* ipv6 and state matching
@ 2003-03-24 20:08 Trever L. Adams
  2003-03-25  8:33 ` Jozsef Kadlecsik
From: Trever L. Adams @ 2003-03-24 20:08 UTC (permalink / raw)
  To: netfilter

I am unable to find any questions about this.  I really love state
matching in ipv4.  I find that w/ RedHat 8.0 and Phoebe (8.1.99 or
something like that), that I cannot do this.  This does indeed seem to
be an accurate state.

Are there plans on doing state support?  Is it all that much more
difficult?

Thank you,
Trever Adams

P.S. Please, cc me in any answers, I am not currently on the list.
--
"We want a few mad people now. See where the sane ones have landed us!"
-- George Bernard Shaw (1856-1950)




* Re: ipv6 and state matching
  2003-03-24 20:08 ipv6 and state matching Trever L. Adams
@ 2003-03-25  8:33 ` Jozsef Kadlecsik
  2003-03-25 13:08   ` Microsoft PPTP VPN server behind FIREWALL Remus
  2003-03-25 15:53   ` ipv6 and state matching Trever L. Adams
From: Jozsef Kadlecsik @ 2003-03-25  8:33 UTC (permalink / raw)
  To: Trever L. Adams; +Cc: netfilter

On 24 Mar 2003, Trever L. Adams wrote:

> I am unable to find any questions about this.  I really love state
> matching in ipv4.  I find that w/ RedHat 8.0 and Phoebe (8.1.99 or
> something like that), that I cannot do this.  This does indeed seem to
> be an accurate state.

Brad Chapman had an attempt to port IPv4 conntrack to IPv6 but his code
was never accepted.

Last year I worked on the prototype of a unified conntrack code, but it
was never released. Unfortunately just conntrack doesn't seem to be enough
- one is tempted to implement NAPT etc. as well.

> Are there plans on doing state support?  Is it all that much more
> difficult?

A straight porting is not so difficult, but that direction cannot be
followed because it would result in a severe code-duplication.
Unification takes a lot of time.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary




* Microsoft PPTP VPN server behind FIREWALL
  2003-03-25  8:33 ` Jozsef Kadlecsik
@ 2003-03-25 13:08   ` Remus
  2003-03-25 15:22     ` Ilguiz Latypov
  2003-03-25 17:37     ` Rowan Reid
  2003-03-25 15:53   ` ipv6 and state matching Trever L. Adams
From: Remus @ 2003-03-25 13:08 UTC (permalink / raw)
  To: netfilter

Hi folks,

I have the Microsoft PPTP VPN server running behind my Firewall with MASQ.

I tried to use this command to make a forward to the internal IP address:
iptables -t nat -A PREROUTING -d $EXTERNALIP -p tcp --dport 1723 -j
DNAT --to 192.168.1.150:1723
But it doesn't work, I mean I cannot connect to my VPN server from outside.

Any ideas or issues?

Thank you in advance for the help. :-)

Remus





* Re: Microsoft PPTP VPN server behind FIREWALL
  2003-03-25 13:08   ` Microsoft PPTP VPN server behind FIREWALL Remus
@ 2003-03-25 15:22     ` Ilguiz Latypov
  2003-03-25 17:37     ` Rowan Reid
From: Ilguiz Latypov @ 2003-03-25 15:22 UTC (permalink / raw)
  To: Remus; +Cc: netfilter


On Tue, 25 Mar 2003, Remus wrote:

> I tried to use this command to make a forward to the internal IP address:
> iptables -t nat -A PREROUTING -d $EXTERNALIP -p tcp --dport 1723 -j
> DNAT --to 192.168.1.150:1723
> But it doesn't work, I mean I cannot connect to my VPN server from outside.


The FAQ on PPTP NAT suggests to forward all IP packets of protocol 47
(GRE) in addition to the TCP port 1723 packets.

--
Ilguiz Latypov
Net Integration Technologies, Inc

tel. +1 (514) 281 9191 x 117





* Re: ipv6 and state matching
  2003-03-25  8:33 ` Jozsef Kadlecsik
  2003-03-25 13:08   ` Microsoft PPTP VPN server behind FIREWALL Remus
@ 2003-03-25 15:53   ` Trever L. Adams
  2003-03-25 23:33     ` Jozsef Kadlecsik
From: Trever L. Adams @ 2003-03-25 15:53 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

On Tue, 2003-03-25 at 03:33, Jozsef Kadlecsik wrote:
> On 24 Mar 2003, Trever L. Adams wrote:
> 
> > I am unable to find any questions about this.  I really love state
> > matching in ipv4.  I find that w/ RedHat 8.0 and Phoebe (8.1.99 or
> > something like that), that I cannot do this.  This does indeed seem to
> > be an accurate state.
> 
> Brad Chapman had an attempt to port IPv4 conntrack to IPv6 but his code
> was never accepted.
> 
> Last year I worked on the prototype of a unified conntrack code, but it
> was never released. Unfortunately just conntrack doesn't seem to be enough
> - one is tempted to implement NAPT etc. as well.
> 

What is NAPT? Do you mean NAT?  Why was yours never released?

> > Are there plans on doing state support?  Is it all that much more
> > difficult?
> 
> A straight porting is not so difficult, but that direction cannot be
> followed because it would result in a severe code-duplication.
> Unification takes a lot of time.
> 
> Best regards,
> Jozsef

Hmm, what is the desired route right now?  Are they wanting to just
share code base (lots of ifdefs all over) or are they wanting to
actually have the two code bases use the same binary object?

If one object is desired, can you just use ipv6 structs (whatever ones
are involved) in all cases, or should there be a flag and use pointers
so that each connection uses the appropriate structures?

I am willing to give this a go, I think.  However, this would be my
first "major" work in the kernel (I have only helped a bit with cipe
before).  I am not sure how great it would be.

Trever Adams
--
"There's no such things as guaranteed return on anything these days." --
John S. Demott




* RE: Microsoft PPTP VPN server behind FIREWALL
@ 2003-03-25 16:57 Daniel Chemko
From: Daniel Chemko @ 2003-03-25 16:57 UTC (permalink / raw)
  To: Remus, netfilter

PPTP also uses ip protocol 47, so use something like:

iptables -t nat -A PREROUTING -d $EXTERNALIP -p 47 -j DNAT --to
192.168.1.150

I know there was a conntrack module, and I am not sure if that was only
for SNAT or if it did DNAT as well.

-----Original Message-----
From: Remus [mailto:rmocius@auste.elnet.lt] 
Sent: Tuesday, March 25, 2003 5:09 AM
To: netfilter@lists.netfilter.org
Subject: Microsoft PPTP VPN server behind FIREWALL

Hi folks,

I have the Microsoft PPTP VPN server running behind my Firewall with
MASQ.

I tried to use this command to make a forward to the internal IP address:
iptables -t nat -A PREROUTING -d $EXTERNALIP -p tcp --dport 1723 -j
DNAT --to 192.168.1.150:1723
But it doesn't work, I mean I cannot connect to my VPN server from
outside.

Any ideas or issues?

Thank you in advance for the help. :-)

Remus
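The two answers above say the same thing from different angles: a PPTP session is a TCP/1723 control connection plus a separate stream of GRE (IP protocol 47) packets, and a DNAT rule that matches only `-p tcp --dport 1723` never sees the GRE half, so the tunnel fails after the control channel comes up. The following added example (not code from the thread or from the netfilter project) parses the two iptables command lines quoted in this thread and simulates only the nat/PREROUTING DNAT step against a constructed TCP/1723 packet and a constructed GRE packet, showing which half of the session each ruleset forwards. The external address `203.0.113.10` is a constructed documentation value; the simulation deliberately models nothing of conntrack or of the filter FORWARD chain, which must also accept the forwarded traffic on a real gateway.

```python
"""Simulate iptables nat/PREROUTING DNAT matching for PPTP (TCP/1723 + GRE)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_NAMES = {"tcp": 6, "udp": 17, "gre": 47}
PROTO_TCP = 6
PROTO_GRE = 47  # PPTP carries the tunnelled data in GRE, not in TCP


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: int
    dport: Optional[int] = None  # only meaningful for TCP/UDP


@dataclass(frozen=True)
class DnatRule:
    """One `-t nat -A PREROUTING -d DST -p PROTO [--dport PORT] -j DNAT --to TARGET` rule."""
    dst: str
    proto: int
    to: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.dst or pkt.proto != self.proto:
            return False
        # A rule without --dport (e.g. "-p 47") matches every packet of that protocol.
        return self.dport is None or pkt.dport == self.dport


def parse_dnat_rule(cmd: str, env: Dict[str, str]) -> DnatRule:
    """Parse an `iptables -t nat -A PREROUTING ... -j DNAT --to X` command line.

    Only the options used in the thread are understood; `$NAME` tokens are
    expanded from `env` the way the shell would before iptables ran.
    """
    argv = shlex.split(cmd)
    if argv[:5] != ["iptables", "-t", "nat", "-A", "PREROUTING"]:
        raise ValueError("not a nat PREROUTING rule: " + cmd)
    opts: Dict[str, str] = {}
    for flag, val in zip(argv[5::2], argv[6::2]):
        opts[flag] = env.get(val[1:], val) if val.startswith("$") else val
    if opts.get("-j") != "DNAT":
        raise ValueError("not a DNAT rule: " + cmd)
    proto = opts["-p"].lower()
    proto_num = PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto)
    dport = int(opts["--dport"]) if "--dport" in opts else None
    return DnatRule(opts["-d"], proto_num, opts["--to"], dport)


def prerouting(rules: List[DnatRule], pkt: Packet) -> Optional[str]:
    """Return the DNAT target of the first matching rule, or None if the packet falls through."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to
    return None


def pptp_forwarded(rules: List[DnatRule], external_ip: str) -> Dict[str, Optional[str]]:
    """Report where each half of a PPTP session ends up under the given ruleset."""
    control = Packet(external_ip, PROTO_TCP, 1723)  # constructed control-channel packet
    data = Packet(external_ip, PROTO_GRE)           # constructed GRE data packet
    return {"tcp1723": prerouting(rules, control), "gre": prerouting(rules, data)}


def pptp_ruleset_complete(rules: List[DnatRule], external_ip: str) -> bool:
    """True only if both the TCP/1723 control channel and GRE are forwarded."""
    result = pptp_forwarded(rules, external_ip)
    return result["tcp1723"] is not None and result["gre"] is not None


# Constructed environment: the value the shell would substitute for $EXTERNALIP.
ENV = {"EXTERNALIP": "203.0.113.10"}

# The rule from the original post, exactly as quoted in the thread.
TCP_ONLY = [parse_dnat_rule(
    "iptables -t nat -A PREROUTING -d $EXTERNALIP -p tcp --dport 1723 -j DNAT --to 192.168.1.150:1723",
    ENV)]
# The same plus the GRE rule suggested in the reply.
TCP_AND_GRE = TCP_ONLY + [parse_dnat_rule(
    "iptables -t nat -A PREROUTING -d $EXTERNALIP -p 47 -j DNAT --to 192.168.1.150", ENV)]

if __name__ == "__main__":
    for name, rules in (("tcp-only", TCP_ONLY), ("tcp+gre", TCP_AND_GRE)):
        verdict = "complete" if pptp_ruleset_complete(rules, ENV["EXTERNALIP"]) else "incomplete"
        print(name, pptp_forwarded(rules, ENV["EXTERNALIP"]), verdict)
```

Running the block prints that the tcp-only ruleset forwards the control channel but leaves GRE with no target, while the tcp+gre ruleset forwards both. Note that `-p 47` without a port qualifier matches every GRE packet addressed to the external IP, so on a gateway that also terminates other GRE tunnels a more specific match is needed.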






* RE: Microsoft PPTP VPN server behind FIREWALL
  2003-03-25 13:08   ` Microsoft PPTP VPN server behind FIREWALL Remus
  2003-03-25 15:22     ` Ilguiz Latypov
@ 2003-03-25 17:37     ` Rowan Reid
  2003-03-25 18:34       ` bill davidsen
From: Rowan Reid @ 2003-03-25 17:37 UTC (permalink / raw)
  To: 'Remus', netfilter


> 
> I tried to use this command to make a forward to the internal IP 
> address: iptables -t nat -A PREROUTING -d $EXTERNALIP -p tcp 
> --dport 1723 -j DNAT --to 192.168.1.150:1723 But it doesn't 
> work, I mean I cannot connect to my VPN server from outside.
> 
> Any ideas or issues?


FYI iptables does not support pptp filtering. In order to support it you
need to apply the pptp patch from patchomatic. In my experience it's not
worth it. I ended up using FreeSwan installed on my firewall gateway as
my VPN solution.




* Re: Microsoft PPTP VPN server behind FIREWALL
  2003-03-25 17:37     ` Rowan Reid
@ 2003-03-25 18:34       ` bill davidsen
From: bill davidsen @ 2003-03-25 18:34 UTC (permalink / raw)
  To: rreid

In article <001501c2f2f5$2b662920$1001a8c0@s3ac> you write:
| 
| > 
| > I tried to use this command to make a forward to the internal IP 
| > address: iptables -t nat -A PREROUTING -d $EXTERNALIP -p tcp 
| > --dport 1723 -j DNAT --to 192.168.1.150:1723 But it doesn't 
| > work, I mean I cannot connect to my VPN server from outside.
| > 
| > Any ideas or issues?
| 
| 
| FYI iptables does not support pptp filtering. In order to support it you
| need to apply the pptp patch from patchomatic. In my experience it's not
| worth it. I ended up using FreeSwan installed on my firewall gateway as
| my VPN solution.

I believe there is a userspace IPsec package, reasonably high overhead
but runnable where a patched kernel is politically incorrect. Does that
ring a bell with anyone?
-- 
bill davidsen <davidsen@tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.



* Re: ipv6 and state matching
  2003-03-25 15:53   ` ipv6 and state matching Trever L. Adams
@ 2003-03-25 23:33     ` Jozsef Kadlecsik
From: Jozsef Kadlecsik @ 2003-03-25 23:33 UTC (permalink / raw)
  To: Trever L. Adams; +Cc: netfilter

On 25 Mar 2003, Trever L. Adams wrote:

> > Last year I worked on the prototype of a unified conntrack code, but it
> > was never released. Unfortunately just conntrack doesn't seem to be enough
> > - one is tempted to implement NAPT etc. as well.
>
> What is NAPT? Do you mean NAT?  Why was yours never released?

Sorry, I meant NAT-PT.

I did not release the code because it was never finished. That was just a
prototype, alone for conntrack.

> > > Are there plans on doing state support?  Is it all that much more
> > > difficult?
> >
> > A straight porting is not so difficult, but that direction cannot be
> > followed because it would result in a severe code-duplication.
> > Unification takes a lot of time.
>
> Hmm, what is the desired route right now?  Are they wanting to just
> share code base (lots of ifdefs all over) or are they wanting to
> actually have the two code bases use the same binary object?

ifdefs would be simply unmanageable. Kisza tried to use macros, but
the required macro levels were too deep.

Same binary objects are preferred...

> If one object is desired, can you just use ipv6 structs (whatever ones
> are involved) in all cases, or should there be a flag and use pointers
> so that each connection uses the appropriate structures?

...but without a blind union of the data structures: it'd mean a horrid
waste of the memory.

> I am willing to give this a go, I think.  However, this would be my
> first "major" work in the kernel (I have only helped a bit with cipe
> before).  I am not sure how great it would be.

It's a big challenge.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary




* Re: Microsoft PPTP VPN server behind FIREWALL
@ 2003-03-27 20:46 Steve M Bibayoff
From: Steve M Bibayoff @ 2003-03-27 20:46 UTC (permalink / raw)
  To: netfilter

Hello,

davidsen@tmr.com (bill davidsen) wrote:

> I believe there is a userspace IPsec package, reasonably high overhead
> but runnable where a patched kernel is politically incorrect. Does that
> ring a bell with anyone?

I believe you're thinking of Cipe.

hth

Steve

ps. please don't Bcc the ml.



