Split screened subnet with VPN server

jvstech

At my place of work, my first job is that of a programmer and my second
is that of a network engineer. In order to work securely and still have
[limited] internet access, I set up a split-screened subnet with all of
the development projects done on the intranet and all the serving done
on the extranet, as follows.

http://www.binswitch.net/net-diagram.gif

On our development server, which is running Windows 2000 Server, I
installed RRAS so that one other person and I can connect to it from
home and still be relatively secure while working on the software.

The Linux router is simply a headless thin client running FC4 with
iptables for all the routing. The regular router appliance between the
extranet and the intranet is a Dynex DX-E401 router that I had lying
around. I have the ports open and forwarding for PPTP, L2TP, and IPSec,
as well as GRE and IPSec NAT Traversal. However, I am still unable to
forward VPN traffic to the internal Windows 2000 server.

I wrote a shell script on the Linux router to forward all the necessary
services:

--------------------
#!/bin/bash

# forward - a simple bash script for port forwarding using iptables
# written by Jonathan

# The defined network interfaces to be used
WAN=eth2
LAN=eth1

# eth0 isn't really a DMZ, but that's what I'm calling it since it's
# just a dedicated trunk for the web server. This variable will
# probably never be used, but at least it's defined in case it is
# at some point in the future.
DMZ=eth0

# Actual code follows.
# Quote "$1" so the test does not break when no argument is given.
if test -z "$1"
then
    echo "Please enter the TCP/IP protocol you wish to use (tcp/udp/icmp/etc...): "
    read -r NET_PROTOCOL
    echo "Please enter the port number you want to forward: "
    read -r PORT_NUM
    echo "Please enter the LAN destination address you want to forward port ${PORT_NUM} to: "
    read -r LOCAL_DEST
else
    NET_PROTOCOL=$1
    PORT_NUM=$2
    LOCAL_DEST=$3
fi

echo "Forwarding ${NET_PROTOCOL} port ${PORT_NUM} to ${LOCAL_DEST} on ${LAN}..."

# Inbound: the remote client's source port is ephemeral, so match only
# the destination port (matching --sport as well would drop nearly all
# real traffic if the FORWARD policy is DROP).
iptables -A FORWARD -p "${NET_PROTOCOL}" --dport "${PORT_NUM}" \
    -i "${WAN}" -o "${LAN}" -d "${LOCAL_DEST}" -j ACCEPT

# Outbound replies leave *from* the service port, so match --sport here.
iptables -A FORWARD -p "${NET_PROTOCOL}" --sport "${PORT_NUM}" \
    -i "${LAN}" -o "${WAN}" -s "${LOCAL_DEST}" -j ACCEPT

# Rewrite the destination address before the routing decision.
iptables -t nat -A PREROUTING -i "${WAN}" -p "${NET_PROTOCOL}" \
    --dport "${PORT_NUM}" -j DNAT --to "${LOCAL_DEST}"

echo Done.
--------------------

Then, if I wanted to forward, say, POP3 to 10.0.0.9, I'd simply type:
../forward tcp 110 10.0.0.9

This has worked for all the servers on the extranet. I have also
forwarded TCP 1723, UDP 1701, UDP 500, and UDP 4500 to the intranet
router appliance. (To forward GRE, I had to type in the iptables
command manually.) I also configured these ports to go directly to the
VPN server from my intranet router. However, I am still unable to
connect to the Windows 2000 RRAS. During the connection attempt, it
simply won't even acknowledge that any kind of connection or
communication is being made.

Does anybody have any idea what is going on?

~Jonathan
 
Jonathan

Well, I installed pptpproxy and that seemed to take care of the
situation. However, it still bothers me that it didn't work BEFORE I
installed this.

I had GRE being forwarded (as far as I know... tcpdump didn't seem to
think so, but then again, I'm still not entirely sure how to use it):

# Rewrite the destination of inbound GRE (IP protocol 47) to the VPN server.
iptables -t nat -A PREROUTING -i ${WAN} -p 47 -j DNAT --to ${LOCAL_DEST}
# Allow the rewritten GRE packets through; note that GRE has no ports, so
# there is nothing to match on beyond the protocol number. If the FORWARD
# policy is DROP, a matching LAN-to-WAN rule is also needed for the
# server's replies.
iptables -A FORWARD -p 47 -i ${WAN} -o ${LAN} -j ACCEPT

Oh well. As long as it works and is fairly secure, I'm happy.
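For anyone landing on this thread with the same symptom, here is an added example (not Jonathan's script and not from the RRAS or iptables projects) that puts the pieces from both posts together: the TCP 1723 control channel and the GRE data channel are both DNATed to the internal RRAS host, the return path is allowed by connection state instead of by source-port matching, and the destination address is validated before any rule is built. The interface names eth2/eth1 and the address 10.0.0.9 are assumptions. Setting IPT=echo prints the rules instead of applying them, which is a handy way to review a rule set before touching a live router.

```shell
#!/bin/bash
# Added example: forward a PPTP VPN (TCP 1723 + GRE, IP protocol 47)
# through an iptables router to an internal RRAS host.
# Assumptions: WAN on eth2, LAN on eth1, VPN server at 10.0.0.9.
# IPT=echo turns every call into a dry run that just prints the rule.

IPT="${IPT:-iptables}"

# is_ipv4 ADDR -> 0 if ADDR is four dotted octets in 0..255, else 1.
# The poster's script accepted any string here; a typo would silently
# DNAT traffic to a host that does not exist.
is_ipv4() {
    local addr="$1" octet
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    [ "$(printf '%s' "$addr" | tr -cd . | wc -c)" -eq 3 ] || return 1
    for octet in $(printf '%s' "$addr" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pptp_forward WAN_IF LAN_IF INTERNAL_VPN_IP
# Emits (or applies) the minimal rule set for a PPTP server behind NAT.
pptp_forward() {
    local wan="$1" lan="$2" dest="$3"
    is_ipv4 "$dest" || { echo "bad destination address: $dest" >&2; return 1; }

    # Control channel: TCP 1723 from the internet, rewritten to the RRAS host.
    # Only the destination port is matched; the client's source port is ephemeral.
    "$IPT" -t nat -A PREROUTING -i "$wan" -p tcp --dport 1723 -j DNAT --to-destination "$dest"
    "$IPT" -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$dest" --dport 1723 -m conntrack --ctstate NEW -j ACCEPT

    # Data channel: GRE has no ports, so the whole protocol is sent to the
    # same host. Without this the TCP handshake completes but the tunnel
    # never comes up, which looks exactly like "RRAS never answers".
    "$IPT" -t nat -A PREROUTING -i "$wan" -p gre -j DNAT --to-destination "$dest"
    "$IPT" -A FORWARD -i "$wan" -o "$lan" -p gre -d "$dest" -j ACCEPT

    # GRE from the VPN server back to the client. GRE is not tracked as a
    # normal connection unless the pptp conntrack helper is loaded, so this
    # explicit rule is needed whenever the FORWARD policy is DROP.
    "$IPT" -A FORWARD -i "$lan" -o "$wan" -p gre -s "$dest" -j ACCEPT

    # Replies for everything the kernel is already tracking.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when run with the three arguments, e.g.:
#   ./pptp-forward.sh eth2 eth1 10.0.0.9          (live)
#   IPT=echo ./pptp-forward.sh eth2 eth1 10.0.0.9 (dry run)
if [ "$#" -eq 3 ]; then
    pptp_forward "$@"
fi
```

One design note: matching replies with `--ctstate ESTABLISHED,RELATED` (or `-m state --state` on an FC4-era kernel) instead of a mirrored `--sport`/`--dport` rule is what lets a single rule per service cover both directions, and it is also why the original script's `--sport ${PORT_NUM} --dport ${PORT_NUM}` pair could never match a real client.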