the PPTP server is handing out information (i.e. routes) making it the default. I know with OpenVPN clients I set the "use only the resources" option to not make it my default gateway.

  3. #3 (Just Joined! | Join Date: Mar 2011 | Posts: 3)

    DMZ might be a valid option, you're right.

    Greetings, thank you for your reply.

    As for the routes of the PPTP, it does become a default gateway by my setup; it only grants valid LAN IP addresses to its clients.
