* PPTP through masquerading gateway
From: Marc Riddle @ 2002-07-08 18:16 UTC (permalink / raw)
To: netfilter
I have read everything I can find on the subject and can't seem to find a working solution anywhere. I have an NT 4.0 server running a PPTP server inside a private network that is connected to the internet via a linux 2.4 box running ip masquerading using iptables. The masquerading works fine for clients to get out, but I'm trying to enable external connections in to the PPTP server. Currently I have the following rules set up; as far as I can tell they should work, but I am unable to establish a connection. The PPTP server is running on 10.1.1.15, and I am able to connect to it from inside the router so I know that it is running fine. I've been banging my head against a desk for about a week now and nothing I've tried seems to work. Any advice would be greatly appreciated. Thanks in advance. Oh yeah, currently the rules below are the only rules set up for testing, so no incoming packets are being filtered that I know of.
Thanks again,
Marc Riddle
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1723 -j DNAT --to 10.1.1.15
iptables -t nat -A PREROUTING -i ppp0 -p 47 -j DNAT --to 10.1.1.15
* RE: PPTP through masquerading gateway
From: Aldo S. Lagana @ 2002-07-08 19:15 UTC (permalink / raw)
To: 'Marc Riddle', netfilter
Are you using the POM ip_conntrack_pptp module (or compiled into
kernel)?
I am fairly sure that NAT of any type 'breaks' PPTP connections, and the
above module is needed for you to NAT the PPTP connections...
* RE: PPTP through masquerading gateway
From: Rowan Reid @ 2002-07-08 20:54 UTC (permalink / raw)
To: 'Aldo S. Lagana', 'Marc Riddle', netfilter
I've been trying to get this to work, with no luck. I've used the POM
module, which fails every time I try to patch my kernel 2.4.4 and up;
no luck even on a freshly downloaded kernel. Other patches work but pptp
does not. I tried another patch which patched my 2.4.18 kernel,
but all my connections fail to make it to my server. I would love to
talk to at least one person who HAS gotten this to work.
* RE: PPTP through masquerading gateway
From: Aldo S. Lagana @ 2002-07-08 21:06 UTC (permalink / raw)
To: 'Rowan Reid', 'Marc Riddle', netfilter
I am in the process of using that module to allow 'outgoing' from behind
a Linux firewall - which is a little different than your situation.
I have gotten the POM module to patch cleanly against 2.4.16 with
iptables 1.2.5, now I just need to get that test box out on the wire to
give it a go...
I'll let you know if my scenario works out...
* RE: PPTP through masquerading gateway
From: R. Sterenborg @ 2002-07-08 22:31 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-admin@lists.samba.org [mailto:netfilter-admin@lists.samba.org] On Behalf Of Rowan Reid
> Subject: RE: PPTP through masquerading gateway
>
> I've been trying to get this to work, with no luck. I've used the POM module which
> fails every time I try to patch my kernel 2.4.4 and up;
> no luck even on a freshly downloaded kernel. Other patches work but pptp does not. I
> tried another patch which patched my 2.4.18 kernel,
> but all my connections fail to make it to my server. I would love to talk to
> at least one person who HAS gotten this to work.
Ok.. I did it this way.
I'm going through it step by step, so don't flame me for describing steps
that seem obvious.
I used :
- kernel 2.4.17 (Because the patch is for *that* kernel. I'm no hacker so
I'm not going to try it on another kernel...).
- the PPTP kernel patch from
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html.
- iptables-1.2.6a.
- the default gcc from RH-7.3 (2.96, I know, I know...)
Untar the kernel source to /usr/src/linux.
Untar the patch to /usr/src.
Untar iptables to /usr/src/iptables-1.2.6a
cd /usr/src
patch -p0 < netfilter-pptp-2.4.17-rev2.patch
cd /usr/src/iptables-1.2.6a
make pending-patches KERNEL_DIR=/usr/src/linux
If all went well go ahead and configure your kernel.
cd /usr/src/linux
make xconfig (or whatever you like to use)
Check all (networking) options that apply.
There are two new options in the kernel config :
- Networking options -> IP: Netfilter Configuration -> PPTP protocol support
- Networking options -> IP: Netfilter Configuration -> PPTP verbose debug
Make sure you check the first.
If you want ***LOTS*** of logging in syslog, also check the second.
(You could try that, see what it's all about when you got it to work and
after that recompile the kernel without it ;o] You don't need it for normal
operation.)
make dep clean
make bzImage (or some other ?)
make modules modules_install
Copy the ./arch/i386/boot/bzImage file to /boot
Copy ./System.map to /boot
Change your lilo.conf or grub.conf to let the new kernel show up in the
bootmanager. (Lilo needs you to run "lilo" to reflect the changes.)
cd /usr/src/iptables-1.2.6a
make KERNEL_DIR=/usr/src/linux
make install KERNEL_DIR=/usr/src/linux
Reboot and make sure to boot the new kernel.
Now for the forwarding rules.
I'm taking values from this post. Since it's not mentioned, I take eth0 as
the LAN NIC.
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES
Table 3-1. We are forwarding packets -> our packets will be going through
the PREROUTING chain and the FORWARD chain, so we'll need rules for both of
them.
iptables -A FORWARD -p tcp -i ppp0 -o eth0 -d 10.1.1.15 --dport 1723 -j ACCEPT
iptables -A FORWARD -p 47 -i ppp0 -o eth0 -d 10.1.1.15 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ppp0 -d <external-ip> --dport 1723 -j DNAT --to 10.1.1.15:1723
iptables -t nat -A PREROUTING -p 47 -i ppp0 -d <external-ip> -j DNAT --to 10.1.1.15
Of course you need to set additional rules for your firewall to work.
Well, this should do it. It does for me.
Hope I was of help and wasn't talking too much rubbish.
Rob
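The rule set that Marc's first post asks for and that Rob's answer above spells out, as an added example that is not code from anyone in this thread. It generates the full set (the nat DNAT rules from the first post plus the FORWARD rules Rob adds, plus the server's return path) and includes a checker that reports which of the required pieces a given rule list lacks. Interface names ppp0 and eth0 and the server 10.1.1.15 are the thread's; the external address 198.51.100.10 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: the complete iptables rule
# set for reaching a PPTP server behind a masquerading gateway, plus a check that
# a given rule list covers everything the forward needs.
# Names taken from the thread: ppp0 (Internet side), eth0 (LAN side, Rob's
# assumption), server 10.1.1.15. The external address 198.51.100.10 is a
# constructed placeholder; put your gateway's public address there.

# PPTP is two flows: the control channel on tcp/1723 and the GRE tunnel, IP
# protocol 47. Each one must be DNATed in nat/PREROUTING *and* accepted in
# filter/FORWARD (the first post only had the nat half), and the server's
# replies must be allowed back out.
pptp_rules() {
    wan=$1
    lan=$2
    server=$3
    ext=$4
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -t nat -A PREROUTING -i $wan -d $ext -p tcp --dport 1723 -j DNAT --to-destination $server:1723
iptables -t nat -A PREROUTING -i $wan -d $ext -p 47 -j DNAT --to-destination $server
iptables -A FORWARD -i $wan -o $lan -d $server -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $server -p 47 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $server -p tcp --sport 1723 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $server -p 47 -j ACCEPT
EOF
}

# Read a rule list on stdin (iptables commands or iptables-save lines, where
# protocol 47 may be spelled "gre") and report which of the four required
# pieces are missing. Returns 0 when nothing is missing.
check_pptp_coverage() {
    rl=$(cat)
    missing=""
    for want in "PREROUTING.*-p tcp.*--dport 1723.*DNAT" \
                "PREROUTING.*-p (47|gre).*DNAT" \
                "FORWARD.*-p tcp.*--dport 1723.*ACCEPT" \
                "FORWARD.*-p (47|gre).*ACCEPT"; do
        printf '%s\n' "$rl" | grep -qE -- "$want" || missing="$missing [$want]"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# True if a PPTP connection-tracking helper module is loaded (the POM
# ip_conntrack_pptp module from the thread; nf_conntrack_pptp on current
# kernels). Without it the gateway cannot match GRE packets to the control
# session and the tunnel through NAT fails. Not conclusive when the helper is
# built into the kernel rather than loaded as a module.
pptp_helper_loaded() {
    grep -qE '^(ip|nf)_conntrack_pptp ' /proc/modules 2>/dev/null
}

# Stand-alone run: check the rules, then print them; PPTP_APPLY=1 (as root)
# executes them instead of printing.
rules=$(pptp_rules ppp0 eth0 10.1.1.15 198.51.100.10)
printf '%s\n' "$rules" | check_pptp_coverage >/dev/null || exit 1
pptp_helper_loaded || echo "warning: no PPTP conntrack helper module loaded" >&2
if [ "${PPTP_APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | sh -e
else
    printf '%s\n' "$rules"
fi
```

Feeding the three rules from the first post into check_pptp_coverage reports both FORWARD pieces as missing, which is the gap Rob's answer closes; a running gateway can be checked the same way with `iptables-save | sh -c '. ./pptp-rules.sh; check_pptp_coverage'` once the functions are in a file.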
* RE: PPTP through masquerading gateway
From: Rowan Reid @ 2002-07-08 23:44 UTC (permalink / raw)
To: 'R. Sterenborg', netfilter
> I used :
> - kernel 2.4.17 (Because the patch is for *that* kernel. I'm
> no hacker so I'm not going to try it on another kernel...).
> - the PPTP kernel patch from
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html.
> - iptables-1.2.6a.
> - the default gcc from RH-7.3 (2.96, I know, I know...)
I'm using 2.4.18, I know not designed for the patch. My FS only
works with 2.4.18. Someone told me the 2.4.17rev2 patch works
with 2.4.18; it doesn't unless you use
patch -p1 < netfilter-pptp-2.4.17-rev2.patch
>
> Untar the kernel source to /usr/src/linux.
> Untar the patch to /usr/src.
> Untar iptables to /usr/src/iptables-1.2.6a
>
> cd /usr/src
> patch -p0 < netfilter-pptp-2.4.17-rev2.patch
>
> cd /usr/src/iptables-1.2.6a
> make pending-patches KERNEL_DIR=/usr/src/linux
Correct me if I'm wrong, doesn't the INSTALL file say you
need a 2.4.4 kernel in order for it to work?
>
> If all went well go ahead and configure your kernel.
> cd /usr/src/linux
> make xconfig (or whatever you like to use)
>
> Check all (networking) options that apply.
> There are two new options in the kernel config :
> - Networking options -> IP: Netfilter Configuration -> PPTP
> protocol support
> - Networking options -> IP: Netfilter Configuration -> PPTP
> verbose debug Make sure you check the first. If you want
When I patched or pseudo-patched it, the pptp option did show up.
> cd /usr/src/iptables-1.2.6a
> make KERNEL_DIR=/usr/src/linux
> make install KERNEL_DIR=/usr/src/linux
Interesting you did this after compiling the kernel.
>
> Reboot and make sure to boot the new kernel.
>
> Now for the forwarding rules.
> I'm taking values from this post. Since it's not mentioned, I
> take eth0 as the LAN NIC.
> http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.
> iptables -A FORWARD -p tcp -i ppp0 -o eth0 -d 10.1.1.15 --dport 1723 -j ACCEPT
> iptables -A FORWARD -p 47 -i ppp0 -o eth0 -d 10.1.1.15 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -i ppp0 -d <external-ip> --dport 1723 -j DNAT --to 10.1.1.15:1723
> iptables -t nat -A PREROUTING -p 47 -i ppp0 -d <external-ip> -j DNAT --to 10.1.1.15
I used the same commands to test it. I will try the order you used.
Thanks for taking the time though.
What I'm trying most desperately not to do is have to revert back to ext2
and a 2.4.17 kernel.
* Re: PPTP through masquerading gateway
From: R. Sterenborg @ 2002-07-09 6:17 UTC (permalink / raw)
To: netfilter
----- Original Message -----
From: "Rowan Reid" <rreid@studio3arc.com>
Subject: RE: PPTP through masquerading gateway
> I'm using 2.4.18 I know not designed for the patch, My FS only
> Works with 2.4.18. Someone told me the 2.4.17rev2 Patch works
> With 2.4.18 it doesn't unless you use
>
> patch -p1 < netfilter-pptp-2.4.17-rev2.patch
>
Uhm. well, I don't use ReiserFS, I use ext3.
I can't help you with that.
A patch that's working for 2.4.17 could also be working for 2.4.18, but I
don't know.
At work I have a test setup and I'll try it there.
> Correct me if I'm wrong doesn't the INSTALL file say you
> Need a 2.4.4 kernel in order for it to work.
>
No, it says :
PROBLEMS YOU MAY ENCOUNTER:
1) This package requires a 2.4.4 kernel, *or above*.
> > cd /usr/src/iptables-1.2.6a
> > make KERNEL_DIR=/usr/src/linux
> > make install KERNEL_DIR=/usr/src/linux
>
> Interesting you did this after compiling the kernel.
>
Hmm, I've thought about doing it before compiling the kernel, but the
iptables compilation process might be using things from the kernel (you have
to mention a KERNEL_DIR yourself or use the default one in Makefile).
Mind you again ; I'm not a C programmer so I can't read all that and that
means I might have it all wrong.
Anyway, I thought it couldn't hurt to compile the kernel first ; it's
patched already so that shouldn't be the problem.
And I have a working setup :o)
> bles-tutorial.
>
Heheh, yeah. Wasn't sure myself so I looked it up before posting ;o]
> I used the same commands to test it. I will try the order you used.
> Thanks for taking the time though.
> What I'm trying most desperatly not to do is have to revert back to ext2
> and a 2.4.17 kernel.
>
I'll try kernel 2.4.18 for you and let you know if it works for me.
Besides, if 2.4.18 fails, maybe you could switch to ext3 which is also
journalling? (I don't know the cons and pros between the 2 so I'm not going
to talk about that. Just wanted to mention it.)
Good luck !
Rob
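The -p0 versus -p1 disagreement between Rowan and Rob above comes down to where you stand when you run patch: -pN strips N leading path components from the file names inside the diff, so a diff whose paths begin with linux/ applies with -p0 from /usr/src and with -p1 from /usr/src/linux. The following added example, not code from anyone in this thread, works out the right level for a diff from the current directory without running patch at all. The sample tree and diff it builds are constructed for the demonstration; nothing about the real netfilter-pptp-2.4.17-rev2.patch layout is assumed beyond what the thread's commands imply.

```shell
#!/bin/sh
# Added example, not from anyone in this thread: find the -pN a unified diff
# needs from the directory you are standing in, before running patch for real.
# -pN strips N leading path components from the file names in the diff, so a
# patch whose paths start with "linux/" applies with -p0 from /usr/src and with
# -p1 from /usr/src/linux. Pure POSIX sh; the patch binary is not needed.

# Strip n leading components from a path; fail if there are not enough.
strip_components() {
    sc_path=$1
    sc_n=$2
    while [ "$sc_n" -gt 0 ]; do
        case $sc_path in
            */*) sc_path=${sc_path#*/} ;;
            *)   return 1 ;;
        esac
        sc_n=$((sc_n - 1))
    done
    printf '%s\n' "$sc_path"
}

# Target file names from the "+++ " lines of a diff, with the timestamp that
# follows the name (after a tab or a space) dropped.
patch_targets() {
    sed -n 's/^+++ //p' "$1" | cut -f1 | cut -d' ' -f1
}

# Print the smallest N in 0..3 at which every target named in the diff exists
# below the current directory; return 1 if no level fits. (Targets with
# whitespace in their names are not handled.)
detect_patch_level() {
    for lvl in 0 1 2 3; do
        ok=1
        for t in $(patch_targets "$1"); do
            [ "$t" = /dev/null ] && continue      # deleted file, nothing to find
            f=$(strip_components "$t" "$lvl") && [ -f "$f" ] || { ok=0; break; }
        done
        if [ "$ok" -eq 1 ]; then
            echo "$lvl"
            return 0
        fi
    done
    return 1
}

# Constructed sample: a tree shaped like /usr/src with a linux/ subtree, an
# unrelated directory, and a diff whose paths start with "linux/" (the layout
# implied by running "patch -p0" from /usr/src in the thread). Prints the
# temporary directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/linux/net/ipv4/netfilter" "$d/other"
    printf 'int sample;\n' > "$d/linux/net/ipv4/netfilter/pptp_sample.c"
    cat > "$d/pptp.patch" <<'EOF'
--- linux/net/ipv4/netfilter/pptp_sample.c.orig	2002-07-08 00:00:00
+++ linux/net/ipv4/netfilter/pptp_sample.c	2002-07-08 00:00:00
@@ -1 +1,2 @@
 int sample;
+int sample_rev2;
EOF
    echo "$d"
}

# Stand-alone run: the same patch needs a different -p from each directory.
demo_dir=$(make_sample_tree)
echo "from $demo_dir:       -p$(cd "$demo_dir" && detect_patch_level pptp.patch)"
echo "from $demo_dir/linux: -p$(cd "$demo_dir/linux" && detect_patch_level ../pptp.patch)"
rm -rf "$demo_dir"
```

On a real source tree, `cd /usr/src && detect_patch_level netfilter-pptp-2.4.17-rev2.patch` prints the level to pass to patch, and a non-zero exit means none of the diff's targets are where the diff expects them, which is worth knowing before patch starts asking "File to patch:" or creating files in the wrong place.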
* RE: PPTP through masquerading gateway
From: Rowan Reid @ 2002-07-09 22:35 UTC (permalink / raw)
To: 'R. Sterenborg', netfilter
First off thanks for taking the time.
> Anyway, PPTP forwarding with kernel 2.4.18 works, so you
> should be able to do it too (and use ReiserFS) :o)
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
I'm assuming you used the above patch with
zcat patchfile.gz | patch -l -p1
This is the only way I got it to work.
> If you portscan port tcp/1723 to your external gateway IP
> from *another external IP*, what is the state of the port ?
> Don't portscan to the external IP from the machine itself or
> from any host behind iptables being NATted on that gateway.
> The results will be meaningless, it's like if there's no
> iptables running at all.
My test situation is basically two networks, 192.168.2.0/24
and 192.168.1.0/24, with my firewall playing router. I test
from a single machine on 192.168.1.0/24. Knowing that you got this
to work I'll put some more time into troubleshooting it.
> Hope this helps,
>
It’s a great start
* Re: PPTP through masquerading gateway
From: R. Sterenborg @ 2002-07-10 6:10 UTC (permalink / raw)
To: Rowan Reid; +Cc: netfilter
----- Original Message -----
From: "Rowan Reid" <rreid@studio3arc.com>
Subject: RE: PPTP through masquerading gateway
> First off thanks for taking the time.
>
No problem. Now I know that we can upgrade to a newer kernel.
I didn't take the time to test it before this.
> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
>
> I'm assuming you used the above patch with the
>
I used another link, but yes : it's the same file.
> zcat patchfile.gz | patch -l -p1
>
> Patch this is the only way I got it to work.
>
Also correct.
> My test situation is basically two networks 192.168.2.0/24
> And 192.168.1.0/24 with my Firewall playing router. I test
> From a single machine on 192.168.1.0/24. knowing that you got this
> To work I'll put some more time into trouble shooting it.
>
Success !
Rob