From: Rickard Eriksson
Subject: PPTP
Date: Wed, 09 Oct 2002 13:57:12 +0200
To: netfilter@lists.netfilter.org

When I try to install the pptp-conntrack module I get this error:

Testing patch extra/pptp-conntrack-nat.patch...
    Placed new Config.in line
    Placed new Configure.help entry
    Placed new Makefile line
    Placed new Makefile line
    Placed new ip_conntrack.h line
    Placed new ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
TEST FAILED: patch NOT applied.

Anyone know what's wrong?


From: Sneppe Filip
Subject: RE: PPTP
Date: Wed, 9 Oct 2002 17:04:26 +0200
To: Rickard Eriksson, netfilter@lists.netfilter.org

Rickard,

> When I try to install the pptp-conntrack module I get this error:
>
> Testing patch extra/pptp-conntrack-nat.patch...
>     Placed new Config.in line
>     Placed new Configure.help entry
>     Placed new Makefile line
>     Placed new Makefile line
>     Placed new ip_conntrack.h line
>     Placed new ip_conntrack.h line
> Could not find place to slot in ip_conntrack.h line
> Could not find place to slot in ip_conntrack.h line
> Could not find place to slot in ip_conntrack.h line
> Could not find place to slot in ip_conntrack.h line
> Could not find place to slot in ip_conntrack.h line
> Could not find place to slot in ip_conntrack.h line
> TEST FAILED: patch NOT applied.
>
> Anyone know what's wrong?

You *are* applying this to a kernel with newnat support, aren't you?

Regards,
Filip

From: Rickard Eriksson
Subject: Re: PPTP
Date: Wed, 09 Oct 2002 17:31:27 +0200
To: Sneppe Filip, netfilter@lists.netfilter.org

Sneppe Filip wrote:
> You *are* applying this to a kernel with newnat support, aren't you?

The z-newnet patch? I can't install that patch.

BTW, this is the first time I am patching a kernel.

/Rickard


From: Sneppe Filip
Subject: RE: PPTP
Date: Wed, 9 Oct 2002 20:51:41 +0200
To: Rickard Eriksson, netfilter@lists.netfilter.org

Rickard Eriksson [mailto:riceri@home.se] wrote:
>
> The z-newnet patch? I can't install that patch.
>
> BTW, this is the first time I am patching a kernel.
>

Hi Rickard,

What kernel version are you working from?
Basically, newnat is a new API for writing connection tracking/NAT
modules.

The patch has been sitting in p-o-m for a long time now, and all the
modules from recent iptables have been converted to work with newnat
and don't apply on kernels without newnat.

Newnat has been included in the early 2.4.20-pre kernels, so from
2.4.20 (or the -pre releases if you don't mind running these) onwards,
there will be no need to patch the kernel with newnat support anymore
before adding conntrackers.

Now, if you're working from a pre-2.4.20 kernel, you need to download
iptables or check out CVS, then from the patch-o-matic directory
run "./runme *" and apply the newnat patch before trying any
conntrackers. That should do the trick. You may need to apply some
additional stuff. IIRC, the pptp patch also needs an "unregister"
fix of some kind that's probably in p-o-m/pending or /submitted.

Good luck,
Filip

From: Rickard Eriksson
Subject: Re: PPTP
Date: Wed, 09 Oct 2002 22:25:23 +0200
To: Sneppe Filip
Cc: netfilter@lists.netfilter.org

Sneppe Filip wrote:
> Now, if you're working from a pre-2.4.20 kernel, you need to download
> iptables or check out CVS, then from the patch-o-matic directory
> run "./runme *" and apply the newnat patch before trying any
> conntrackers. That should do the trick. You may need to apply some
> additional stuff. IIRC, the pptp patch also needs an "unregister"
> fix of some kind that's probably in p-o-m/pending or /submitted.

Well, I want to install 2.4.19.

I have installed conntrack+nat-helper-unregister, and then I could
install znewnat-16, and then I could install the pptp conntrack module.

I hope it will work when I have built the kernel.

Thanks for all your help!!!

/ Rickard


From: Rickard Eriksson
Subject: Re: PPTP
Date: Thu, 10 Oct 2002 18:20:27 +0200
To: netfilter@lists.netfilter.org
Cc: Sneppe Filip

Rickard Eriksson wrote:
> Well, I want to install 2.4.19.
>
> I have installed conntrack+nat-helper-unregister, and then I could
> install znewnat-16, and then I could install the pptp conntrack module.
>
> I hope it will work when I have built the kernel.

Do I need the newest iptables to get the modules to work?


From: Sneppe Filip
Subject: RE: PPTP
Date: Thu, 10 Oct 2002 23:20:37 +0200
To: Rickard Eriksson, netfilter@lists.netfilter.org

Rickard Eriksson [mailto:riceri@home.se] wrote:
>
> Do I need the newest iptables to get the modules to work?
>

Hi,

No, not with these types of modules (conntrack/NAT helpers).
We're only talking kernel code here. You need to run the
correct iptables if you are adding match and target extensions.

Regards,
Filip

From: Rickard Eriksson
Subject: Re: PPTP
Date: Fri, 11 Oct 2002 11:27:55 +0200
To: Sneppe Filip
Cc: netfilter@lists.netfilter.org

Sneppe Filip wrote:
> No, not with these types of modules (conntrack/NAT helpers).
> We're only talking kernel code here. You need to run the
> correct iptables if you are adding match and target extensions.

When I try to restart and load the modules I get an error; I didn't copy
it, but it was something about "unresolved ... helper".
And I can't find any setting in "make config" so that it shall make the
helper in any way.

Do you know what I am talking about :)

/Rickard


From: Sneppe Filip
Subject: RE: PPTP
Date: Fri, 11 Oct 2002 19:23:18 +0200
To: Rickard Eriksson
Cc: netfilter@lists.netfilter.org

Hi,

Rickard Eriksson [mailto:riceri@home.se] wrote:
>
> When I try to restart and load the modules I get an error; I didn't copy
> it, but it was something about "unresolved ... helper".
> And I can't find any setting in "make config" so that it shall make the
> helper in any way.
>
> Do you know what I am talking about :)
>

Vaguely :-)

Are you loading the modules with "insmod" or with "modprobe"?
After a correct kernel compile you shouldn't get unresolved
symbols with modprobe. Although, IIRC, there is a dependency
thingie with the pptp conntracker (modprobe ip_?_pptp doesn't
trigger the loading of ip_?_proto_gre, I think).

Can you try the following for pptp, load any other modules
with modprobe instead of insmod, and report any problems:

    modprobe ip_conntrack_proto_gre
    modprobe ip_nat_proto_gre
    modprobe ip_conntrack_pptp
    modprobe ip_nat_pptp

This shouldn't give problems.

Regards,
Filip

From: Harald Welte
Subject: Re: PPTP
Date: Mon, 7 Apr 2003 23:08:37 +0200
To: Benny Butler
Cc: Netfilter Mailinglist

On Mon, Apr 07, 2003 at 11:17:36AM -0500, Benny Butler wrote:
> Harald,
>
> Please forgive me for my lack of knowledge, I'm not much of an
> iptables person. I have a client that I had to set up an iptables
> firewall for. They have a PPTP server on their internal network that I can
> get to, but only one client at a time can hook to it. I see your patch
> listed at:
> http://netfilter.kfki.hu/documentation/pomlist/pom-extra.html#pptp-conntrack-nat
> and am wondering if this would allow multiple connections to
> the server? Is that its intended function?

Yes, exactly. Please use the patch-o-matic system to apply this patch
and then load the modules ip_conntrack_proto_gre, ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp.

Please refer to the netfilter mailinglist(s) for further assistance.

> Thanks, Benny

--
- Harald Welte                                   http://www.gnumonks.org/
============================================================================
Programming is like sex: One mistake and you have to support it your lifetime


From: Ralf Braga
Subject: PPTP
Date: Tue, 28 Oct 2003 14:36:49 -0200
To: netfilter@lists.netfilter.org

Hi Friends,

I have a GNU/Linux gateway, Debian 3.0 rc1 with kernel 2.4.22, iptables
1.2.8-8 and freeswan 2.02, in São Paulo, and I have another Linux box in
Rio de Janeiro with Red Hat 6.2, ipchains and the pptp patch. Clients in
São Paulo have to connect to Rio de Janeiro through PPTP, and the problem
is that the server in Rio accepts only one connection.

In my firewall here in São Paulo I put only one rule, just to do the tests:

    iptables -t nat -A POSTROUTING -j MASQUERADE

The chains in my firewall are ACCEPT.

Do I have to enable any rule or patch in the kernel?

I would like to know what's going on, because the server in Rio just accepts
one connection. Is there something I should do? ... rules ... patch
in my kernel ...

Thank you very much


From: Daniel Chemko
Subject: RE: PPTP
Date: Tue, 28 Oct 2003 09:00:00 -0800
To: ralf@4linux.com.br, netfilter@lists.netfilter.org

I don't remember FreeSwan having PPTP, but if it does then great. Are you
sure it isn't L2TP that the clients are connecting with?

Anyway, you will have to modify your kernel with Patch-O-Matic from the
Netfilter CVS repository, and grab the userspace tools just in case you
need to use those with your newly created kernel. The support for
PPTP is still rather experimental. I haven't had problems with their
latest code, though.

Apply any patches in Patch-O-Matic that apply to pptp and GRE.
Recompile the kernel.
Build the userspace tools from CVS.
Reboot.

    # depmod
    # modprobe ip_conntrack_proto_gre
    # modprobe ip_conntrack_pptp
    # modprobe ip_nat_proto_gre
    # modprobe ip_nat_pptp

Ideally, this should allow for multiple PPTP clients through your
firewall at the same time.


From: Ralf Braga
Subject: Re: PPTP
Date: Tue, 28 Oct 2003 15:08:39 -0200
To: Daniel Chemko
Cc: netfilter@lists.netfilter.org

Thanks.

Ralf Braga


From: Jason Opperisano
Subject: Re: pptp
Date: Fri, 15 Oct 2004 10:10:36 -0400
To: netfilter@lists.netfilter.org

On Fri, Oct 15, 2004 at 01:39:14AM -0500, K. Shantanu wrote:
> Hi,
> I have just installed Mandrake Linux 10.0 (Official). Kernel used is 2.6.3-7mdksmp.
> I want to connect to my client's PPTP server from a Windows-based PPTP client.
> Are there any gotchas for the same? Or do I just need to open port 47 and 1723,
> protocol tcp for it?

Yes. If you are performing SNAT/MASQ for your entire internal network
on your gateway, it won't work. There is a PPTP conntrack and NAT module
in POM for this situation, but it will only compile against a 2.4 kernel.

One option would be to give the PPTP client a dedicated public IP and
perform a one-to-one SNAT/DNAT for that client and allow TCP 1723 and
IP protocol 47 outbound from that client and IP protocol 47 inbound to
that client from the PPTP server.

-j

--
Jason Opperisano


From: Jason Opperisano
Subject: Re: pptp
Date: Fri, 15 Oct 2004 15:19:00 -0400
To: netfilter@lists.netfilter.org

On Fri, Oct 15, 2004 at 11:25:41AM -0500, K. Shantanu wrote:
> * Jason Opperisano [041015 11:15]:
> > Yes. If you are performing SNAT/MASQ for your entire internal network
> > on your gateway, it won't work. There is a PPTP conntrack and NAT module
> > in POM for this situation, but it will only compile against a 2.4 kernel.
>
> Yes, I am performing MASQ for the entire network. Is there no way I can get
> it to work against the 2.6 series? I will have a lot of trouble downgrading
> the kernel. It is a live server.

I wasn't necessarily recommending that you downgrade to a 2.4
kernel, just pointing out that there's a "fancy" option available, but
it is 2.4-specific. I am unaware of any successful ports of the PPTP
modules from POM to the 2.6 kernel.

> > One option would be to give the PPTP client a dedicated public IP and
> > perform a one-to-one SNAT/DNAT for that client and allow TCP 1723 and
> > IP protocol 47 outbound from that client and IP protocol 47 inbound to
> > that client from the PPTP server.
>
> Can you please give an example of this, to be on the safe side? Is this something
> like,
> * I add eth0:1 on the Linux box and give it a public IP.
> * redirect all traffic to that IP from outside to the client running the pptp
> client? Will something like the below help?
> iptables -A PREROUTING -d -p tcp -m tcp --dport 47 -j DNAT --to-destination 192.168.10.99

I tried to point this out subtly in my first reply, but you are confusing
"IP protocol number 47" with TCP port 47. GRE is IP protocol number 47,
analogous to TCP being IP protocol number 6 or UDP being IP protocol 17...

    iptables -t nat -A PREROUTING -d -p 47 \
        -j DNAT --to-destination 192.168.10.99

> iptables -A PREROUTING -d -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.10.99

You don't need to forward TCP port 1723 to the client, but you do need
SNAT rules as well... or rule. I would do it like this:

    # new public IP for one-to-one NAT for PPTP client
    ip address add $PUBIP dev $OUTSIDE_IF

    # DNAT for PPTP client (PREROUTING/POSTROUTING live in the nat table)
    iptables -t nat -A PREROUTING -i $OUTSIDE_IF -d $PUBIP \
        -j DNAT --to-destination 192.168.10.99

    # SNAT for PPTP client
    iptables -t nat -A POSTROUTING -o $OUTSIDE_IF -s 192.168.10.99 \
        -j SNAT --to-source $PUBIP

    # outbound filter rules for PPTP client
    iptables -A FORWARD -s 192.168.10.99 -d $PPTP_SERVER \
        -p tcp --dport 1723 -j ACCEPT
    iptables -A FORWARD -s 192.168.10.99 -d $PPTP_SERVER \
        -p 47 -j ACCEPT

    # inbound filter rules for PPTP client
    iptables -A FORWARD -s $PPTP_SERVER -d 192.168.10.99 \
        -p 47 -j ACCEPT

And that should about cover it... unless I've made some sort of heinous
mistake that someone else would be so kind as to point out...

-j

--
Jason Opperisano


From: Ammad Shah
Subject: pptp
Date: Sat, 11 Aug 2007 12:59:19 +0500 (PKT)
To: netfilter@lists.netfilter.org

Dear all,

I am using Linux as a firewall and proxy server, and I have a problem
regarding Microsoft VPN. My network users connect to a Microsoft VPN
server. The problem is that only one user is able to connect to the VPN,
while others can't do so at the same time.

If I restart the firewall, then anyone can connect, first come first
served, but only one.
So I cleared all rules, set the default policy to ACCEPT, and used these rules:

    iptables -t nat -A POSTROUTING -i eth1 -s 10.0.0.0/24 -j MASQUERADE
    iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

I tried this on 2.6 (RHEL 5) and 2.4 (RHEL 3).


From: Rodrigo Montoro (Sp0oKeR)
Subject: Re: pptp
Date: Sun, 12 Aug 2007 18:41:03 -0300
To: Ammad Shah
Cc: netfilter@lists.netfilter.org

You need the ip_pptp_conntrack module enabled. Look at
http://www.wlug.org.nz/PPTPConnectionTracking

Regards,
Sp0oKeR

On 8/11/07, Ammad Shah wrote:
> The problem is that only one user is able to connect to the VPN,
> while others can't do so at the same time.

--
=========================
Rodrigo Ribeiro Montoro
BRConnection Development Team
spooker@brc.com.br
SnortCP / RHCE / LPIC-I
=========================


From: Pascal Hambourg
Subject: Re: pptp
Date: Mon, 13 Aug 2007 00:58:00 +0200
To: netfilter@lists.netfilter.org

Hello,

Rodrigo Montoro (Sp0oKeR) wrote:
> You need the ip_pptp_conntrack module enabled.

ip_conntrack_pptp, or nf_conntrack_pptp depending on the kernel version
and/or options. And probably ip_nat_pptp or nf_nat_pptp, as there seems to
be some NAT.
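Added example, not code from the netfilter project or from anyone in this thread. The problem that recurs above (Benny Butler, Ralf Braga, K. Shantanu and Ammad Shah all see one PPTP client at a time through a masquerading gateway) is a property of PPTP's data channel, and the Python model below shows it end to end: GRE v1 (IP protocol 47, RFC 2637) carries no port numbers, so a NAT box without a GRE/PPTP helper can only key a flow on (protocol, source, destination) and the second client's flow collides with the first; the helper path does what ip_conntrack_proto_gre, ip_conntrack_pptp and ip_nat_pptp do in the kernel, namely learn each client's Call ID from the Outgoing-Call-Request on TCP/1723, key the expected GRE reply flow on it and rewrite colliding Call IDs so the server sees a distinct one per client. The parse_gre function is also the concrete reason behind Jason's "-p 47" correction: there is no TCP port 47 in the packet to match. The addresses, Call IDs and packet bytes are constructed for the example; the client-to-server direction (keyed on the server's Call ID from the OCRP) is left out for brevity.

```python
"""Why a masquerading gateway passes only one PPTP client, modelled in Python.
Constructed example (not netfilter code): PPTP's data channel is GRE v1, IP
protocol 47 (RFC 2637). GRE has no ports; its only demultiplexing field is the
16-bit Call ID in the GRE key, announced on the TCP/1723 control channel."""
import struct

PPTP_MAGIC, PPTP_CTRL_MSG, OCRQ = 0x1A2B3C4D, 1, 7   # OCRQ = Outgoing-Call-Request
GRE_PROTO_PPP = 0x880B                               # payload type of PPTP GRE
GRE_K, GRE_S, GRE_VER = 0x2000, 0x1000, 0x0007        # key present, seq present, version mask

def build_ocrq(call_id, serial=1):
    """Outgoing-Call-Request (168 bytes); fields after the serial are zeroed."""
    body = struct.pack("!HH", call_id, serial) + bytes(152)
    return struct.pack("!HHIHH", 12 + len(body), PPTP_CTRL_MSG, PPTP_MAGIC, OCRQ, 0) + body

def parse_ocrq_call_id(msg):
    _, mtype, magic, ctype, _ = struct.unpack("!HHIHH", msg[:12])
    if (mtype, magic, ctype) != (PPTP_CTRL_MSG, PPTP_MAGIC, OCRQ):
        raise ValueError("not a PPTP Outgoing-Call-Request")
    return struct.unpack("!H", msg[12:14])[0]

def set_ocrq_call_id(msg, call_id):
    return msg[:12] + struct.pack("!H", call_id) + msg[14:]

def build_gre(call_id, payload, seq):
    """Enhanced GRE: K and S set, version 1, key = (payload length, Call ID)."""
    return struct.pack("!HHHHI", GRE_K | GRE_S | 1, GRE_PROTO_PPP, len(payload), call_id, seq) + payload

def parse_gre(pkt):
    """Return (call_id, payload_len). Note there is no port field to match on."""
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if flags & GRE_VER != 1 or proto != GRE_PROTO_PPP or not flags & GRE_K:
        raise ValueError("not PPTP enhanced GRE")
    return call_id, payload_len

def set_gre_call_id(pkt, call_id):
    return pkt[:6] + struct.pack("!H", call_id) + pkt[8:]

class NaiveNat:
    """MASQUERADE without a helper: the tuple for protocol 47 is just
    (proto, src, dst), so every client reaching one server shares one reply tuple."""
    def __init__(self, public_ip):
        self.public_ip, self.flows = public_ip, {}   # reply tuple -> owning client

    def outbound_gre(self, client, server):
        owner = self.flows.setdefault(("gre", server, self.public_ip), client)
        return owner == client   # False: no unique mapping exists, packet dropped

    def inbound_gre(self, server, pkt):
        parse_gre(pkt)           # the Call ID is there but plays no role
        return self.flows.get(("gre", server, self.public_ip))

class PptpHelperNat:
    """What ip_conntrack_pptp/ip_nat_pptp add: learn the Call ID from the OCRQ,
    key the expected GRE reply flow on (server, Call ID), and rewrite colliding
    Call IDs so the server sees a distinct one per client. (The client->server
    direction, keyed on the server's Call ID from the OCRP, is omitted.)"""
    def __init__(self, public_ip):
        self.public_ip, self.calls = public_ip, {}   # (server, public ID) -> (client, original ID)

    def outbound_control(self, client, server, msg):
        cid = pub = parse_ocrq_call_id(msg)
        while (server, pub) in self.calls:            # collision: pick a free ID
            pub = (pub + 1) & 0xFFFF
        self.calls[(server, pub)] = (client, cid)
        return set_ocrq_call_id(msg, pub)             # what the server receives

    def inbound_gre(self, server, pkt):
        call_id, _ = parse_gre(pkt)
        if (server, call_id) not in self.calls:
            return None, None                         # no expectation: drop
        client, cid = self.calls[(server, call_id)]
        return client, set_gre_call_id(pkt, cid)      # restore the client's own ID

def demo():
    """Two clients behind one public IP dial the same server; both choose
    Call ID 0 (constructed, but typical for freshly started Windows clients)."""
    server, public = "203.0.113.1", "198.51.100.2"
    clients = ["10.0.0.11", "10.0.0.12"]
    naive, helper = NaiveNat(public), PptpHelperNat(public)
    r = {"naive_first_client_ok": naive.outbound_gre(clients[0], server),
         "naive_second_client_ok": naive.outbound_gre(clients[1], server)}
    r["server_sees"] = [parse_ocrq_call_id(helper.outbound_control(c, server, build_ocrq(0)))
                        for c in clients]
    replies = [build_gre(cid, b"\x21\x45\x00\x00", seq) for seq, cid in enumerate(r["server_sees"], 1)]
    routed = [helper.inbound_gre(server, p) for p in replies]
    r["helper_delivers_to"] = [client for client, _ in routed]
    r["call_ids_restored"] = [parse_gre(p)[0] for _, p in routed]
    r["naive_delivers_to"] = [naive.inbound_gre(server, p) for p in replies]
    return r
```

demo() returns a dict: on the naive path the second client never gets a usable mapping and both server replies are handed to the first client, while on the helper path the server sees Call IDs 0 and 1, each reply is delivered to the right client, and the original Call ID is written back before forwarding. The same Call ID rewriting is why the helper has to see the control channel unencrypted: if TCP/1723 is tunnelled or encrypted, no expectation can be created and the GRE packets are dropped.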