
I have a PPTP VPN server. There are 5 users. I want to give each user one specific public IP address. I have been trying to do this with iptables.

IP information

Range: 50.250.█.81 to 50.250.█.85
CIDR Block: 50.250.█.80/29
Gateway IP Address: 50.250.█.86

iptables -t nat -A POSTROUTING -s 192.168.123.102 -o eth0 -j SNAT --to-source 50.250.█.82

I am using the above iptables rule. My problem is, PPTP users can connect to the VPN server but can't use the internet. My current iptables rules are:

iptables -t nat -L -v -n

 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1931 packets, 121K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 38 packets, 19511 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       0.0.0.0/0            192.168.123.102      to:50.250.█.82

Chain OUTPUT (policy ACCEPT 7 packets, 482 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables-save

# Generated by xtables-save v1.8.2 on Mon Oct 25 12:28:21 2021
*filter
:INPUT ACCEPT [749:298243]
:FORWARD ACCEPT [816:328055]
:OUTPUT ACCEPT [421:118874]
COMMIT
# Completed on Mon Oct 25 12:28:21 2021
# Generated by xtables-save v1.8.2 on Mon Oct 25 12:28:21 2021
*nat
:PREROUTING ACCEPT [42:11756]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [42:11756]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.123.102/32 -o eth0 -j SNAT --to-source 50.250.█.82
COMMIT
# Completed on Mon Oct 25 12:28:21 2021

ip route ls

default via 50.250.█.86 dev eth0 src 50.250.█.81 metric 202
default via 10.1.10.1 dev wlan0 proto dhcp src 10.1.10.203 metric 303
10.1.10.0/24 dev wlan0 proto dhcp scope link src 10.1.10.203 metric 303
50.250.█.80/29 dev eth0 proto dhcp scope link src 50.250.█.81 metric 202
192.168.123.101 dev ppp0 proto kernel scope link src 192.168.123.1
192.168.123.102 dev ppp1 proto kernel scope link src 192.168.123.1

cat /etc/ppp/chap-secrets

user1 pptpd password 192.168.123.101
user2 pptpd password 192.168.123.102
user3 pptpd password 192.168.123.103
user4 pptpd password 192.168.123.104
user5 pptpd password 192.168.123.105

What could be the reason? Thanks in advance.
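As an added example that is not part of the original post or its comments: a script that generalises the poster's single SNAT rule to all five chap-secrets users and prints the companion commands a troubleshooter would check. The public prefix is redacted on the page, so `PUB_PREFIX` is a placeholder; the 192.168.123.10N to .8N mapping follows the poster's 102 to .82 rule; `WAN_IF` and `PPP_NET` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: generalise the poster's single
# SNAT rule to all five chap-secrets users and print the companion commands a
# troubleshooter would check. It only prints; review, then run as root.
# Assumptions (ours): PUB_PREFIX stands for the redacted 50.250.x prefix;
# user N (192.168.123.10N) gets 50.250.x.8N, matching the poster's 102 -> .82;
# WAN_IF and PPP_NET are names chosen here.
PUB_PREFIX="${PUB_PREFIX:-50.250.REDACTED}"   # placeholder: octet redacted on page
WAN_IF="eth0"
PPP_NET="192.168.123.0/24"

# Public address for a PPP peer: 192.168.123.10N -> ${PUB_PREFIX}.8N
pub_for_peer() {
    last="${1##*.}"                      # 102
    echo "${PUB_PREFIX}.$((last - 20))"  # 82
}

# One SNAT rule per peer, same shape as the rule in the question.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $1/32 -o $WAN_IF -j SNAT --to-source $(pub_for_peer "$1")"
}

# The gateway (.86, same /29) resolves .82-.85 by ARP, and the host only answers
# for addresses it owns: SNAT to an address missing from eth0 gets packets out
# but no replies back. 'ip route ls' shows only .81 on eth0, so add the rest.
addr_add() {
    pub=$(pub_for_peer "$1")
    if [ "$pub" != "${PUB_PREFIX}.81" ]; then   # .81 is already configured
        echo "ip addr add $pub/29 dev $WAN_IF"
    fi
}

# Forwarding must be on (ip_forward=0 is one common cause of a SNAT counter
# stuck at 0 packets), and explicit FORWARD accepts keep working if the policy
# is later tightened from ACCEPT to DROP.
checks() {
    echo "sysctl net.ipv4.ip_forward   # must be 1"
    echo "iptables -A FORWARD -i ppp+ -o $WAN_IF -s $PPP_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "conntrack -F   # flush stale un-NATed flows, as suggested in the comments"
}

for n in 1 2 3 4 5; do
    peer="192.168.123.10$n"
    addr_add "$peer"
    snat_rule "$peer"
done
checks
```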

  • "it's not working" — and what's going on instead? What do you see? Also, it could help to flush the connection table (use `conntrack-tools`). Also, a side note: please, never do `iptables -L`. It hides important details. Always use `iptables-save`. I've encountered many cases when something did not work but appeared correct with `iptables -L`, and when we looked into `iptables-save`, it showed some additional match or option so the source of the problem became obvious. – Nikita Kipriyanov Oct 25 '21 at 11:20
  • Thanks, I updated the post. I flushed the connection table using `conntrack -F`, but users still can't access the internet. – Sakib Mahmud Oct 25 '21 at 11:38
  • "Can't access Internet" is a very vague symptom. You have to elaborate on it, to find out exactly how they can't access it. And you want them not only to access the Internet, but also to have a particular IP. Are they really being NATed to this IP? I think traffic capture is the best debug tool here, so try `tcpdump` and check which packets ingress from your VPN client and what they are being translated into. – Nikita Kipriyanov Oct 25 '21 at 11:42

0 Answers