I'm doing something very similar to what you want. Here are the rules I use:
192.168.1.2 is the address of the Microsoft VPN server,
$IPTABLES points to the iptables binary,
$EXTERNALIF is the external interface.

# vpn
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p 47 -i $EXTERNALIF -j DNAT --to 192.168.1.2
$IPTABLES -A FORWARD -i $EXTERNALIF -p 47 -d 192.168.1.2 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTERNALIF --dport 1723 -j DNAT --to 192.168.1.2:1723
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.1.2 --dport 1723 -j ACCEPT

Steve

On Wed, 2004-04-21 at 04:28, Bernhard Lukas wrote:
> Hello,
>
> we have a company firewall (iptables, Debian 3.0/Woody, 2.4.20 Kernel)
> and a VPN server (Microsoft VPN Server, Windows 2003 Server) behind the
> firewall.
>
> The firewall is called "spiderman" and the VPN server "batman".
> Clients (using Windows) should be able to use VPN from their homes.
> The Microsoft VPN Server is configured to use PPTP.
>
> This is the scenario I want to achieve:
>
> Windows Client ----> (( INTERNET )) ----> [spiderman] ----> [batman]
>                                           192.168.0.1      192.168.0.3
>                                            (firewall)      (vpn server)
>
> Windows Client ===================== VPN Connection ======> [batman]
>
>
> It is possible to connect from our internal network (192.168.0.x) to VPN
> servers outside our company network, so SNAT & forwarding of GRE traffic
> seems to work properly.
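The same PPTP/GRE pass-through rule set, as an added shell example that is not part of Steve's or Bernhard's messages: it takes the VPN server address and external interface as parameters and applies each rule only if it is not already present, so re-running the script does not stack duplicate rules. It assumes $IPTABLES defaults to /sbin/iptables and that `iptables -C` (rule check, iptables 1.4.11 or later) is available.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates Steve's
# PPTP pass-through rules (GRE = IP protocol 47, PPTP control = TCP 1723)
# for a given VPN server and external interface, then applies them
# idempotently. Assumes `iptables -C` (iptables >= 1.4.11) exists.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Print one rule per line as "<table> <chain> <rule spec>".
# $1 = address of the VPN server behind the firewall, $2 = external interface.
pptp_passthrough_rules() {
    vpn=$1; ext=$2
    # GRE carries the PPP tunnel data: accept locally, DNAT it to the VPN
    # server, and allow the forwarded packets through.
    echo "filter INPUT -p 47 -j ACCEPT"
    echo "nat PREROUTING -p 47 -i $ext -j DNAT --to $vpn"
    echo "filter FORWARD -i $ext -p 47 -d $vpn -j ACCEPT"
    # TCP 1723 carries the PPTP control connection; same three steps.
    echo "filter INPUT -p tcp --dport 1723 -j ACCEPT"
    echo "nat PREROUTING -p tcp -i $ext --dport 1723 -j DNAT --to $vpn:1723"
    echo "filter FORWARD -i $ext -p tcp -d $vpn --dport 1723 -j ACCEPT"
}

# Apply the rules, skipping any that are already loaded.
apply_pptp_rules() {
    pptp_passthrough_rules "$1" "$2" | while read -r table chain spec; do
        # -C exits non-zero when the rule is absent; only then append it.
        # $spec is intentionally unquoted so it splits into arguments.
        $IPTABLES -t "$table" -C "$chain" $spec 2>/dev/null \
            || $IPTABLES -t "$table" -A "$chain" $spec
    done
}

# Usage: ./pptp-rules.sh --apply 192.168.1.2 eth0
if [ "${1:-}" = "--apply" ]; then
    apply_pptp_rules "$2" "$3"
fi
```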

