VPN?

VPN?

[Payal Rathod]

Hi,
I want to pass pptp traffic through my firewall. For that I added,
iptables -A FORWARD -s 192.168.0.0/255.255.0.0 --protocol 47 -j
ACCEPT
in my firewall list plus,
iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -p udp -m udp --dport 1723 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 1723 -j ACCEPT
But my clients cannot connect to it. It gives connection timed out.
What must be the error?
My old firewall (before I made changes given above is at),
http://payal.staticky.com/tables.txt

With warm regards,
-Payal

RE: VPN?

[Jason Opperisano]

> I want to pass pptp traffic through my firewall. For that I added,
> iptables -A FORWARD -s 192.168.0.0/255.255.0.0 --protocol 47 -j
> ACCEPT
> in my firewall list plus,
> iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -p udp -m udp --dport 1723 -j A
CCEPT
> iptables -A FORWARD -s 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 1723 -j A
CCEPT
> But my clients cannot connect to it. It gives connection timed out.
> What must be the error?
> My old firewall (before I made changes given above is at),
> http://payal.staticky.com/tables.txt

are you NAT-ing the connections from 192.168.0.0/24 to the PPTP server?  according to "-A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE" in your posted rules, you are.

you need the pptp-conntrack-nat from POM for this to work.

-j

Re: VPN?

[Payal Rathod]

On Fri, Aug 13, 2004 at 11:16:58AM -0400, Jason Opperisano wrote:
> 
> are you NAT-ing the connections from 192.168.0.0/24 to the PPTP server?  according to "-A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE" in your posted rules, you are.

Yes I am.

> you need the pptp-conntrack-nat from POM for this to work.

# modprobe pptp-conntrack-nat
FATAL: Module pptp-conntrack-nat not found.

Do I need to recompile the kernel for that?
I use mandrake 10.0, 2.6.3-7mdksmp.

With warm regards,
-Payal

RE: VPN?

[Jason Opperisano]

> On Fri, Aug 13, 2004 at 11:16:58AM -0400, Jason Opperisano wrote:
> >
> > are you NAT-ing the connections from 192.168.0.0/24 to the PPTP server?  according to "-A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE" in your posted rules, you are.
>
> Yes I am.
>
> > you need the pptp-conntrack-nat from POM for this to work.
>
> # modprobe pptp-conntrack-nat
> FATAL: Module pptp-conntrack-nat not found.

well--to be strict about the syntax--it would be:

        # modprobe ip_conntrack_pptp
        # modprobe ip_nat_pptp

> Do I need to recompile the kernel for that?
> I use mandrake 10.0, 2.6.3-7mdksmp.

heh heh--well the pptp-conntrack-nat patch doesn't actually officially support the 2.6 kernel:

$ cat /usr/local/src/patch-o-matic-ng-20040621/pptp-conntrack-nat/info
Title: PPTP connection tracking and NAT helper
Author: Harald Welte <laforge@netfilter.org>
Status: Testing
Requires: linux < 2.6.0
Repository: extra

as far as i can tell--the stock mandrake 10 kernel (2.6.3.7mdk-1-1mdk) doesn't include these modules...however--the current cooker kernel (kernel-2.6.8.0.rc1.2mdk-1-1mdk) does...  depending on how important this is to you--it might be worth investigating...

-j

Re: VPN?

[Payal Rathod]

On Fri, Aug 13, 2004 at 12:30:28PM -0400, Jason Opperisano wrote:
>         # modprobe ip_conntrack_pptp

FATAL: Module ip_conntrack_pptp not found.

>         # modprobe ip_nat_pptp

FATAL: Module ip_nat_pptp not found.

> heh heh--well the pptp-conntrack-nat patch doesn't actually officially support the 2.6 kernel:

Now what do you suggest? Do I have to download anything?

With warm regards,
-Payal

RE: VPN?

[Jason Opperisano]

> On Fri, Aug 13, 2004 at 12:30:28PM -0400, Jason Opperisano wrote:
> >         # modprobe ip_conntrack_pptp
>
> FATAL: Module ip_conntrack_pptp not found.
>
> >         # modprobe ip_nat_pptp
>
> FATAL: Module ip_nat_pptp not found.
>
> > heh heh--well the pptp-conntrack-nat patch doesn't actually officially suppo
rt the 2.6 kernel:
>
> Now what do you suggest? Do I have to download anything?

i suggest you decide how much you're willing to do to get PPTP connections to work.  options as i see them:

- downgrade to a 2.4 kernel and apply pptp-conntrack-nat patch from POM

- try using the 2.6.8.0.rc1.2 kernel from the mandrake cooker repository that has the pptp modules pre-compiled in

- stick with the setup you have and accept that PPTP won't work through your firewall

i'm not recommending any one of the above over another--the choice is up to you.  i'm just trying to help you understand your options.

if anyone else is aware of some other avenue of getting the pptp modules to patch/compile against 2.6, please chime in.  it at least appears to be possible, as the mandrake cooker guys pulled it off.

-j