From: Matt Domsch <matt@domsch.com>
To: Harald Welte <laforge@netfilter.org>
Cc: netfilter@lists.netfilter.org
Subject: ip_nat_pptp ICMP rejected failures
Date: Wed, 5 Oct 2005 10:13:09 -0500	[thread overview]
Message-ID: <20051005151309.GA28129@domsch.com> (raw)

Harald, thanks much for your efforts on the ip_nat_pptp helper.  I've
been using a 2.2 kernel on my firewall for years simply because it had
this functionality.

I have this problem with 2.6.14-rc3.  With ip_nat_pptp loaded,
through a NAT, I get this behavior:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    NAT-CLIENT          PPTP-SERVER         TCP      3347 > 1723 [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1460
      2 0.000237    FW-PUBLIC-IP        PPTP-SERVER         TCP      3347 > 1723 [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1460
      3 0.026441    PPTP-SERVER         FW-PUBLIC-IP        TCP      1723 > 3347 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
      4 0.026574    PPTP-SERVER         NAT-CLIENT           TCP      1723 > 3347 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
      5 0.027555    NAT-CLIENT          PPTP-SERVER         PPTP     Start-Control-Connection-Request
      6 0.027652    FW-PUBLIC-IP        PPTP-SERVER         PPTP     Start-Control-Connection-Request
      7 0.051931    PPTP-SERVER         FW-PUBLIC-IP        PPTP     Start-Control-Connection-Reply
      8 0.052072    PPTP-SERVER         NAT-CLIENT          PPTP     Start-Control-Connection-Reply
      9 0.063546    NAT-CLIENT          PPTP-SERVER         PPTP     Outgoing-Call-Request
     10 0.063654    FW-PUBLIC-IP        PPTP-SERVER         PPTP     Outgoing-Call-Request
     11 0.090422    PPTP-SERVER         FW-PUBLIC-IP        PPTP     Outgoing-Call-Reply
     12 0.090565    PPTP-SERVER         NAT-CLIENT          PPTP     Outgoing-Call-Reply
     13 0.096314    NAT-CLIENT          PPTP-SERVER         PPTP     Set-Link-Info
     14 0.096397    FW-PUBLIC-IP        PPTP-SERVER         PPTP     Set-Link-Info
     15 0.096428    NAT-CLIENT          PPTP-SERVER         PPP LCP  Configuration Request
     16 0.096527    FW-PUBLIC-IP        PPTP-SERVER         PPP LCP  Configuration Request
     17 0.126681    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Request
     18 0.127033    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     19 0.127074    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Ack
     20 0.127177    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     21 0.312610    PPTP-SERVER         FW-PUBLIC-IP        TCP      1723 > 3347 [ACK] Seq=189 Ack=349 Win=17172 Len=0
     22 0.312723    PPTP-SERVER         NAT-CLIENT          TCP      1723 > 3347 [ACK] Seq=189 Ack=349 Win=17172 Len=0
     23 1.937329    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Request
     24 1.937557    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     25 2.098675    NAT-CLIENT          PPTP-SERVER         PPP LCP  Configuration Request
     26 2.098788    FW-PUBLIC-IP        PPTP-SERVER         PPP LCP  Configuration Request
     27 2.122375    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Ack
     28 2.122580    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     29 4.937426    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Request
     30 4.937632    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     31 5.108775    NAT-CLIENT          PPTP-SERVER         PPP LCP  Configuration Request
     32 5.108878    FW-PUBLIC-IP        PPTP-SERVER         PPP LCP  Configuration Request
     33 5.133111    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Ack
     34 5.133317    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     35 7.549272    NAT-CLIENT          PPTP-SERVER         PPTP     Set-Link-Info
     36 7.549405    FW-PUBLIC-IP        PPTP-SERVER         PPTP     Set-Link-Info
     37 7.549444    NAT-CLIENT          PPTP-SERVER         PPP LCP  Termination Request
     38 7.549510    FW-PUBLIC-IP        PPTP-SERVER         PPP LCP  Termination Request
     39 7.572922    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Termination Ack
     40 7.573142    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     41 7.748978    PPTP-SERVER         FW-PUBLIC-IP        TCP      1723 > 3347 [ACK] Seq=189 Ack=373 Win=17148 Len=0
     42 7.749092    PPTP-SERVER         NAT-CLIENT          TCP      1723 > 3347 [ACK] Seq=189 Ack=373 Win=17148 Len=0


and no PPP authentication ever succeeds.

If I don't have ip_nat_pptp and ip_conntrack_pptp loaded, I don't get
the ICMP messages, and authentication succeeds, though I can only have
one PPTP session between any of my clients and the server.

My iptables firewall rules, generated by a Fedora Core 4 system, look like:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT --protocol gre  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT


though I've tried both with and without the REJECT rule.

I'd appreciate any advice you can provide.

Thanks,
Matt
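
The trace above mixes two flows that the NAT box handles separately: the TCP/1723 control connection (the TCP and PPTP rows) and the PPP frames, which PPTP carries inside GRE (IP protocol 47), so every "PPP LCP" row is a GRE datagram on the wire. The script below is an added example, not code from the post or from netfilter; it parses the summary columns quoted above (No., Time, Source, Destination, Protocol, Info) and, for each frame the server sends to the firewall's public address, checks whether the next frames contain the translated copy addressed to NAT-CLIENT or an ICMP unreachable from the firewall. The host names, the three-frame lookahead and the excerpt of the trace embedded as input are assumptions of the example.

```python
"""Classify inbound frames of a NATed PPTP trace as translated or bounced.
Added example; reads tshark/ethereal-style summary rows as quoted in the
post and tracks the TCP/1723 control channel apart from GRE-carried PPP."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Host names as they appear in the post (real addresses were redacted there).
CLIENT, FW, SERVER = "NAT-CLIENT", "FW-PUBLIC-IP", "PPTP-SERVER"

# Constructed input: an excerpt of the frames quoted in the post above.
TRACE = """\
      3 0.026441    PPTP-SERVER         FW-PUBLIC-IP        TCP      1723 > 3347 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
      4 0.026574    PPTP-SERVER         NAT-CLIENT           TCP      1723 > 3347 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
     11 0.090422    PPTP-SERVER         FW-PUBLIC-IP        PPTP     Outgoing-Call-Reply
     12 0.090565    PPTP-SERVER         NAT-CLIENT          PPTP     Outgoing-Call-Reply
     15 0.096428    NAT-CLIENT          PPTP-SERVER         PPP LCP  Configuration Request
     16 0.096527    FW-PUBLIC-IP        PPTP-SERVER         PPP LCP  Configuration Request
     17 0.126681    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Request
     18 0.127033    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     19 0.127074    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Ack
     20 0.127177    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
     21 0.312610    PPTP-SERVER         FW-PUBLIC-IP        TCP      1723 > 3347 [ACK] Seq=189 Ack=349 Win=17172 Len=0
     22 0.312723    PPTP-SERVER         NAT-CLIENT          TCP      1723 > 3347 [ACK] Seq=189 Ack=349 Win=17172 Len=0
     23 1.937329    PPTP-SERVER         FW-PUBLIC-IP        PPP LCP  Configuration Request
     24 1.937557    FW-PUBLIC-IP        PPTP-SERVER         ICMP     Destination unreachable (Protocol unreachable)
"""

# Protocol column may be two words ("PPP LCP"); Info is the rest of the row.
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>TCP|UDP|ICMP|GRE|PPTP|PPP(?: \w+)?)\s+(?P<info>.*)$")


class Frame(NamedTuple):
    no: int
    time: float
    src: str
    dst: str
    proto: str
    info: str


def parse_trace(text: str) -> List[Frame]:
    """Turn summary rows into Frames; header and blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), float(m["time"]), m["src"],
                                m["dst"], m["proto"], m["info"].strip()))
    return frames


def family(proto: str) -> str:
    # PPP rows are GRE-encapsulated payload; TCP/PPTP rows are the control channel.
    return "gre" if proto.startswith("PPP") else "control"


def verdict(frames: List[Frame], i: int, lookahead: int = 3) -> Tuple[str, str]:
    """Outcome of inbound frame i and, if bounced, the ICMP reason text."""
    f = frames[i]
    for g in frames[i + 1:i + 1 + lookahead]:
        # The NAT emits the same frame again, now addressed to the client.
        if (g.src, g.dst, g.proto, g.info) == (f.src, CLIENT, f.proto, f.info):
            return "forwarded", ""
        # Or the firewall itself answers the server with ICMP unreachable.
        if g.src == FW and g.dst == f.src and g.proto == "ICMP" and "unreachable" in g.info:
            m = re.search(r"\((.*?)\)", g.info)
            return "bounced", m.group(1) if m else g.info
    return "unanswered", ""


def summarize(frames: List[Frame]) -> Dict[str, Counter]:
    summary = {"control": Counter(), "gre": Counter(), "icmp_reason": Counter()}
    for i, f in enumerate(frames):
        if (f.src, f.dst) != (SERVER, FW):
            continue  # only server -> firewall frames are a NAT decision
        outcome, reason = verdict(frames, i)
        summary[family(f.proto)][outcome] += 1
        if reason:
            summary["icmp_reason"][reason] += 1
    return summary


def diagnose(summary: Dict[str, Counter]) -> str:
    ctl, gre = summary["control"], summary["gre"]
    if gre["bounced"] and not gre["forwarded"] and ctl["forwarded"] and not ctl["bounced"]:
        return "control OK, inbound GRE not translated"
    if gre["bounced"] or ctl["bounced"]:
        return "mixed: some inbound frames bounced"
    return "all inbound frames translated"


if __name__ == "__main__":
    s = summarize(parse_trace(TRACE))
    for key in ("control", "gre", "icmp_reason"):
        print(key, dict(s[key]))
    print(diagnose(s))
```

On the quoted trace the control channel is translated every time and every GRE datagram from the server is bounced, so the script reports "control OK, inbound GRE not translated". The ICMP type is the useful check: the REJECT rule in the ruleset would answer with "host prohibited", whereas "Protocol unreachable" is what the Linux IP stack sends when a datagram is delivered to the firewall itself and no handler is registered for its protocol, which fits the observation that removing the REJECT rule changes nothing.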


Thread overview: 4+ messages
2005-10-05 15:13 Matt Domsch [this message]
2005-10-05 15:44 ` ip_nat_pptp ICMP rejected failures Harald Welte
2005-10-06  3:54   ` Matt Domsch
2005-10-08  5:05     ` Matt Domsch