From: Joshua Jackson <iptables@vortech.net>
To: Oleg Savostyanov <savostyanov@internetplustravel.ru>,
netfilter@lists.netfilter.org
Subject: Re: PPTP NAT module
Date: Thu, 11 Dec 2003 11:49:45 -0500
Message-ID: <200312111149.45143.iptables@vortech.net>
In-Reply-To: <9115313499.20031211185755@internetplustravel.ru>
Thanks. I will build a kernel from your config and give it a go.
Josh
On Thursday 11 December 2003 10:57, Oleg Savostyanov wrote:
> Hello Joshua,
> I successfully installed the ip_nat_pptp module on a 2.4.23 kernel.
> I tested 3 VPN NATed connections to the SAME! server in the outside world.
> See my kernel's .config below:
>
> #
> # Networking options
> #
> CONFIG_PACKET=y
> CONFIG_PACKET_MMAP=y
> # CONFIG_NETLINK_DEV is not set
> CONFIG_NETFILTER=y
> CONFIG_NETFILTER_DEBUG=y
> CONFIG_FILTER=y
> CONFIG_UNIX=y
> CONFIG_INET=y
> CONFIG_IP_MULTICAST=y
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ROUTE_FWMARK=y
> CONFIG_IP_ROUTE_NAT=y
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_ROUTE_TOS=y
> CONFIG_IP_ROUTE_VERBOSE=y
> CONFIG_IP_PNP=y
> # CONFIG_IP_PNP_DHCP is not set
> # CONFIG_IP_PNP_BOOTP is not set
> CONFIG_NET_IPIP=y
> CONFIG_NET_IPGRE=y
> CONFIG_NET_IPGRE_BROADCAST=y
> CONFIG_IP_MROUTE=y
> CONFIG_IP_PIMSM_V1=y
> CONFIG_IP_PIMSM_V2=y
> CONFIG_ARPD=y
> CONFIG_INET_ECN=y
> # CONFIG_SYN_COOKIES is not set
>
> #
> # IP: Netfilter Configuration
> #
> CONFIG_IP_NF_CONNTRACK=y
> CONFIG_IP_NF_FTP=y
> # CONFIG_IP_NF_AMANDA is not set
> CONFIG_IP_NF_TFTP=y
> CONFIG_IP_NF_IRC=y
> CONFIG_IP_NF_CT_PROTO_GRE=y
> CONFIG_IP_NF_PPTP=y
> CONFIG_IP_NF_QUEUE=y
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP_NF_MATCH_LIMIT=y
> CONFIG_IP_NF_MATCH_MAC=y
> # CONFIG_IP_NF_MATCH_PKTTYPE is not set
> CONFIG_IP_NF_MATCH_MARK=y
> CONFIG_IP_NF_MATCH_MULTIPORT=y
> CONFIG_IP_NF_MATCH_TOS=y
> # CONFIG_IP_NF_MATCH_RECENT is not set
> # CONFIG_IP_NF_MATCH_ECN is not set
> # CONFIG_IP_NF_MATCH_DSCP is not set
> CONFIG_IP_NF_MATCH_AH_ESP=y
> CONFIG_IP_NF_MATCH_LENGTH=y
> CONFIG_IP_NF_MATCH_TTL=y
> CONFIG_IP_NF_MATCH_TCPMSS=y
> CONFIG_IP_NF_MATCH_HELPER=y
> CONFIG_IP_NF_MATCH_STATE=y
> CONFIG_IP_NF_MATCH_CONNTRACK=y
> CONFIG_IP_NF_MATCH_UNCLEAN=y
> CONFIG_IP_NF_MATCH_OWNER=y
> CONFIG_IP_NF_FILTER=y
> CONFIG_IP_NF_TARGET_REJECT=y
> CONFIG_IP_NF_TARGET_MIRROR=y
> CONFIG_IP_NF_NAT=y
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=y
> CONFIG_IP_NF_TARGET_REDIRECT=y
> CONFIG_IP_NF_NAT_PPTP=y
> CONFIG_IP_NF_NAT_PROTO_GRE=y
> # CONFIG_IP_NF_NAT_LOCAL is not set
> CONFIG_IP_NF_NAT_SNMP_BASIC=y
> CONFIG_IP_NF_NAT_IRC=y
> CONFIG_IP_NF_NAT_FTP=y
> CONFIG_IP_NF_NAT_TFTP=y
> CONFIG_IP_NF_MANGLE=y
> CONFIG_IP_NF_TARGET_TOS=y
> # CONFIG_IP_NF_TARGET_ECN is not set
> # CONFIG_IP_NF_TARGET_DSCP is not set
> CONFIG_IP_NF_TARGET_MARK=y
> CONFIG_IP_NF_TARGET_LOG=y
> CONFIG_IP_NF_TARGET_ULOG=y
> CONFIG_IP_NF_TARGET_TCPMSS=y
> CONFIG_IP_NF_ARPTABLES=y
> CONFIG_IP_NF_ARPFILTER=y
> CONFIG_IP_NF_ARP_MANGLE=y
>
> Wednesday, December 10, 2003, 2:03:55 AM, you wrote:
>
> JJ> I know there have been a pile of questions about this module in the past, but
> JJ> I can't seem to find any responses about the behaviour I am seeing.
>
> JJ> I am currently running a 2.4.23 kernel with the latest officially released
> JJ> POM patches applied to it. The network being protected by the firewall is
> JJ> providing NAT for the hosts behind it. If the ip_nat_pptp module is loaded,
> JJ> none of the protected clients can establish an outbound PPTP session. If the
> JJ> conntrack modules are removed, a single session can be established (as would
> JJ> be expected).
>
> JJ> The remote PPTP server log shows the initial TCP connection, but never sees
> JJ> any GRE traffic from the connecting host.
>
> JJ> I have seen posts about the local NAT kernel option; I have tried it both ways
> JJ> with the same results. If there are any kernel settings in particular that I
> JJ> may be missing, please let me know.
>
> JJ> My iptables firewall rules include a default policy of DROP for INPUT and
> JJ> FORWARD, ACCEPT for OUTPUT. The first line in the rules includes an ACCEPT
> JJ> for the INPUT chain for established and related connections. There is also a
> JJ> rule allowing any traffic for all protocols to any host which originates from
> JJ> the protected network on the internal interface.
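An added example, not code from the thread: a small Python check over a .config in the form Oleg posted, reporting which of the options the PPTP NAT helper relies on are unset and which are built as modules that still have to be loaded at runtime (the case Joshua describes). The required-option and dependency table is my assumption about the 2.4 POM PPTP helper, and the sample .config fragment is constructed.

```python
import re
# Options a NATing firewall needs for PPTP clients behind it, each mapped to
# the options it depends on.  This table is my assumption about the 2.4 POM
# PPTP helper, not something the thread states.
REQUIRED = {
    "CONFIG_IP_NF_CONNTRACK": [],
    "CONFIG_IP_NF_CT_PROTO_GRE": ["CONFIG_IP_NF_CONNTRACK"],
    "CONFIG_IP_NF_PPTP": ["CONFIG_IP_NF_CT_PROTO_GRE"],
    "CONFIG_IP_NF_NAT": ["CONFIG_IP_NF_CONNTRACK"],
    "CONFIG_IP_NF_NAT_PROTO_GRE": ["CONFIG_IP_NF_NAT", "CONFIG_IP_NF_CT_PROTO_GRE"],
    "CONFIG_IP_NF_NAT_PPTP": ["CONFIG_IP_NF_NAT", "CONFIG_IP_NF_PPTP"],
    "CONFIG_IP_NF_MATCH_STATE": ["CONFIG_IP_NF_CONNTRACK"],  # ESTABLISHED,RELATED rules
}
SET_RE = re.compile(r"^(CONFIG_\w+)=(.+)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Parse .config text into {option: value}; '# X is not set' maps to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := UNSET_RE.match(line):
            opts[m.group(1)] = "n"
    return opts

def check_pptp_nat(opts):
    """Return (missing, modules); a module only helps once it is loaded."""
    missing, modules = [], []
    for opt, deps in REQUIRED.items():
        val = opts.get(opt, "n")
        if val == "m":
            modules.append(opt)
        elif val != "y":
            missing.append(opt)
        for dep in deps:  # a selected option whose dependency is unset
            if val in ("y", "m") and opts.get(dep, "n") not in ("y", "m"):
                missing.append(f"{dep} (needed by {opt})")
    return sorted(set(missing)), sorted(modules)

# Constructed fragment shaped like the posted .config: GRE NAT off, PPTP NAT as a module.
SAMPLE = """CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_PROTO_GRE=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_PPTP=m
# CONFIG_IP_NF_NAT_PROTO_GRE is not set"""
```

Run `check_pptp_nat(parse_config(open("/path/to/.config").read()))` against a real kernel config; an empty `missing` list with `modules` non-empty means the build is fine but the listed modules must be inserted before the helper can work.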