From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: pptp
Date: Fri, 15 Oct 2004 15:19:00 -0400
Message-ID: <20041015191900.GA7776@bender.817west.com>
In-Reply-To: <20041015162541.GA23125@plain.ev1servers.net>

On Fri, Oct 15, 2004 at 11:25:41AM -0500, K. Shantanu  wrote:
> * Jason Opperisano <opie@817west.com> [041015 11:15]:
> > yes--if you are performing SNAT/MASQ for your entire internal network
> > on your gateway, it won't work.  there is a PPTP conntrack and nat module
> > in POM for this situation, but it will only compile against a 2.4 kernel.
> 
> Yes, I am performing MASQ for entire network. Is there no way I can get
> it to work against 2.6 series? I will have a lot of trouble downgrading
> the kernel. It is a live server.

i wasn't necessarily recommending that you downgrade to a 2.4
kernel--just pointing out that there's a "fancy" option available, but
it is 2.4-specific.  i am unaware of any successful ports of the PPTP
modules from POM to the 2.6 kernel.

> > one option would be to give the PPTP client a dedicated public IP and
> > perform a one-to-one SNAT/DNAT for that client and allow TCP 1723 and
> > IP protocol 47 outbound from that client and IP protocol 47 inbound to
> > that client from the PPTP server.
> 
> Can you please give an example of this to be on the safe side?  Is this something
> like,
> * I add eth0:1 on Linux box and give it a public IP.
> * redirect all traffic to that IP from outside to the client having pptp
> client? Will something like below help,
> iptables -A PREROUTING -d <ext ip> -p tcp -m tcp --dport 47 -j DNAT --to-destination 192.168.10.99

i tried to point this out subtly in my first reply--but you are
confusing "IP Protocol Number 47" with TCP Port 47.  GRE is IP protocol
number 47, analogous to TCP being IP protocol number 6 or UDP being IP
protocol 17...

  # DNAT lives in the nat table; "-p 47" matches GRE, not TCP port 47
  iptables -t nat -A PREROUTING -d <ext ip> -p 47 \
    -j DNAT --to-destination 192.168.10.99

> iptables -A PREROUTING -d <ext ip> -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.10.99

you don't need to forward TCP port 1723 to the client--but you do need
SNAT rules as well...or rule.  i would do it like this:

  # new public IP for one-to-one NAT for PPTP client
  ip address add $PUBIP dev $OUTSIDE_IF

  # DNAT for PPTP client
  # no -p here, so both the TCP 1723 control channel and GRE are translated
  iptables -t nat -A PREROUTING -i $OUTSIDE_IF -d $PUBIP \
    -j DNAT --to-destination 192.168.10.99

  # SNAT for PPTP client
  iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -s 192.168.10.99 \
    -j SNAT --to-source $PUBIP

  # outbound filter rules for PPTP client
  iptables -A FORWARD -s 192.168.10.99 -d $PPTP_SERVER \
    -p tcp --dport 1723 -j ACCEPT

  iptables -A FORWARD -s 192.168.10.99 -d $PPTP_SERVER \
    -p 47 -j ACCEPT
 
  # inbound filter rules for PPTP client
  iptables -A FORWARD -s $PPTP_SERVER -d 192.168.10.99 \
    -p 47 -j ACCEPT

and that should about cover it...unless i've made some sort of heinous
mistake that someone else would be so kind as to point out...

-j
 
-- 
Jason Opperisano <opie@817west.com>
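The one-to-one NAT setup from the reply above, written out as a reviewable script. This is an added example, not code from the original message or from the netfilter project. The function names (`run`, `pptp_nat_rules`, `check_gre_rule`), the `DRY_RUN` switch and all addresses and interface names are constructed for the example. It goes slightly beyond the message by adding a small lint for the exact mistake the reply corrects: a rule that expresses GRE as TCP/UDP port 47 instead of IP protocol 47.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the one-to-one NAT rule
# set for a PPTP client behind a MASQUERADE gateway, and lint iptables rules
# for the "TCP port 47" vs "IP protocol 47" confusion.
# All addresses and interface names used below are constructed placeholders.

# DRY_RUN=1 (the default) prints each command instead of executing it, so
# the rule set can be reviewed or diffed before running as root with DRY_RUN=0.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pptp_nat_rules PUBIP OUTSIDE_IF CLIENT_IP PPTP_SERVER
# Emits (or applies) the rules from the reply: a dedicated public address,
# 1:1 DNAT/SNAT for the client, and FORWARD rules for TCP 1723 and GRE (47).
pptp_nat_rules() {
    pubip=$1; oif=$2; client=$3; server=$4

    # dedicated public IP used only for this client's one-to-one NAT
    run ip address add "$pubip" dev "$oif"

    # 1:1 DNAT and SNAT in the nat table; no -p, so GRE and TCP are both
    # translated (GRE has no ports, so a port-based DNAT could never match it)
    run iptables -t nat -A PREROUTING -i "$oif" -d "$pubip" \
        -j DNAT --to-destination "$client"
    run iptables -t nat -A POSTROUTING -o "$oif" -s "$client" \
        -j SNAT --to-source "$pubip"

    # control channel outbound only; GRE tunnel in both directions;
    # everything else for this client falls through to the existing policy
    run iptables -A FORWARD -s "$client" -d "$server" -p tcp --dport 1723 -j ACCEPT
    run iptables -A FORWARD -s "$client" -d "$server" -p 47 -j ACCEPT
    run iptables -A FORWARD -s "$server" -d "$client" -p 47 -j ACCEPT
}

# check_gre_rule RULE
# Returns 1 (and reports on stderr) when RULE combines "-p tcp" or "-p udp"
# with "--dport 47" or "--sport 47": that selects a TCP/UDP port, which GRE
# traffic never has, so the rule silently matches nothing. Returns 0 otherwise.
check_gre_rule() {
    rule=$1
    if printf '%s\n' "$rule" | grep -Eq -e '-p (tcp|udp)( |$)' &&
       printf '%s\n' "$rule" | grep -Eq -e '--[sd]port 47([^0-9]|$)'; then
        printf 'BAD: port 47 is not GRE (use -p 47): %s\n' "$rule" >&2
        return 1
    fi
    return 0
}

# Demonstration with constructed addresses: print the rule set, then lint a
# correct GRE rule and the mistaken port-based one.
pptp_nat_rules 203.0.113.10 eth0 192.168.10.99 198.51.100.5
check_gre_rule 'iptables -A FORWARD -s 192.168.10.99 -d 198.51.100.5 -p 47 -j ACCEPT'
check_gre_rule 'iptables -t nat -A PREROUTING -d 203.0.113.10 -p tcp --dport 47 -j DNAT --to-destination 192.168.10.99' || true
```

Running the script as-is only prints the commands; setting `DRY_RUN=0` applies them. The lint is deliberately narrow: it does not judge whether a rule is complete, it only catches the one substitution that makes a GRE rule a no-op, which is the kind of mistake that leaves a PPTP tunnel "connecting" forever with no obvious error in the firewall logs.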

