* New Version (1.13) of PPTP conntrack/nat helper
From: Harald Welte @ 2003-09-22 20:30 UTC (permalink / raw)
  To: Netfilter Development Mailinglist, Netfilter Mailinglist


Hi!

I've just released the long-awaited new version of the PPTP
conntrack/NAT helper.  It can be found in the current patch-o-matic CVS,
or in the CVS snapshot that is going to be created tonight
(patch-o-matic-20030922).

It has been working in my test network with four PPTP clients, in mixed
DNAT, SNAT and local (i.e. terminated on a PPTPD on the NAT gw itself)
connection setup - both with and without CONFIG_IP_NF_NAT_LOCAL.

Please feel free to test this new patch and report any bugs/errors back
to me.

Thanks to everybody who has contributed to the PPTP helper in the past,
and thanks for your patience in waiting for this release.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


* Re: New Version (1.13) of PPTP conntrack/nat helper
From: Wim Ceulemans @ 2003-09-23 13:38 UTC (permalink / raw)
  To: Harald Welte; +Cc: Netfilter Development Mailinglist, Netfilter Mailinglist


Hi Harald

Thanks for the patch.

I tried patch-o-matic-20030922 with kernel 2.4.22 and connection to the 
PPTP server seems to work reliably now. Before this patch, connecting 
from a winxp machine did succeed one out of 2 times, now it always 
succeeds.

However, I also tried forwarding port 1723 and gre to a pptp server 
(win2000) behind the firewall. And there seems to be a problem with 
forwarding of the gre protocol. The connection to port 1723 behind the 
firewall succeeds, but I don't see gre packets pass the firewall. I 
added these rules:

iptables -t nat -A PREROUTING -p TCP -d <wanip> --dport 1723 -j DNAT --to <winip>:1723
iptables -t nat -A PREROUTING -p GRE -d <wanip> -j DNAT --to <winip>
iptables -A FORWARD -p TCP -d <winip> --dport 1723 -j ACCEPT
iptables -A FORWARD -p GRE -d <winip> -j ACCEPT

The following modules are loaded:

ppp_mppe               20152   0  (autoclean)
ppp_async               6368   0  (autoclean)
ip_nat_proto_gre        1284   0  (unused)
ip_nat_pptp             1836   0  (unused)
ip_nat_irc              2384   0  (unused)
ip_nat_h323             2604   0  (unused)
ip_nat_ftp              3024   0  (unused)
ipsec_aes              31880   0  (unused)
ipsec                 252608   2  [ipsec_aes]
ipt_REDIRECT             824   1  (autoclean)
ipt_MASQUERADE          1240   1  (autoclean)
ipt_TCPMSS              2424   1  (autoclean)
ipt_unclean             6776   2  (autoclean)
ipt_limit                952   2  (autoclean)
ipt_LOG                 3224   5  (autoclean)
ipt_state                600   8  (autoclean)
ipt_multiport            632  11  (autoclean)
ip_conntrack_pptp       2320   1
ip_conntrack_proto_gre    2004   0  [ip_nat_pptp ip_conntrack_pptp]
ip_conntrack_irc        3120   1
ip_conntrack_h323       2320   1
ip_conntrack_ftp        3824   1
iptable_mangle          2192   1
iptable_nat            14424   6  [ip_nat_proto_gre ip_nat_pptp ip_nat_irc ip_nat_h323 ip_nat_ftp ipt_REDIRECT ipt_MASQUERADE]
ip_conntrack           16352   7  [ip_nat_pptp ip_nat_irc ip_nat_h323 ip_nat_ftp ipt_REDIRECT ipt_MASQUERADE ipt_state ip_conntrack_pptp ip_conntrack_proto_gre ip_conntrack_irc ip_conntrack_h323 ip_conntrack_ftp iptable_nat]
iptable_filter          1700   1
ip_tables              10968  13  [ipt_REDIRECT ipt_MASQUERADE ipt_TCPMSS ipt_unclean ipt_limit ipt_LOG ipt_state ipt_multiport iptable_mangle iptable_nat iptable_filter]
ppp_deflate             2936   0
zlib_inflate           18308   0  [ppp_deflate]
zlib_deflate           17624   0  [ppp_deflate]
bsd_comp                4024   0
ppp_generic            19168   0  [ppp_mppe ppp_async ppp_deflate bsd_comp]
slhc                    4480   0  [ppp_generic]
8139too                13448   3
mii                     2224   0  [8139too]


Regards
Wim


-- 
Wim Ceulemans
R&D Engineer

Secure Internet Communication with aXs Guard

Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be



--
Security check on this e-mail has been done by aXs GUARD
(http://www.axsguard.com)



* Re: New Version (1.13) of PPTP conntrack/nat helper
From: Harald Welte @ 2003-09-23 14:49 UTC (permalink / raw)
  To: Wim Ceulemans; +Cc: Netfilter Development Mailinglist, Netfilter Mailinglist


On Tue, Sep 23, 2003 at 03:38:15PM +0200, Wim Ceulemans wrote:
> Hi Harald
> 
> Thanks for the patch.
> 
> I tried patch-o-matic-20030922 with kernel 2.4.22 and connection to the 
> PPTP server seems to work reliably now. Before this patch, connecting 
> from a winxp machine did succeed one out of 2 times, now it always 
> succeeds.
> 
> However, I also tried forwarding port 1723 and gre to a pptp server 
> (win2000) behind the firewall. And there seems to be a problem with 
> forwarding of the gre protocol. The connection to port 1723 behind the 
> firewall succeeds, but I don't see gre packets pass the firewall. I 
> added these rules:
> 
> iptables -t nat -A PREROUTING -p TCP -d <wanip> --dport 1723 -j DNAT --to <winip>:1723
> iptables -t nat -A PREROUTING -p GRE -d <wanip> -j DNAT --to <winip>

This is _not_ how it works.  Please just DNAT the 1723/tcp connection.
The gre connection is DNAT'ed accordingly (just like with any other nat
helper).  So please skip the second rule.

> iptables -A FORWARD -p TCP -d <winip> --dport 1723 -j ACCEPT
> iptables -A FORWARD -p GRE -d <winip> -j ACCEPT

Those are not stateful rules.  You should make sure that you only accept 
ESTABLISHED and RELATED gre.  Otherwise weird problems might occur.

If it still doesn't work, please check if you have enabled
CONFIG_IP_NF_NAT_LOCAL or not.  (try it with and without).

If it still doesn't work, please enable debugging (set the '#if 0' to
'#if 1' in ip_conntrack_pptp.c and ip_nat_pptp.c, and ignore the compiler
warnings) and send me the syslog excerpt of _one_ failing session.

> Regards
> Wim

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
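The rule set the reply above describes, as an added example that is not code from the thread or from netfilter: it assumes placeholder addresses and the patch-o-matic PPTP helper modules, prints the commands so they can be reviewed before being applied, and adds a small lint for the two rule patterns objected to (a direct GRE DNAT and a non-stateful GRE ACCEPT).

```shell
#!/bin/sh
# Added example, not code from the thread: the rule set the reply implies for
# a PPTP server behind a 2.4.x netfilter NAT gateway. Addresses are
# placeholders; ip_conntrack_pptp/ip_nat_pptp are the patch-o-matic modules.

# Print (rather than run) the commands so they can be reviewed first, then
# applied as root with:  pptp_forward_rules <wanip> <winip> | sh
pptp_forward_rules() {
    wanip="$1"
    winip="$2"
    cat <<EOF
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
# Only the control connection (1723/tcp) is DNATed. The PPTP helper reads
# the call IDs on that connection and sets up the GRE expectation itself, so
# a separate "-p GRE -j DNAT" rule is wrong (that was the thread's second rule).
iptables -t nat -A PREROUTING -p tcp -d $wanip --dport 1723 -j DNAT --to-destination $winip:1723
# Stateful forwarding: return traffic and the helper-expected GRE call
# (RELATED, then ESTABLISHED) are accepted; only a NEW 1723/tcp connection
# to the server may open a session.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d $winip --dport 1723 -m state --state NEW -j ACCEPT
# GRE that no tracked PPTP session expected is logged and dropped instead of
# being accepted unconditionally as in the original "-p GRE -j ACCEPT" rule.
iptables -A FORWARD -p gre -j LOG --log-prefix "unexpected GRE: "
iptables -A FORWARD -p gre -j DROP
EOF
}

# Lint a rule set on stdin for the two patterns the reply objects to: a
# direct GRE DNAT, and a GRE ACCEPT with no --state match. Comment lines are
# skipped. Prints each offender and returns 1 if any was found, else 0.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            \#*) ;;
            *"-p "[Gg][Rr][Ee]*"-j DNAT"*)
                echo "GRE must not be DNATed directly: $line"; bad=1 ;;
            *"-p "[Gg][Rr][Ee]*"-j ACCEPT"*)
                case "$line" in
                    *--state*) ;;
                    *) echo "GRE accept is not stateful: $line"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}
```

Running the thread's original four rules through lint_rules flags the GRE DNAT and the unconditional GRE ACCEPT; the generated set passes.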



* Re: New Version (1.13) of PPTP conntrack/nat helper
From: Wim Ceulemans @ 2003-09-23 16:25 UTC (permalink / raw)
  To: Harald Welte; +Cc: Netfilter Development Mailinglist, Netfilter Mailinglist


Harald

I now just dnatted the 1723/tcp connection.

If I switch CONFIG_IP_NF_NAT_LOCAL off, the forwarding to a pptp server 
behind the firewall works.
If I switch it on, I don't see any gre packet behind the firewall, so it 
does not work.

However, with CONFIG_IP_NF_NAT_LOCAL on I have had two freezes (firewall 
completely stuck and I had to switch it on and off).

Regards
Wim


-- 
Wim Ceulemans
R&D Engineer

Secure Internet Communication with aXs Guard

Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be






* Re: New Version (1.13) of PPTP conntrack/nat helper
From: Harald Welte @ 2003-09-24 10:13 UTC (permalink / raw)
  To: Wim Ceulemans; +Cc: Netfilter Development Mailinglist, Netfilter Mailinglist


On Tue, Sep 23, 2003 at 06:25:40PM +0200, Wim Ceulemans wrote:
 
> If I switch CONFIG_IP_NF_NAT_LOCAL off, the forwarding to a pptp server 
> behind the firewall works.
> If switch it on, I don't see any gre packet behind the firewall, so it 
> does not work.
> 
> However, with CONFIG_IP_NF_NAT_LOCAL on I have had two freezes (firewall 
> completely stuck and I had to switch it on and off).

So to summarize:  It works perfectly if it is OFF, but you have problems
with DNAT and crashes, if it is ON.  That is surprising - it seems like
the problems have just been reverting :(

Did you do anything in particular when the firewall hang happened? (like
unloading/loading a module, ...)?

> Regards
> Wim

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/



* Re: New Version (1.13) of PPTP conntrack/nat helper
From: Wim Ceulemans @ 2003-09-24 11:42 UTC (permalink / raw)
  To: Harald Welte; +Cc: Netfilter Development Mailinglist, Netfilter Mailinglist


Harald

Sorry, my mistake, the crashes occur when CONFIG_IP_NF_NAT_LOCAL is 
switched off.
I'll produce a debug log of one PPTP session through the firewall with 
CONFIG_IP_NF_NAT_LOCAL on.

Regards
Wim


-- 
Wim Ceulemans
R&D Engineer

Secure Internet Communication with aXs Guard

Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be






* Re: New Version (1.13) of PPTP conntrack/nat helper
From: Wim Ceulemans @ 2003-09-24 16:34 UTC (permalink / raw)
  To: Wim Ceulemans
  Cc: Harald Welte, Netfilter Development Mailinglist,
	Netfilter Mailinglist


Hi Harald

This is the debug log, with CONFIG_IP_NF_NAT_LOCAL switched on and one 
session trying pptp through the firewall to an internal windows2000 server.

18:26:06 kernel: ip_tables: (C) 2000-2002 Netfilter core team
18:26:06 kernel: ip_conntrack version 2.1 (2048 buckets, 16384 max) - 324 bytes per conntrack
18:26:06 kernel: ip_conntrack_pptp.c:init: ip_conntrack_pptp.c: registering helper
18:26:06 kernel: ip_conntrack_pptp version 1.9 loaded
18:26:32 kernel: ip_nat_pptp.c:init: ip_nat_pptp.c: registering NAT helper
18:26:32 kernel: ip_nat_pptp version 1.5 loaded
18:26:58 kernel: ip_conntrack_pptp.c:conntrack_pptp_help: ctinfo = 2, skipping
18:26:58 kernel: ip_nat_pptp.c:tcp_help: entering
18:26:58 kernel: ip_nat_pptp.c:tcp_help: Not touching dir ORIG at hook PREROUTING
18:27:01 kernel: ip_conntrack_pptp.c:conntrack_pptp_help: ctinfo = 2, skipping
18:27:01 kernel: ip_nat_pptp.c:tcp_help: entering
18:27:01 kernel: ip_nat_pptp.c:tcp_help: Not touching dir ORIG at hook PREROUTING
18:27:07 kernel: ip_conntrack_pptp.c:conntrack_pptp_help: ctinfo = 2, skipping
18:27:07 kernel: ip_nat_pptp.c:tcp_help: entering
18:27:07 kernel: ip_nat_pptp.c:tcp_help: Not touching dir ORIG at hook PREROUTING

Regards
Wim



-- 
Wim Ceulemans
R&D Engineer

Secure Internet Communication with aXs Guard

Able NV
Leuvensesteenweg 282 - B-3190 Boortmeerbeek - Belgium
Phone: + 32 15 50.44.00 - Fax: + 32 15 50.44.09
E-mail: wim.ceulemans@able.be





