
I have set up a Windows VPN server behind a Linux (Ubuntu) box that is working as a firewall and proxy server. Now I want people from outside to be able to connect to the VPN server, but the connection is not being established and I get error 619 on the client. I have checked the problem on the internet and it seems to be a firewall issue.

What should I do to get the connection established through the firewall?

Here is the information about my setup:

Firewall-External-IF-IP: 172.16.1.100

Firewall-LAN-IF-IP: 192.168.1.1

VPN-Server-IP: 192.168.1.10

And below is my iptables file content:

    # Generated by iptables-save v1.4.12 on Thu May 29 12:40:18 2014
    *filter
    :INPUT ACCEPT [162000:140437619]
    :FORWARD ACCEPT [23282:27196133]
    :OUTPUT ACCEPT [185778:143961739]
    :LOGGING - [0:0]
    -A INPUT -p gre -j ACCEPT
    -A INPUT -s 192.168.1.10/32 -p tcp -m tcp --sport 1723 -j ACCEPT
    -A INPUT -s 192.168.1.10/32 -p udp -m udp --sport 1723 -j ACCEPT
    -A FORWARD -s 192.168.1.0/24 -o EXT_IF -j ACCEPT
    -A FORWARD -s 192.168.1.0/24 -i EXT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.1.10/32 -i EXT_IF -o INT_IF -p tcp -m tcp --dport 1723 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.1.10/32 -i INT_IF -o EXT_IF -p tcp -m tcp --sport 1723 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.1.10/32 -i EXT_IF -o INT_IF -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.1.10/32 -i INT_IF -o EXT_IF -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT
    -A OUTPUT -d 192.168.1.10/32 -p tcp -m tcp --dport 1723 -j ACCEPT
    -A OUTPUT -d 192.168.1.10/32 -p udp -m udp --dport 1723 -j ACCEPT
    COMMIT
    # Completed on Thu May 29 12:40:18 2014
    # Generated by iptables-save v1.4.12 on Thu May 29 12:40:18 2014
    *nat
    :PREROUTING ACCEPT [17865:1053739]
    :INPUT ACCEPT [5490:357281]
    :OUTPUT ACCEPT [3723:223677]
    :POSTROUTING ACCEPT [3726:223870]
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.10
    -A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p gre -j DNAT --to-destination 192.168.1.10
    -A PREROUTING -i -h
    -A POSTROUTING -s 192.168.1.0/24 -o EXT_IF -j MASQUERADE
    COMMIT
    # Completed on Thu May 29 12:40:18 2014
    # Generated by iptables-save v1.4.12 on Thu May 29 12:40:18 2014
    *mangle
    :PREROUTING ACCEPT [22695965:17811993005]
    :INPUT ACCEPT [13818180:11522330171]
    :FORWARD ACCEPT [8527694:6271564562]
    :OUTPUT ACCEPT [14748508:11899678536]
    :POSTROUTING ACCEPT [23271280:18170828012]
    COMMIT
    # Completed on Thu May 29 12:40:18 2014

Hope that I find the solution here....!! :(

user221844
    There are some suggestions here that might help. Can you verify the three issues described in this answer are correct in your system? It looks like you already have some of the entries right shown here: http://serverfault.com/questions/276518/pptp-vpn-iptables-firewall-issues-csf?rq=1 – Byron C. May 30 '14 at 20:40
  • I have run 'sysctl net.ipv4.ip_forward' and the value is one; also, all other rules are set as you saw in the file. I have squid installed also, could it be the problem? – user221844 May 30 '14 at 21:07

0 Answers
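PPTP needs two things forwarded to the server: the TCP/1723 control connection and the GRE data tunnel, each DNATed in the nat table and accepted in the filter FORWARD chain, plus a MASQUERADE/SNAT for the reply path. The dump in the question also contains a line (`-A PREROUTING -i -h`) that `iptables-restore` cannot parse, and a table header that appears twice. The script below is an added example, not code from the question or its comments: it parses an iptables-save dump offline, reports lines that would make a restore abort, and checks for the PPTP pass-through rules. The dump it runs on is constructed to mirror the question's file (the interface names `EXT_IF`/`INT_IF` and the addresses are the question's own; the counters are zeroed), and the rule checks assume the textual iptables-save format rather than querying a live kernel.

```python
"""Offline lint for an iptables-save dump: finds lines iptables-restore would
reject and checks that the rules a PPTP (TCP/1723 + GRE) pass-through needs
are present.  Added example; not code from the question or its comments."""
import shlex

# Options that must be followed by an argument.
VALUE_OPTS = {"-A", "-I", "-i", "-o", "-s", "-d", "-p", "-j", "-m",
              "--dport", "--sport", "--state", "--to-destination", "--to-ports"}

# Constructed sample, modelled on the dump in the question (counters zeroed).
SAMPLE_DUMP = """\
# constructed sample dump
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p gre -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -o EXT_IF -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i EXT_IF -o INT_IF -p tcp -m tcp --dport 1723 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i EXT_IF -o INT_IF -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 172.16.1.100/32 -i EXT_IF -p gre -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i -h
-A POSTROUTING -s 192.168.1.0/24 -o EXT_IF -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
"""


def _norm(value):
    """Treat 192.168.1.10 and 192.168.1.10/32 as the same host."""
    return value[:-3] if value.endswith("/32") else value


def parse_rule(line):
    """Turn '-A CHAIN ...' into {option: argument}; None marks a missing argument."""
    toks = shlex.split(line)
    opts, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok in VALUE_OPTS:
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is None or nxt.startswith("-"):
                opts[tok] = None          # e.g. "-i -h": the interface name is missing
                i += 1
            else:
                opts[tok] = _norm(nxt)
                i += 2
        else:
            opts[tok] = True              # bare flag such as --syn
            i += 1
    return opts


def parse_dump(text):
    """Return ({table: [rule dicts]}, [problems]) for an iptables-save dump."""
    tables, problems, table = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            if table in tables:
                problems.append(f"line {n}: *{table} appears twice; the second block "
                                "flushes and replaces the first")
            tables.setdefault(table, [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            missing = [o for o, v in rule.items() if v is None]
            if missing:
                problems.append(f"line {n}: {' '.join(missing)} has no argument; "
                                "iptables-restore aborts the whole load here")
            elif table is not None:
                tables[table].append(rule)
        else:
            problems.append(f"line {n}: unrecognised line {line!r}")
    return tables, problems


def has_rule(rules, want):
    """True if some rule carries every option in `want` with the given value."""
    return any(all(r.get(k) == v for k, v in want.items()) for r in rules)


def check_pptp_passthrough(tables, vpn_ip, ext_if):
    """List the rules a PPTP pass-through to vpn_ip still lacks (empty = all present)."""
    nat, filt = tables.get("nat", []), tables.get("filter", [])
    findings = []
    if not has_rule(nat, {"-A": "PREROUTING", "-p": "tcp", "--dport": "1723",
                          "-j": "DNAT", "--to-destination": vpn_ip}):
        findings.append("nat: no DNAT of TCP/1723 (PPTP control) to the VPN server")
    if not has_rule(nat, {"-A": "PREROUTING", "-p": "gre", "-j": "DNAT",
                          "--to-destination": vpn_ip}):
        findings.append("nat: no DNAT of GRE (PPTP data tunnel) to the VPN server")
    if not has_rule(filt, {"-A": "FORWARD", "-d": vpn_ip, "-p": "tcp",
                           "--dport": "1723", "-j": "ACCEPT"}):
        findings.append("filter: FORWARD does not accept TCP/1723 to the VPN server")
    if not has_rule(filt, {"-A": "FORWARD", "-d": vpn_ip, "-p": "gre", "-j": "ACCEPT"}):
        findings.append("filter: FORWARD does not accept GRE to the VPN server")
    if not any(r.get("-A") == "POSTROUTING" and r.get("-o") == ext_if
               and r.get("-j") in ("MASQUERADE", "SNAT") for r in nat):
        findings.append(f"nat: no MASQUERADE/SNAT out of {ext_if} for the reply path")
    return findings


def lint(text, vpn_ip, ext_if):
    """Return (parse problems, missing PPTP rules) for a dump."""
    tables, problems = parse_dump(text)
    return problems, check_pptp_passthrough(tables, vpn_ip, ext_if)


if __name__ == "__main__":
    for group in lint(SAMPLE_DUMP, "192.168.1.10", "EXT_IF"):
        for msg in group:
            print(msg)
```

Run against the constructed dump it reports the unparseable `-i` line and the repeated `*mangle` header while finding all five pass-through rules present. Because a restore aborts on the bad line, the rules shown in the file may never have reached the kernel; compare with `iptables -t nat -S` and `iptables -S FORWARD` on the box. Two further checks outside the dump: the FORWARD policy in the question is ACCEPT, so the filter table is unlikely to be the blocker, and GRE through NAT also needs the PPTP connection-tracking helper (the `nf_conntrack_pptp`/`nf_nat_pptp` modules) loaded on the firewall.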