Split screened subnet with VPN server

01-05-2006, 07:16 AM
jvstech@gmail.com

At my place of work, my first job is that of a programmer and my second
is that of a network engineer. In order to work securely and still have
[limited] internet access, I set up a split-screened subnet with all of
the development projects done on the intranet and all the serving done
on the extranet, as follows.

http://www.binswitch.net/net-diagram.gif

On our development server, which is running Windows 2000 Server, I
installed RRAS so that one other person and I can connect to it from
home and still be relatively secure while working on the software.

The Linux router is simply a headless thin client running FC4 with
iptables for all the routing. The regular router appliance between the
extranet and the intranet is a Dynex DX-E401 router that I had lying
around. I have the ports open and forwarding for PPTP, L2TP, and IPSec,
as well as GRE and IPSec NAT Traversal. However, I am still unable to
forward VPN traffic to the internal Windows 2000 server.

I wrote a shell script on the Linux router to forward all the necessary
services:

--------------------
#!/bin/bash

# forward - a simple bash script for port forwarding using iptables
# written by Jonathan

# The defined network interfaces to be used
WAN=eth2
LAN=eth1

# eth0 isn't really a DMZ, but that's what I'm calling it since it's
# just a dedicated trunk for the web server. This variable will
# probably never be used, but at least it's defined in case it is
# at some point in the future.
DMZ=eth0

# Actual code follows.
if [ -z "$1" ]
then
    echo "Please enter the TCP/IP protocol you wish to use (tcp/udp/icmp/etc...): "
    read NET_PROTOCOL
    echo "Please enter the port number you want to forward: "
    read PORT_NUM
    echo "Please enter the LAN destination address you want to forward port ${PORT_NUM} to: "
    read LOCAL_DEST
else
    NET_PROTOCOL=$1
    PORT_NUM=$2
    LOCAL_DEST=$3
fi

echo "Forwarding ${NET_PROTOCOL} port ${PORT_NUM} to ${LOCAL_DEST} on ${LAN}..."
# Inbound: match the destination port only. The client's source port is
# ephemeral, so a rule that also requires --sport ${PORT_NUM} never matches.
iptables -A FORWARD -p "${NET_PROTOCOL}" -i "${WAN}" -o "${LAN}" -d "${LOCAL_DEST}" --dport "${PORT_NUM}" -j ACCEPT
# Outbound replies leave from the forwarded port, so match --sport here.
iptables -A FORWARD -p "${NET_PROTOCOL}" -i "${LAN}" -o "${WAN}" -s "${LOCAL_DEST}" --sport "${PORT_NUM}" -j ACCEPT
# Rewrite the destination before routing so the packet is delivered to the LAN host.
iptables -t nat -A PREROUTING -i "${WAN}" -p "${NET_PROTOCOL}" --dport "${PORT_NUM}" -j DNAT --to-destination "${LOCAL_DEST}"
echo Done.
--------------------

Then, if I wanted to forward, say, POP3 to 10.0.0.9, I'd simply type:
../forward tcp 110 10.0.0.9

This has worked for all the servers on the extranet. I have also
forwarded TCP 1723, UDP 1701, UDP 500, and UDP 4500 to the intranet
router appliance. (To forward GRE, I had to type in the iptables
command manually.) I also configured these ports to go directly to the
VPN server from my intranet router. However, I am still unable to
connect to the Windows 2000 RRAS. During the connection attempt, it
simply won't even acknowledge that any kind of connection or
communication is being made.

Does anybody have any idea what is going on?

~Jonathan

01-05-2006, 07:16 AM
Ian

I'm a fish out of water when it comes to IPTABLES but I do notice that you
seem to be forwarding port 1723, which is good, but don't seem to have any
provision for protocol 47, unless I've missed it.

http://support.microsoft.com/?kbid=241251

01-05-2006, 07:16 AM
Jonathan

Well, I installed pptpproxy and that seemed to take care of the
situation. However, it still bothers me that it didn't work BEFORE I
installed this.

I had GRE being forwarded (as far as I know... tcpdump didn't seem to
think so, but then again, I'm still not entirely sure how to use it).

iptables -t nat -A PREROUTING -i ${WAN} -p 47 -j DNAT --to-destination ${LOCAL_DEST}
iptables -A FORWARD -p 47 -i ${WAN} -o ${LAN} -j ACCEPT

Oh well. As long as it works and is fairly secure, I'm happy.

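Pulling the three posts together, here is an added example (not Jonathan's forward script, and not the pptpproxy fix) of a router-side rule set that forwards both PPTP and L2TP/IPsec to one internal VPN server. It uses the interface names from the first post (eth2 as WAN, eth1 as LAN); the server address 10.0.0.9 and the file name vpn-forward.sh are assumptions. Its "show" mode, the default, prints the rules instead of applying them, so the ruleset can be inspected before it touches the firewall.

```shell
#!/bin/bash
# vpn-forward.sh - added example, not the script from the thread.
# Forwards PPTP (TCP 1723 + GRE) and L2TP/IPsec (UDP 500/4500/1701 + ESP)
# from the WAN side of an iptables router to one internal VPN server.
# WAN/LAN follow the post; VPN_SERVER is an assumed address.
WAN=${WAN:-eth2}
LAN=${LAN:-eth1}
VPN_SERVER=${VPN_SERVER:-10.0.0.9}

# IPT is the command used to emit each rule: iptables to apply, echo to
# preview. "show" is the default so a typo cannot silently alter the firewall.
case "${1:-show}" in
    apply) IPT=iptables ;;
    show)  IPT=echo ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac

# Forward one TCP or UDP port. Inbound traffic is matched on --dport only:
# the client's source port is ephemeral, so a rule that also requires
# --sport <port> on the inbound leg never fires.
fwd_port() {
    local proto=$1 port=$2
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$VPN_SERVER"
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$VPN_SERVER" \
        --dport "$port" -j ACCEPT
}

# Forward an IP protocol that has no ports: GRE (47) carries the PPTP
# tunnel, ESP (50) carries IPsec when NAT-T is not in use. Port-forwarding
# helpers never cover these, which is why a PPTP client can complete the
# TCP 1723 handshake and then hang without the tunnel coming up.
fwd_proto() {
    local proto=$1
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p "$proto" \
        -j DNAT --to-destination "$VPN_SERVER"
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$VPN_SERVER" -j ACCEPT
}

vpn_rules() {
    # Replies: one stateful rule instead of a --sport rule per service.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # PPTP: control channel, then the GRE data channel.
    fwd_port tcp 1723
    fwd_proto 47
    # L2TP/IPsec: IKE, NAT-T, L2TP, and raw ESP for peers not behind NAT.
    fwd_port udp 500
    fwd_port udp 4500
    fwd_port udp 1701
    fwd_proto 50
}

# Count emitted rules matching a pattern; useful for checking a preview.
count_rules() {
    IPT=echo vpn_rules | grep -c -- "$1" || true
}

vpn_rules
```

Run `./vpn-forward.sh show` to print the thirteen rules and `./vpn-forward.sh apply` to load them. To confirm on the router that GRE is actually being passed, capture on both sides with `tcpdump -ni eth2 'tcp port 1723 or ip proto 47'` and the same filter on eth1: a connection attempt that shows 1723 on both interfaces but protocol 47 only on eth2 is being port-forwarded but not protocol-forwarded. The Dynex appliance between the extranet and the intranet faces the same problem, since GRE has no port for a port-forwarding entry; consumer routers pass it only through a VPN/PPTP passthrough option or a DMZ-host setting.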