It depends on whether the Poptop pptp server is running on your border firewall or on a separate server behind it. If it is on the firewall, use these rules, which follow the conventions used in Chapter 3 (note the double dash on --dport; a single dash is a common typo that iptables rejects):
$ipt -A INPUT -p tcp --dport 1723 -j ACCEPT
$ipt -A INPUT -p 47 -j ACCEPT
If you have a restrictive OUTPUT policy, add these rules to allow outgoing packets:
$ipt -A OUTPUT -p tcp --sport 1723 -j ACCEPT
$ipt -A OUTPUT -p 47 -j ACCEPT
Use these rules on a NAT iptables firewall to forward traffic to a separate pptp server, substituting your own interface names and network addresses. In this example, 172.16.1.10 is the address of the pptp server, and 2.3.4.5 is the WAN address. GRE (protocol 47) carries no port numbers, so the second PREROUTING rule sends every inbound GRE packet addressed to the WAN address to that one pptp server:
$ipt -t nat -A PREROUTING -i $WAN_IFACE -p tcp -d 2.3.4.5 --dport 1723 -j DNAT \
    --to-destination 172.16.1.10
$ipt -t nat -A PREROUTING -i $WAN_IFACE -p gre -d 2.3.4.5 -j DNAT \
    --to-destination 172.16.1.10
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p tcp --dport 1723 -d 172.16.1.10 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -p gre -d 172.16.1.10 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
If you have a restrictive FORWARD policy, these rules will let your VPN packets out:
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -p tcp -s 172.16.1.10 --sport 1723 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -p gre -s 172.16.1.10 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
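Both variants collected into one dry-run script, as an added example that is not part of the original recipe. It assumes the shell variables IPT, WAN_IFACE, LAN_IFACE, WAN_ADDR and PPTP_SERVER (standing in for the page's $ipt, interface names and placeholder addresses); with the default IPT="echo iptables" it prints the rules instead of applying them, so you can review the generated rule set before running it as root with IPT=iptables:

```shell
#!/bin/sh
# Added example (not from the original recipe): generate the Poptop/pptp
# iptables rules for both cases. IPT defaults to "echo iptables" so the
# rules are printed, not applied; set IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"          # assumed interface names
LAN_IFACE="${LAN_IFACE:-eth1}"
WAN_ADDR="${WAN_ADDR:-2.3.4.5}"         # the page's placeholder WAN address
PPTP_SERVER="${PPTP_SERVER:-172.16.1.10}"   # the page's pptp server address

# Case 1: Poptop runs on the firewall itself.
pptp_local_rules() {
    # control channel (1723/tcp) and the GRE tunnel (protocol 47)
    $IPT -A INPUT -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -p gre -j ACCEPT
    # only needed with a restrictive OUTPUT policy
    $IPT -A OUTPUT -p tcp --sport 1723 -j ACCEPT
    $IPT -A OUTPUT -p gre -j ACCEPT
}

# Case 2: Poptop runs on $PPTP_SERVER behind this NAT firewall.
pptp_forward_rules() {
    # rewrite the destination of inbound control and GRE packets;
    # GRE has no ports, so all inbound GRE to $WAN_ADDR goes to one server
    $IPT -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp -d "$WAN_ADDR" --dport 1723 \
        -j DNAT --to-destination "$PPTP_SERVER"
    $IPT -t nat -A PREROUTING -i "$WAN_IFACE" -p gre -d "$WAN_ADDR" \
        -j DNAT --to-destination "$PPTP_SERVER"
    # let the rewritten packets through FORWARD
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -p tcp -d "$PPTP_SERVER" --dport 1723 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -p gre -d "$PPTP_SERVER" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # replies back out; only needed with a restrictive FORWARD policy
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp -s "$PPTP_SERVER" --sport 1723 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p gre -s "$PPTP_SERVER" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check on the generated set: the forwarding case must contain
# exactly three GRE rules (DNAT, inbound FORWARD, outbound FORWARD).
count_gre_rules() {
    pptp_forward_rules | grep -c -- '-p gre'
}

# When executed directly, print both rule sets for review.
if [ "${0##*/}" = "pptp-rules.sh" ]; then
    pptp_local_rules
    pptp_forward_rules
fi
```

After applying the forwarding rules for real, watch the packet counters in `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` while a client connects: the 1723/tcp counters should move first, then the GRE counters once the tunnel comes up. If only the tcp rules count, the GRE traffic is being dropped or never reaching the firewall, which is the usual failure mode for PPTP through NAT.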
Refer to your /etc/protocols file for a short list of IP protocols; the Nmap package comes with a much longer list. Every protocol has a number as well as a name, and iptables accepts either, so -p gre and -p 47 mean the same thing.