IPTables and Windows VPN


WAR_CH|LD
03-02-2004, 09:52 PM
I have this configuration

W2k VPN server ----- Iptables ------ Road Warrior

I have the Road Warrior VPNing in with no problems; 1723 and protocol 47 are forwarded as necessary. This works great. I have also loaded the gre_ip module.

Now, if I am on the network that houses the VPN server, I can no longer VPN to any other VPN servers (through that firewall and onto the net, then through someone else's firewall to their VPN server). The packets from the internal network for some reason are getting forwarded back to the W2k VPN server.

#PPTP Forwarding in w2k
# (tcp_packets, allowed and accept_log1 are user-defined chains from the rest of the script)
# Control channel: TCP/1723, DNATed from the Internet interface to the W2k server
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed
$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE --dport 1723 -j DNAT --to $WVPN_SRV:1723
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 1723 -j DNAT --to $WVPN_SRV:1723
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -d $WVPN_SRV --dport 1723 -j accept_log1

# Data channel: GRE (IP protocol 47, no ports), DNATed the same way
$IPTABLES -A INPUT -p 47 -s 0/0 -j allowed
$IPTABLES -t nat -A PREROUTING -p 47 -i $INET_IFACE -j DNAT --to $WVPN_SRV
#$IPTABLES -t nat -A PREROUTING -p 47 -j DNAT --to $WVPN_SRV
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $WVPN_SRV -j accept_log1

I then added the -i $INET_IFACE to the routing chains, but now I get NO response and do not know at all what is happening to the packets... anyone got any questions or ideas?

In the end I need to be able to forward the VPN from the Internet to that Win2k server and then be able to connect to others in other locations, and for some reason this ain't happening.

jumpedintothefire
03-03-2004, 02:45 PM
How many different clients on the private LAN need to connect to an external VPN server? How many external VPN servers are involved?
The problem is your blanket GRE forwarding; you'll need to identify the external servers and DNAT the GRE to the client machine. Listing the clients' DNAT for GRE, using the server's address as the source, before the general VPN server's rule should straighten out the traffic flows. Remember, the first match wins.

$IPTABLES -A INPUT -p 47 -s 0/0 -j allowed
# Per-server rules first: GRE from a known external VPN server goes to the LAN client that dialed it
$IPTABLES -t nat -A PREROUTING -p 47 -i $INET_IFACE -s $VPNSERV1 -j DNAT --to $VPNCLIENT1
$IPTABLES -t nat -A PREROUTING -p 47 -i $INET_IFACE -s $VPNSERV2 -j DNAT --to $VPNCLIENT2
# Generic rule last: any other GRE from the Internet goes to the W2k server (first match wins)
$IPTABLES -t nat -A PREROUTING -p 47 -i $INET_IFACE -j DNAT --to $WVPN_SRV
#$IPTABLES -t nat -A PREROUTING -p 47 -j DNAT --to $WVPN_SRV
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $WVPN_SRV -j accept_log1
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $VPNCLIENT1 -j accept_log1
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $VPNCLIENT2 -j accept_log1

I have the same issue with IPsec clients connecting to remote servers.

jumpedintothefire
03-03-2004, 02:50 PM
I then added the -i $INET_IFACE to the routing chains, but now I get NO response and do not know at all what is happening to the packets... anyone got any questions or ideas?

Where are you testing from? The LAN, or the Internet? That will not work from the LAN with the "in interface" (-i) stated. tcpdump is your friend....

WAR_CH|LD
03-03-2004, 06:31 PM
yeah, I get you... that's a good point.

I'll try all that out... but I "seem" to have it working without that. But looks can be deceiving, for now. :) Thanks

jumpedintothefire
03-04-2004, 01:00 AM
You don't have 2 clients going to the same server, do you? That requires a patch, if I recall....

This is a problem:
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $WVPN_SRV -j accept_log1
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $VPNCLIENT1 -j accept_log1
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $VPNCLIENT2 -j accept_log1

That allows traffic in the external interface only; that is not the "in interface" for the LAN's clients.. Oops, my mistake (got to stop doing this at work).

That should have been:
$IPTABLES -A FORWARD -p 47 -i $INET_IFACE -d $WVPN_SRV -j accept_log1
$IPTABLES -A FORWARD -p 47 -i $LAN_IFACE -s $VPNCLIENT1 -j accept_log1

Repeat for each allowed client...
or just use a blanket statement for the LAN:
$IPTABLES -A FORWARD -p 47 -i $LAN_IFACE -s $LAN -j accept_log1

WAR_CH|LD
03-04-2004, 01:18 AM
Um, in the end we would like multiple connections to the VPN server. What patch do you refer to so I can do that?

jumpedintothefire
03-04-2004, 02:34 AM
http://sourceforge.net/tracker/index.php?func=detail&aid=654010&group_id=44827&atid=441005

That is for multiple clients from the LAN to the same remote server.
You're on your own... patch-o-matic time...
Next time I have to do it, I might make some notes ;)

You could have the firewall make the connection to the remote server...
http://pptpclient.sourceforge.net/

Have fun...

jumpedintothefire
03-04-2004, 03:18 AM
$IPTABLES -t nat -A PREROUTING -p 47 -i $INET_IFACE -s $VPNSERV1 -j DNAT --to $VPNCLIENT1
I really have to stop rushing, at work, to post. After some more thought, these might be BS too; the replies to the clients' outbound requests would be handled by the masq code, as long as they are different servers.
With the -i in place in the forward rules, traffic couldn't pass from the internal interface.

Check for these modules; you may have to load them:
ip_conntrack_pptp
ip_nat_pptp
ip_conntrack_proto_gre
or patch/recompile to get them.

Time for sleep.
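Pulling the corrections from the posts above together, here is an added example (not the posters' script) of a complete PPTP passthrough rule set for this topology: the inbound DNAT to the Windows 2000 server, LAN-side FORWARD rules for clients dialing out, the stateful return path that replaces per-client GRE DNAT, and the conntrack/NAT helper modules just listed. The interface names (eth0/eth1), the addresses, the default-DROP FORWARD chain and the script name are assumptions. It keeps the thread's $IPTABLES convention, so setting IPTABLES="echo iptables" turns it into a dry run you can read before applying it.

```shell
#!/bin/sh
# Added example, not the posters' script: PPTP passthrough on an iptables
# firewall for the topology in this thread, in both directions:
#   1. Internet road warriors -> internal Windows 2000 PPTP server (DNAT)
#   2. LAN clients -> external PPTP servers (masqueraded)
# PPTP is two flows: the TCP/1723 control channel and the GRE tunnel
# (IP protocol 47, which has no ports). Interface names, addresses and a
# default-DROP FORWARD chain are assumptions for illustration.
#
# Dry run (prints the rules instead of applying them):  sh pptp_fw.sh dry-run
# Apply (as root):                                      sh pptp_fw.sh apply

IPTABLES=${IPTABLES:-iptables}
MODPROBE=${MODPROBE:-modprobe}
INET_IFACE=${INET_IFACE:-eth0}        # assumed Internet-facing interface
LAN_IFACE=${LAN_IFACE:-eth1}          # assumed LAN-facing interface
LAN=${LAN:-192.168.1.0/24}            # assumed LAN network
WVPN_SRV=${WVPN_SRV:-192.168.1.10}    # assumed internal W2k PPTP server

load_pptp_helpers() {
    # Conntrack/NAT helpers that tie each GRE tunnel to its TCP/1723 control
    # session by PPTP call ID. Without them GRE is tracked on the address pair
    # alone: fine for one LAN client per external server, broken as soon as two
    # LAN clients dial the same server. 2.4 kernels need the ip_* modules from
    # patch-o-matic; 2.6+ kernels ship them under the nf_* names.
    for m in ip_conntrack_proto_gre ip_conntrack_pptp ip_nat_pptp \
             nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_pptp; do
        $MODPROBE "$m" 2>/dev/null || true
    done
}

stateful_replies() {
    # Return traffic in both directions rides on connection state. This is
    # what brings the GRE tunnel of a LAN client's outbound call back in
    # (RELATED via the PPTP helper, or ESTABLISHED via plain GRE tracking),
    # de-NATed by the MASQUERADE mapping, so no per-client GRE DNAT is needed.
    $IPTABLES -A FORWARD -i "$INET_IFACE" -d "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -s "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

inbound_pptp_to_server() {
    # Road warrior -> W2k server. These packets really do enter on the
    # Internet interface, so -i $INET_IFACE is right here. The nat table sees
    # only the first packet of a connection, so the blanket GRE DNAT does not
    # capture GRE replies that already belong to a tracked outbound tunnel.
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$INET_IFACE" --dport 1723 \
        -j DNAT --to-destination "$WVPN_SRV"
    $IPTABLES -t nat -A PREROUTING -p 47 -i "$INET_IFACE" \
        -j DNAT --to-destination "$WVPN_SRV"
    $IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -d "$WVPN_SRV" --dport 1723 -j ACCEPT
    $IPTABLES -A FORWARD -p 47 -i "$INET_IFACE" -d "$WVPN_SRV" -j ACCEPT
}

outbound_pptp_from_lan() {
    # LAN client -> external server. These packets enter on the LAN interface,
    # so a FORWARD rule keyed on -i $INET_IFACE never matches them and the
    # call silently dies against the default DROP (the "NO response" in the thread).
    $IPTABLES -A FORWARD -p tcp -i "$LAN_IFACE" -s "$LAN" --dport 1723 -j ACCEPT
    $IPTABLES -A FORWARD -p 47 -i "$LAN_IFACE" -s "$LAN" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN" -j MASQUERADE
}

pptp_passthrough() {
    # First match wins inside a chain, so all of this must precede any
    # catch-all LOG/DROP rule at the end of FORWARD.
    stateful_replies
    inbound_pptp_to_server
    outbound_pptp_from_lan
}

case "${1:-}" in
    apply)   load_pptp_helpers; pptp_passthrough ;;
    dry-run) IPTABLES="echo iptables"; MODPROBE="echo modprobe"
             load_pptp_helpers; pptp_passthrough ;;
esac
```

To confirm which interface a LAN client's call actually enters on (the point made about -i), watch both sides while the client dials: `tcpdump -ni eth1 'tcp port 1723 or proto 47'` and `tcpdump -ni eth0 'tcp port 1723 or proto 47'`. Control packets seen on eth1 but never on eth0 means a FORWARD rule is dropping the call, not routing. With the GRE helper loaded, the tracked tunnel should show up as gre rather than unknown 47 in /proc/net/ip_conntrack (2.4) or /proc/net/nf_conntrack (2.6+).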

WAR_CH|LD
03-04-2004, 06:09 PM
I know, I have looked at the modules I have..... none of those are present.. they must be a result of the patching. I am as busy as ever right now, so this work has been put on the shelf till next week. :)

I'll play and get back to it. :) SO MUCH TO DO!!

I thank you deeply for your assistance. :)