
I am having a problem with iptables and a PPTP VPN. I have read related topics both on here and online but still can't get it to work! I am trying to set up PPTP on an Ubuntu server on our local network, to force clients to have to log in through the VPN to gain internet access. The Ubuntu server is connected directly to the internet.

In my rc.local I have the following to forward and accept GRE:

# PPTP IP forwarding
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A INPUT -p gre -j ACCEPT
sudo iptables -A OUTPUT -p gre -j ACCEPT

This shows up when I list my iptables rules, so I know it is there.

I use CSF on the server as my firewall. If this is disabled I can connect to the VPN and browse the internet through it; if CSF is enabled I either get "disconnected by the communication device" or I can connect but have no internet access through the VPN.

This also has the weird problem that every now and then it does seem to work through the firewall!

I have the following ports open:

TCP_IN = ...47,53,80,92,110,143,443,465,587,993,995,1723,7777..
TCP_OUT = ...47,53,80,92,110,113,443,1723,25565,7777...
UDP_IN = 20,21,47,53,1723,27015,27025
UDP_OUT = 20,21,47,53,113,123,1723,27015, 27025

Do you have any recommendations for how to fix this problem? Do you require any further information?

Many thanks for your time,


Extra Info as Requested:

iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7377  749K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
 5631  786K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spts:1024:65535 dpt:53 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.13.7          0.0.0.0/0           tcp spts:1024:65535 dpt:53 
    3   626 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spt:53 dpts:1024:65535 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.13.7          0.0.0.0/0           tcp spt:53 dpts:1024:65535 
    0     0 ACCEPT     udp  --  !lo    *       130.88.13.7          0.0.0.0/0           udp spt:53 dpt:53 
    0     0 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spts:1024:65535 dpt:53 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.149.93        0.0.0.0/0           tcp spts:1024:65535 dpt:53 
  431 71632 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spt:53 dpts:1024:65535 
    0     0 ACCEPT     tcp  --  !lo    *       130.88.149.93        0.0.0.0/0           tcp spt:53 dpts:1024:65535 
    0     0 ACCEPT     udp  --  !lo    *       130.88.149.93        0.0.0.0/0           udp spt:53 dpt:53 
 5021  561K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
 4255  519K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    1    64 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:47 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
   61  3648 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    1    64 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995 
    3   192 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1723 
    2   128 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7777 
   89  5340 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 
   84  5040 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27015 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21433 
  103  6180 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25566 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23456 
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6667 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:47 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1723 
  435 19275 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27015 
  389 16837 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27025 
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:6667 
    2   122 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 0 limit: avg 1/sec burst 5 
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 3 
 1127 73207 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8150  710K LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner GID match 8 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 owner UID match 0 
  123  7380 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
 5631  786K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
  436 32454 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp spt:53 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp spt:53 
 6572  649K INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           
 6852  636K ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:47 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
  148  8880 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:113 
    2   120 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:389 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1723 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25565 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7777 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27015 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21433 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23456 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306 
   30  1800 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:92 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25555 
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6667 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:47 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:113 
   52  3952 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1723 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27015 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:27025 
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:6667 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 0 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 11 
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 3 
    3   183 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0                    

Chain INVALID (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   19   844 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08 
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20 
    9   360 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 

Chain INVDROP (10 references)
 pkts bytes target     prot opt in     out     source               destination         
   28  1204 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  !lo    *       10.1.2.0/24          0.0.0.0/0           
  461 31652 ACCEPT     all  --  !lo    *       78.129.132.155       0.0.0.0/0           
 6901  714K DSHIELD    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           
 6831  695K SPAMHAUS   all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           

Chain LOCALOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      !lo     0.0.0.0/0            10.1.2.0/24         
  600 32952 ACCEPT     all  --  *      !lo     0.0.0.0/0            78.129.132.155      

Chain LOGDROPIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:68 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:113 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139 
   76 18810 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:135:139 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:500 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:513 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:513 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520 
  979 50908 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520 
   26  1056 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* ' 
   41  2173 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* ' 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* ' 
   72  3489 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROPOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* ' 
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* ' 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* ' 
    3   183 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

iptables -nvL -t nat

pez@brave:~$ sudo iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 42112 packets, 3106K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 716 packets, 43090 bytes)
 pkts bytes target     prot opt in     out     source               destination          
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
    0     0 MASQUERADE  all  --  *      venet0  10.10.0.0/24         0.0.0.0/0           
31176 2345K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Solution summarised: created a new file csfpre in /etc/csf/ and added the following contents:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A FORWARD -i ppp+ -o eth0 -p ALL -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -p ALL -j ACCEPT
Pez Cuckow
  • Please clarify where exactly you've got those iptables rules, where you've got CSF, and if the client and server have direct access to the internet (a link in some interface) or via a gateway. Also note you don't seem to be forwarding anything there - just allowing input and output traffic. If the MASQUERADE rule is actually needed you probably also need a FORWARD rule. – Eduardo Ivanec Jun 04 '11 at 14:37
  • The server is directly on the internet via eth0. The client is connected to the local network only. All of this configuration is on the server, the client is a laptop. – Pez Cuckow Jun 04 '11 at 14:54
  • Please post your full `iptables -nvL` and `iptables -nvL -t nat`. – Eduardo Ivanec Jun 04 '11 at 14:59
  • 192.168.122.0/24 is a vhost on the server. – Pez Cuckow Jun 04 '11 at 15:10

1 Answer


You don't really seem to have the GRE protocol enabled, from what I can see. You have port 47 TCP allowed, but that's not the same. Your rc.local rules regarding GRE seem fine but are probably being overwritten, so add those rules in your firewall system proper.

You also have a DROP policy for forwarding packets - add this rule as a minimum:

iptables -A FORWARD -i ppp+ -j ACCEPT

This enables forwarding for all interfaces beginning with ppp, which should be enough for a PPTP-based VPN.

Also, you probably did this already but check you've enabled packet forwarding using sysctl net.ipv4.ip_forward - it should be 1.

Note your packet count (first column) for TCP 1723 is 0. Try connecting and check it goes up. But enable GRE first or it won't work, of course.

Eduardo Ivanec
  • Hi, thanks for your time. sysctl net.ipv4.ip_forward is of course 1, I have added the forward packets rule on -i ppp -o eth0 and vice versa. I have moved my rc.local commands to csfpre.sh (which csf apparently runs after it is set up). However I am still getting stuck at "you were disconnected by the communication device" when the firewall is enabled. – Pez Cuckow Jun 04 '11 at 15:41
  • After adding `iptables -A INPUT -p gre -j ACCEPT` and `iptables -A OUTPUT -p gre -j ACCEPT` I think everything is now working! Awesome. Thanks for your help, very much appreciated! – Pez Cuckow Jun 04 '11 at 15:44
  • I would like to add that as of Linux 4.7, it is necessary to do `sysctl net.netfilter.nf_conntrack_helper=1` for PPTP connections to pass through. See https://bugzilla.kernel.org/show_bug.cgi?id=152101#c7 for a more 'permanent' fix. – Stunts Sep 01 '16 at 08:03
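
The points raised in the answer above (GRE is IP protocol 47 rather than TCP/UDP port 47, and a DROP policy on FORWARD needs a `ppp+` rule) can be checked mechanically. This is an added example, not part of the original thread: `pptp_audit`, `sample_before` and `sample_after` are hypothetical names, and both rulesets are constructed in `iptables-save` format.

```bash
#!/usr/bin/env bash
# Added example: audit `iptables-save` output for what a PPTP server needs.
# pptp_audit reads a ruleset on stdin, prints one finding per line and
# returns 1 if a requirement is missing. Rule order is not evaluated.
pptp_audit() {
    awk '
    function report(what, ok,    tag) {
        tag = ok ? "OK      " : "MISSING "
        if (!ok) missing++
        print tag what
    }
    /^\*/ { table = substr($0, 2); next }   # table header, e.g. "*filter"
    table != "filter" { next }              # nat/mangle chains do not filter
    /^:FORWARD ACCEPT/ { fwd = 1 }          # policy line, e.g. ":FORWARD DROP [0:0]"
    /^-A / && / -j ACCEPT( |$)/ {
        chain = $2
        gre = ($0 ~ / -p (gre|47)( |$)/)    # IP protocol 47, matched with -p
        if (gre && chain == "INPUT")  gre_in = 1
        if (gre && chain == "OUTPUT") gre_out = 1
        if (chain == "INPUT" && / -p tcp / && / --dport 1723( |$)/) ctl = 1
        if (chain == "FORWARD" && / -i ppp\+( |$)/) fwd = 1
        if (/ -p (tcp|udp) / && / --dport 47( |$)/) port47++
    }
    END {
        report("INPUT accepts GRE (IP protocol 47)", gre_in)
        report("OUTPUT accepts GRE (IP protocol 47)", gre_out)
        report("INPUT accepts TCP 1723 (PPTP control channel)", ctl)
        report("FORWARD lets ppp+ traffic through", fwd)
        if (port47)
            print "WARN    " port47 " rule(s) open TCP/UDP port 47; that does not admit GRE"
        exit (missing > 0)
    }'
}

# Constructed ruleset modelled on the question: port 47 opened, GRE not.
sample_before() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 47 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 47 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Same ruleset plus the rules from the question's solution summary (constructed).
sample_after() {
    sample_before | sed '$d'
    cat <<'EOF'
-A INPUT -p gre -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT
EOF
}

echo "== before =="; sample_before | pptp_audit || true
echo "== after ==";  sample_after  | pptp_audit
```

On a live server the same function can be fed with `sudo iptables-save | pptp_audit`; run it again after restarting the firewall to confirm the rules survived.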