
First things first, there might be a few English errors, considering it's not my native language. I'm having a problem with VPN (GRE protocol) passing through iptables. I've done this at least a dozen times, but this time it's simply not working. I have a VPN server on my local network and my firewall is a CentOS 6.6 machine.
I have these rules on my FW:
$IPTABLES -A PREROUTING -t nat -p 47 -d $IP_EXT_CLT -j DNAT --to $IP_CLT_TS1
$IPTABLES -A PREROUTING -t nat -p tcp -m multiport -d $IP_EXT_CLT --dports 1723 -j DNAT --to $IP_CLT_TS1

The 'port 1723' rule is working perfectly, but the GRE rule (proto 47) is not. I monitored my interfaces, and it's not routing. For example, I have tried to make a prerouting of 'everything' to my server (IP_CLT_TS1), monitored my external interface, and the packets are coming. But when I watch my internal interface (with tcpdump) all protocols are passing by, except GRE.

Anyone already had this sort of problem?

Dave M
  • Are any packets *matching* the GRE rule? Do you have a rule in the `FORWARD` chain that permits forwarding GRE packets? – larsks Aug 12 '15 at 21:04
  • Yes, forward is enabled (default = accept and nothing blocking). – Carlos Parisotto Aug 12 '15 at 21:08
  • Detail: I have logs both on my INPUT chain and in my FORWARD chain, and those packets are logged as "INPUT", which means it is not routing; it is entering my FW like an INPUT packet. – Carlos Parisotto Aug 12 '15 at 21:09
  • Are the packet counts on the `PREROUTING` rule going up? And of course, in your logs, does the destination address of the GRE traffic match $IP_EXT_CLT (or $IP_CLT_TS1)? – larsks Aug 12 '15 at 21:11
  • Yes, the IPs match (the other rule uses the same IPs and it's working). About the PREROUTING, I'll see the packet count, but I tried putting another rule on PREROUTING before the rule, but instead of using DNAT, I used LOG, and the packet was showing correctly in my logs. – Carlos Parisotto Aug 13 '15 at 11:39
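The comments above boil down to two checks: are the GRE DNAT rule's packet counters moving, and does the kernel have the conntrack/NAT helpers that let it treat the PPTP control connection (tcp/1723) and the GRE data stream as one session. The following is an added example, not code from the thread or from any of its participants: two read-only POSIX shell helpers that parse `iptables -t nat -L PREROUTING -v -n -x` and `lsmod` output and report zero-hit rules and absent helper modules. The module names are the stock netfilter ones for the 2.6.32-era kernel CentOS 6 ships; the iptables and lsmod output at the bottom is constructed sample data, with documentation-range addresses standing in for $IP_EXT_CLT and $IP_CLT_TS1. The thread does not establish that missing modules were the asker's root cause; the check is simply the next thing to rule out when counters on a proto 47 rule stay at zero.

```shell
#!/bin/sh
# Added diagnostic helpers for the "GRE is DNAT'd but never shows up inside" situation.
# Both functions read command output on stdin, so they accept a saved capture or the
# live commands:   iptables -t nat -L PREROUTING -v -n -x | zero_hit_rules
#                  lsmod | missing_pptp_modules

# Print "<target> <proto>" for every rule whose packet counter is still exactly 0.
# Expects `iptables -t nat -L <chain> -v -n -x` output (-x keeps exact counters,
# no K/M suffixes, so a plain string compare against "0" is safe).
zero_hit_rules() {
    awk '$1 ~ /^0$/ { print $3, $4 }'
}

# Kernel modules a CentOS 6 (2.6.32) firewall needs so that the PPTP control channel
# and the GRE data channel are tracked and NATed as one session.
required_pptp_modules() {
    printf '%s\n' nf_conntrack_proto_gre nf_nat_proto_gre nf_conntrack_pptp nf_nat_pptp
}

# Print, space separated, the required modules absent from lsmod or /proc/modules output.
missing_pptp_modules() {
    loaded=$(awk '$1 != "Module" { print $1 }')   # drop the lsmod header line
    missing=""
    for m in $(required_pptp_modules); do
        printf '%s\n' "$loaded" | grep -qx "$m" || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample output (not captured from the asker's firewall). 203.0.113.10 stands
# in for $IP_EXT_CLT and 192.0.2.20 for $IP_CLT_TS1. The tcp/1723 rule has hits, the
# proto 47 rule has none, which is the symptom described in the question.
SAMPLE_NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 1523 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         multiport dports 1723 to:192.0.2.20
       0        0 DNAT       47   --  *      *       0.0.0.0/0            203.0.113.10         to:192.0.2.20'

# Constructed lsmod output: GRE tracking is loaded, the PPTP helpers and GRE NAT are not.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_proto_gre  3000  0
iptable_nat             6000  1
nf_nat                 22000  2 iptable_nat
nf_conntrack_ipv4       9000  3
nf_conntrack           79000  4 nf_conntrack_proto_gre,iptable_nat,nf_nat,nf_conntrack_ipv4'

echo "Rules with zero hits:"
printf '%s\n' "$SAMPLE_NAT_PREROUTING" | zero_hit_rules
echo "Missing PPTP helper modules:"
printf '%s\n' "$SAMPLE_LSMOD" | missing_pptp_modules
```

Run against the live box, a zero-hit proto 47 rule with a non-empty module list points at the kernel side rather than at the rule text; a zero-hit rule with all four modules loaded means the packets are not reaching PREROUTING with the expected destination, which is where the LOG rule trick from the comments helps.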

1 Answer


It's working now. The ppp and pptp packages were missing. I just installed them with yum and it worked. Sh*, where do I mark it as resolved?!!