From: Matt Domsch
Subject: Re: ip_nat_pptp ICMP rejected failures
Date: Wed, 5 Oct 2005 22:54:22 -0500
Message-ID: <20051006035422.GA8836@domsch.com>
References: <20051005151309.GA28129@domsch.com> <20051005154453.GC4184@rama>
In-Reply-To: <20051005154453.GC4184@rama>
To: Harald Welte, netfilter@lists.netfilter.org

On Wed, Oct 05, 2005 at 05:44:53PM +0200, Harald Welte wrote:
> On Wed, Oct 05, 2005 at 10:13:09AM -0500, Matt Domsch wrote:
> there have been patches for lots of 2.4 and 2.6 releases, though.

Indeed, I've been lazy in this respect, no disrespect intended.

> thanks for the detailed bug report, I'll try to analyze the problem once
> I'm back from http://workshop.netfilter.org/

Enjoy the workshop!

> Please try to explicitly add a drop rule for the ICMP packets and see
> whether it works then. Sounds strange, but I have my reasons for asking
> ;)

Progress. To the raw table I added:

    -A OUTPUT -p icmp --icmp-type protocol-unreachable --destination PPTP_SERVER -j DROP

Now what happens is that the LCP Configuration Requests and LCP
Configuration Acks generated by the PPTP_SERVER aren't getting NAT'd by
the firewall coming back to my client, so LCP is never established.
Removing ip_nat_pptp resolves this of course.

No.  Time       Source         Destination    Protocol  Info
47   1.029527   CLIENT_IP      PPTP_SERVER    TCP       4668 > 1723 [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1460
48   1.029729   FW_PUBLIC_IP   PPTP_SERVER    TCP       4668 > 1723 [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1460
49   1.056471   PPTP_SERVER    FW_PUBLIC_IP   TCP       1723 > 4668 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
50   1.056586   PPTP_SERVER    CLIENT_IP      TCP       1723 > 4668 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
51   1.071807   CLIENT_IP      PPTP_SERVER    PPTP      Start-Control-Connection-Request
52   1.071899   FW_PUBLIC_IP   PPTP_SERVER    PPTP      Start-Control-Connection-Request
53   1.096896   PPTP_SERVER    FW_PUBLIC_IP   PPTP      Start-Control-Connection-Reply
54   1.096993   PPTP_SERVER    CLIENT_IP      PPTP      Start-Control-Connection-Reply
55   1.108357   CLIENT_IP      PPTP_SERVER    PPTP      Outgoing-Call-Request
56   1.108461   FW_PUBLIC_IP   PPTP_SERVER    PPTP      Outgoing-Call-Request
57   1.133729   PPTP_SERVER    FW_PUBLIC_IP   PPTP      Outgoing-Call-Reply
58   1.133875   PPTP_SERVER    CLIENT_IP      PPTP      Outgoing-Call-Reply
59   1.137014   CLIENT_IP      PPTP_SERVER    PPTP      Set-Link-Info
60   1.137101   FW_PUBLIC_IP   PPTP_SERVER    PPTP      Set-Link-Info
61   1.149890   CLIENT_IP      PPTP_SERVER    PPP LCP   Configuration Request
62   1.150004   FW_PUBLIC_IP   PPTP_SERVER    PPP LCP   Configuration Request
63   1.174587   PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Request
====== The previous packet should be NAT'd here, but it's not.
64   1.174765   PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Ack
====== The previous packet should be NAT'd here, but it's not.
71   1.335423   PPTP_SERVER    FW_PUBLIC_IP   TCP       1723 > 4668 [ACK] Seq=189 Ack=349 Win=17172 Len=0
72   1.335582   PPTP_SERVER    CLIENT_IP      TCP       1723 > 4668 [ACK] Seq=189 Ack=349 Win=17172 Len=0
96   2.319976   PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Request
====== The previous packet should be NAT'd here, but it's not.
125  3.136456   CLIENT_IP      PPTP_SERVER    PPP LCP   Configuration Request
126  3.136592   FW_PUBLIC_IP   PPTP_SERVER    PPP LCP   Configuration Request
127  3.160169   PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Ack
====== The previous packet should be NAT'd here, but it's not.
181  5.319708   PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Request
====== The previous packet should be NAT'd here, but it's not.
213  6.133984   CLIENT_IP      PPTP_SERVER    PPP LCP   Configuration Request
214  6.134116   FW_PUBLIC_IP   PPTP_SERVER    PPP LCP   Configuration Request
215  6.159191   PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Ack
====== The previous packet should be NAT'd here, but it's not.
308  9.319669   PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Request
====== The previous packet should be NAT'd here, but it's not.
340  10.144477  CLIENT_IP      PPTP_SERVER    PPP LCP   Configuration Request
341  10.144617  FW_PUBLIC_IP   PPTP_SERVER    PPP LCP   Configuration Request
342  10.167478  PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Configuration Ack
427  13.061012  CLIENT_IP      PPTP_SERVER    PPTP      Set-Link-Info
428  13.061137  FW_PUBLIC_IP   PPTP_SERVER    PPTP      Set-Link-Info
429  13.071593  CLIENT_IP      PPTP_SERVER    PPP LCP   Termination Request
430  13.071680  FW_PUBLIC_IP   PPTP_SERVER    PPP LCP   Termination Request
431  13.095415  PPTP_SERVER    FW_PUBLIC_IP   PPP LCP   Termination Ack
435  13.258806  PPTP_SERVER    FW_PUBLIC_IP   TCP       1723 > 4668 [ACK] Seq=189 Ack=373 Win=17148 Len=0
436  13.258922  PPTP_SERVER    CLIENT_IP      TCP       1723 > 4668 [ACK] Seq=189 Ack=373 Win=17148 Len=0

There's no apparent difference between the packets that are NAT'd
without ip_nat_pptp and the packets that aren't when using ip_nat_pptp.
Thanks,
Matt
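As an added example (not code from the mail or from the netfilter project): a small Python checker that walks an Ethereal-style packet list like the one above and reports every inbound packet from PPTP_SERVER that is never seen again with CLIENT_IP as destination, i.e. the packets the firewall failed to NAT back. The names CLIENT_IP, FW_PUBLIC_IP and PPTP_SERVER are the placeholders the mail uses; the embedded capture lines are a constructed excerpt of the mail's dump.

```python
# Added example: find inbound PPTP-server packets in a packet-list dump that
# have no NAT'd twin (same protocol/info, destination rewritten to the client).
import re
from typing import List, Tuple

# Constructed excerpt of the capture from the mail; placeholder host names
# (CLIENT_IP, FW_PUBLIC_IP, PPTP_SERVER) are the ones the mail itself uses.
CAPTURE = """\
No. Time Source Destination Protocol Info
61 1.149890 CLIENT_IP PPTP_SERVER PPP LCP Configuration Request
62 1.150004 FW_PUBLIC_IP PPTP_SERVER PPP LCP Configuration Request
63 1.174587 PPTP_SERVER FW_PUBLIC_IP PPP LCP Configuration Request
64 1.174765 PPTP_SERVER FW_PUBLIC_IP PPP LCP Configuration Ack
71 1.335423 PPTP_SERVER FW_PUBLIC_IP TCP 1723 > 4668 [ACK] Seq=189 Ack=349 Win=17172 Len=0
72 1.335582 PPTP_SERVER CLIENT_IP TCP 1723 > 4668 [ACK] Seq=189 Ack=349 Win=17172 Len=0
"""

# no. time src dst <protocol and info, kept together as one string>
LINE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse(dump: str) -> List[Tuple[int, float, str, str, str]]:
    """Return (no, time, src, dst, proto_info) for each packet line; header
    lines such as 'No. Time ...' do not match the regex and are skipped."""
    pkts = []
    for raw in dump.splitlines():
        m = LINE.match(raw.strip())
        if m:
            no, t, src, dst, rest = m.groups()
            pkts.append((int(no), float(t), src, dst, rest))
    return pkts


def unnatted_inbound(dump: str, server: str = "PPTP_SERVER",
                     fw: str = "FW_PUBLIC_IP", client: str = "CLIENT_IP",
                     window: float = 0.05) -> List[int]:
    """Packet numbers of server->firewall packets that are not followed,
    within `window` seconds, by a server->client copy with identical info.
    A NAT'd packet shows up twice in a capture taken on the firewall."""
    pkts = parse(dump)
    missing = []
    for i, (no, t, src, dst, rest) in enumerate(pkts):
        if (src, dst) != (server, fw):
            continue
        twin = any(s == server and d == client and r == rest
                   and 0 <= t2 - t <= window
                   for (_, t2, s, d, r) in pkts[i + 1:])
        if not twin:
            missing.append(no)
    return missing


if __name__ == "__main__":
    for no in unnatted_inbound(CAPTURE):
        print(f"packet {no}: no NAT'd copy to the client seen")
```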