Changes to firewall broke my VPN?



rickwookie
Posts: 9
Joined: Thu Mar 07, 2013 9:49 am

Changes to firewall broke my VPN?

Post by rickwookie »

Hi

I updated my Gargoyle firmware recently, and now I notice that I can no longer connect to my home PPTP VPN server.

Previously, I had entries in /etc/firewall.user to pass TCP port 1723 and all GRE packets to my VPN server at local address 192.168.11.3, so my /etc/firewall.user file looked thus:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
## PPTP: forward initiator 1723/tcp
iptables -t nat -A prerouting_wan -p tcp --dport 1723 -j DNAT --to 192.168.11.3
iptables -A forwarding_wan -p tcp --dport 1723 -d 192.168.11.3 -j ACCEPT

## PPTP: forward tunnel GRE traffic
iptables -t nat -A prerouting_wan -p gre -j DNAT --to 192.168.11.3
iptables -A forwarding_wan -p gre -d 192.168.11.3 -j ACCEPT

Well, the file is still the same, but I notice that now, any of those iptables commands results in an error:

root@Gargoyle:~# iptables -t nat -A prerouting_wan -p tcp --dport 1723 -j DNAT --to 192.168.11.3
iptables: No chain/target/match by that name.
root@Gargoyle:~# iptables -A forwarding_wan -p tcp --dport 1723 -d 192.168.11.3 -j ACCEPT
iptables: No chain/target/match by that name.
root@Gargoyle:~# iptables -t nat -A prerouting_wan -p gre -j DNAT --to 192.168.11.3
iptables: No chain/target/match by that name.
root@Gargoyle:~# iptables -A forwarding_wan -p gre -d 192.168.11.3 -j ACCEPT
iptables: No chain/target/match by that name.
root@Gargoyle:~#

Anyone know what's changed and how to fix it?

rickwookie
Posts: 9
Joined: Thu Mar 07, 2013 9:49 am

Re: Changes to firewall broke my VPN?

Post by rickwookie »

Anyone?

Googling around, it seems that you need a degree in "iptables" to debug this stuff.

rickwookie
Posts: 9
Joined: Thu Mar 07, 2013 9:49 am

Re: Changes to firewall broke my VPN?

Post by rickwookie »

Ok, well, fwiw I think I fixed it myself after doing some more research.

Doing

root@Gargoyle:~# iptables -L

and

root@Gargoyle:~# iptables -t nat -L

revealed that at some version change of Gargoyle, the iptables chains had the characters "_rule" appended, so my earlier working firewall.user script

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
## PPTP: forward initiator 1723/tcp
iptables -t nat -A prerouting_wan -p tcp --dport 1723 -j DNAT --to 192.168.11.3
iptables -A forwarding_wan -p tcp --dport 1723 -d 192.168.11.3 -j ACCEPT

## PPTP: forward tunnel GRE traffic
iptables -t nat -A prerouting_wan -p gre -j DNAT --to 192.168.11.3
iptables -A forwarding_wan -p gre -d 192.168.11.3 -j ACCEPT

simply had to become

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
## PPTP: forward initiator 1723/tcp
iptables -t nat -A prerouting_wan_rule -p tcp --dport 1723 -j DNAT --to 192.168.11.3
iptables -A forwarding_wan_rule -p tcp --dport 1723 -d 192.168.11.3 -j ACCEPT

## PPTP: forward tunnel GRE traffic
iptables -t nat -A prerouting_wan_rule -p gre -j DNAT --to 192.168.11.3
iptables -A forwarding_wan_rule -p gre -d 192.168.11.3 -j ACCEPT

So now I have PPTP passthrough working again; I might try using pptpd on the router itself.

:-)
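The failure in this thread is a chain rename that firewall.user never checked for, so the four rules silently went missing. As an added example (not from the thread or from Gargoyle), the script below looks up which hook chain the firmware actually defines before emitting the PPTP rules, and fails loudly if none of the candidates exists. The listings, the function names find_chain and pptp_rules, and the "_rule" chain names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pick whichever hook chain the running
# firmware actually provides before appending PPTP pass-through rules, so a
# renamed chain fails loudly instead of leaving firewall.user half-applied.

# Constructed sample listings standing in for `iptables -t nat -S` and
# `iptables -S` on a router whose chains carry the "_rule" suffix.
SAMPLE_NAT_LISTING='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N prerouting_wan_rule
-N postrouting_rule'
SAMPLE_FILTER_LISTING='-P INPUT DROP
-P FORWARD DROP
-N forwarding_wan_rule
-N input_wan_rule'

# find_chain LISTING NAME...: print the first NAME defined (a "-N" line) in
# LISTING, or return 1 if none of the candidates exists.
find_chain() {
    listing=$1; shift
    for name in "$@"; do
        if printf '%s\n' "$listing" | grep -qxF -- "-N $name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# pptp_rules NAT_LISTING FILTER_LISTING VPN_IP: emit the four iptables
# commands for 1723/tcp and GRE against the chains that really exist.
pptp_rules() {
    nat_chain=$(find_chain "$1" prerouting_wan_rule prerouting_wan) ||
        { echo "pptp_rules: no WAN prerouting chain found" >&2; return 1; }
    fwd_chain=$(find_chain "$2" forwarding_wan_rule forwarding_wan) ||
        { echo "pptp_rules: no WAN forwarding chain found" >&2; return 1; }
    vpn=$3
    printf '%s\n' \
        "iptables -t nat -A $nat_chain -p tcp --dport 1723 -j DNAT --to $vpn" \
        "iptables -A $fwd_chain -p tcp --dport 1723 -d $vpn -j ACCEPT" \
        "iptables -t nat -A $nat_chain -p gre -j DNAT --to $vpn" \
        "iptables -A $fwd_chain -p gre -d $vpn -j ACCEPT"
}

# On a real router, firewall.user would run:
#   pptp_rules "$(iptables -t nat -S)" "$(iptables -S)" 192.168.11.3 | sh
# Here we only print the generated commands for the constructed sample.
pptp_rules "$SAMPLE_NAT_LISTING" "$SAMPLE_FILTER_LISTING" 192.168.11.3
```

Because a missing chain now produces an error on stderr and a non-zero exit, a future rename shows up in the firewall restart log instead of being discovered when the VPN stops answering.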
