OpenWRT: iptables-based Firewall Rules for PPTP and IPsec
Just a handy little reference for myself.
Internal PPTP Server
vpnserver="172.16.1.10"
# $WAN is the WAN interface name (OpenWrt's firewall.user sets it); the pptp chain
# name is reused in the nat table below, which is fine since tables have separate chains

# filter table: let PPTP control (TCP 1723) and data (GRE) traffic reach the server
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
iptables -A pptp -p gre --dst $vpnserver -j ACCEPT
iptables -I FORWARD -j pptp

# nat table: redirect PPTP arriving on the WAN interface to the internal server
iptables -t nat -N pptp
iptables -t nat -A pptp -i $WAN -p tcp --dport 1723 -j DNAT --to $vpnserver
iptables -t nat -A pptp -i $WAN -p 47 -j DNAT --to $vpnserver   # protocol 47 = GRE
iptables -t nat -A PREROUTING -j pptp
# caveat: PPTP's MS-CHAPv2 authentication is cryptographically weak; prefer the IPsec setup below where possible
Gateway Router-based IPsec VPN
# input_rule / forwarding_rule / postrouting_rule are the user hook chains of OpenWrt's
# firewall.user script; $LAN is the LAN interface name it sets

# allow IPsec (ESP)
iptables -A input_rule -p esp -j ACCEPT

# allow ISAKMP (IKE)
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT

# allow NAT-T (IKE/ESP over UDP 4500)
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT

# disable NAT for communications with the remote LAN (ACCEPT in the nat chain skips MASQUERADE)
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT

# allow any traffic between tunnel LANs
# (ipsec0 is the KLIPS tunnel interface; the native kernel IPsec stack has no such interface)
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
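The two rule sets above, reworked as an added example (not from the original post or from OpenWrt): a POSIX shell script that validates the addresses it is given and renders the PPTP and IPsec rules as iptables-restore fragments, so a rule set can be syntax-checked and loaded atomically instead of as a sequence of individual iptables calls. Interface names (eth0.1, br-lan), the server address and the remote LAN prefix are constructed sample values; the hook chain names input_rule, forwarding_rule and postrouting_rule are taken from the page and are assumed to exist already, as they do under OpenWrt's firewall.user.

```shell
#!/bin/sh
# Added example, not part of the original post: build the page's PPTP and
# IPsec rules as iptables-restore fragments so they can be checked and loaded
# atomically. Assumptions: the caller supplies interface names and addresses;
# input_rule / forwarding_rule / postrouting_rule already exist (OpenWrt
# firewall.user hook chains), so the fragments are meant for --noflush loads.

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# True if $1 is an IPv4 prefix such as 172.16.0.0/24 (prefix length 0-32).
is_ipv4_cidr() {
    case "$1" in
        */*) is_ipv4 "${1%/*}" && echo "${1#*/}" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' ;;
        *) return 1 ;;
    esac
}

# PPTP to an internal server: DNAT TCP 1723 and GRE from the WAN interface,
# and accept the forwarded traffic. The FORWARD jump is inserted at the top
# (as on the page) so it precedes any final DROP, and is limited to packets
# arriving on the WAN interface, which the page's version does not do.
# Usage: pptp_rules WAN_IF SERVER_IP
pptp_rules() {
    wan=$1; vpnserver=$2
    is_ipv4 "$vpnserver" || { echo "pptp_rules: bad server address '$vpnserver'" >&2; return 1; }
    cat <<EOF
*nat
:pptp - [0:0]
-A pptp -i $wan -p tcp --dport 1723 -j DNAT --to-destination $vpnserver
-A pptp -i $wan -p gre -j DNAT --to-destination $vpnserver
-A PREROUTING -j pptp
COMMIT
*filter
:pptp - [0:0]
-A pptp -p tcp --dport 1723 -d $vpnserver -j ACCEPT
-A pptp -p gre -d $vpnserver -j ACCEPT
-I FORWARD -i $wan -j pptp
COMMIT
EOF
}

# IPsec gateway on the router: accept ESP, IKE (UDP 500) and NAT-T (UDP 4500)
# on the WAN, exempt the remote LAN from NAT, and forward between the local
# LAN and the ipsec0 tunnel interface (a KLIPS interface, as on the page).
# Usage: ipsec_rules WAN_IF LAN_IF REMOTE_LAN_CIDR
ipsec_rules() {
    wan=$1; lan=$2; remote=$3
    is_ipv4_cidr "$remote" || { echo "ipsec_rules: bad remote LAN '$remote'" >&2; return 1; }
    cat <<EOF
*filter
-A input_rule -i $wan -p esp -j ACCEPT
-A input_rule -i $wan -p udp --dport 500 -j ACCEPT
-A input_rule -i $wan -p udp --dport 4500 -j ACCEPT
-A forwarding_rule -i $lan -o ipsec0 -j ACCEPT
-A forwarding_rule -i ipsec0 -o $lan -j ACCEPT
COMMIT
*nat
-A postrouting_rule -d $remote -j ACCEPT
COMMIT
EOF
}

# Parse and build (but do not commit) a fragment read from stdin. Needs root
# and a system with iptables-restore; elsewhere the check is reported as skipped.
check_rules() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --noflush --test
    else
        cat >/dev/null
        echo "iptables-restore not found; syntax check skipped" >&2
    fi
}

# Dry run with constructed sample values: print what would be loaded.
if [ "${1:-}" = "--print" ]; then
    pptp_rules eth0.1 172.16.1.10
    ipsec_rules eth0.1 br-lan 172.16.0.0/24
fi
```

Run it as `sh rules.sh --print` to see the fragments, or pipe a fragment through `check_rules` before `iptables-restore --noflush` on the router. One point worth keeping in mind when reusing the IPsec part: the `ipsec0` interface only exists with the KLIPS stack; with the native kernel IPsec stack there is no tunnel interface, and the forwarding rules would have to match on policy (`-m policy --pol ipsec`) instead.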