Linode Forum
 Post subject: VPN iptables rules
PostPosted: Sun Sep 02, 2012 11:00 am 
Senior Newbie

Joined: Wed Feb 24, 2010 2:08 pm
Posts: 16
Hi,

I've been following this guide on setting up a VPN, which is nearly working.

http://wiki.nikoforge.org/L2TP/IPSec_VPN_Setup_on_Centos_6_(64-bit)_for_use_with_Android_ICS_and_iOS_5_Clients#Firewall.2FRouter_Configuration

The only issue I'm having is that if I disable iptables, I can connect, but any sites I request on my iPad don't get forwarded out to the internet.

If I turn on iptables, I can't connect at all. I haven't set up any port forwarding, which I believe I need to be able to do.

Could someone give me some pointers on what my iptables rules should look like?

The site above says I need to forward the following ports:

Port Protocol Description
500 UDP L2TP IKE
4500 UDP L2TP NAT-T
1701 UDP L2TP Traffic

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38 3582 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- any any anywhere loopback/8 reject-with icmp-port-unreachable
333 25029 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:isakmp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ipsec-nat-t
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:l2tp
9 540 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
18 5422 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
400 74181 ACCEPT all -- any any anywhere anywhere

Thanks!


 Post subject: Re: VPN iptables rules
PostPosted: Sun Sep 02, 2012 12:36 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
You'll want to allow UDP ports 500, 1701, and 4500 instead of the TCP ports.

The sole REJECT rule in the FORWARD chain is most likely going to be a problem, as well.

_________________
Code:
/* TODO: need to add signature to posts */


 Post subject: Re: VPN iptables rules
PostPosted: Sun Sep 02, 2012 12:46 pm 
Senior Newbie

Joined: Wed Feb 24, 2010 2:08 pm
Posts: 16
Thanks - I can now connect with iptables running, but I still can't get out externally on my iPad.

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:isakmp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:l2tp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipsec-nat-t
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

This is what I see in /var/log/messages:

Sep 2 16:43:57 server pppd[19239]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[500] used for NAT-T
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[500] used as isakmp port (fd=21)
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[4500] used for NAT-T
Sep 2 16:43:57 server racoon: INFO: 192.168.0.50[4500] used as isakmp port (fd=22)
Sep 2 16:43:57 server pppd[19239]: Cannot determine ethernet address for proxy ARP
Sep 2 16:43:57 server pppd[19239]: local IP address 192.168.0.50
Sep 2 16:43:57 server pppd[19239]: remote IP address 192.168.0.99
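The rule set above accepts the three UDP ports but has an empty FORWARD chain and no NAT, so client traffic arriving on the ppp interface has nowhere to go. The script below is an added example, not from the thread or the linked guide: it prints (or with --apply, executes) a complete rule set for an L2TP/IPsec server that forwards and masquerades client traffic, assuming the public interface is eth0 and pppd assigns clients from 192.168.0.0/24 as the log lines suggest; both are placeholders to adjust.

```shell
#!/bin/sh
# Example rule set for an L2TP/IPsec server whose clients reach the internet
# through it. Interface name and client pool below are assumptions.
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-192.168.0.0/24}"

# Emit the iptables commands for review; nothing is changed until --apply.
l2tp_ipsec_rules() {
    wan="$1"; vpn="$2"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# IKE and NAT-T are UDP, not TCP (the mistake in the first rule set)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# ESP for clients that are not behind NAT
iptables -A INPUT -p esp -j ACCEPT
# L2TP is only accepted when it arrives inside the IPsec tunnel, so
# plaintext UDP 1701 from the internet is still refused
iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
# Forward client traffic from the ppp interfaces out the WAN, replies back
iptables -A FORWARD -i ppp+ -o $wan -s $vpn -j ACCEPT
iptables -A FORWARD -i $wan -o ppp+ -d $vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
# Source NAT so client packets leave with the server's public address
iptables -t nat -A POSTROUTING -s $vpn -o $wan -j MASQUERADE
# Routing between interfaces is off by default on CentOS
sysctl -w net.ipv4.ip_forward=1
EOF
}

if [ "$1" = "--apply" ]; then
    l2tp_ipsec_rules "$WAN_IF" "$VPN_NET" | sh
else
    l2tp_ipsec_rules "$WAN_IF" "$VPN_NET"
fi
```

Run it once without arguments and compare the output against `iptables -L -v -n` before applying; the FORWARD and POSTROUTING rules are the ones missing from the listing above.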