RE: PPTP

RE: PPTP

[Daniel Chemko]

I don't remember FreeSwan having PPTP, but if it does then great. Are you sure it isn't L2TP that the clients are connecting with?

Anyways, you will have to modify your kernel with Patch-O-Matic from the Netfilter CVS repository, and grab the userspace tools just in case you need to use those ones with your newly created kernel. The support for PPTP is still rather experimental. I haven't had problems with their latest code though.

Apply any patches in Patch-O-Matic that apply to pptp and GRE.
Recompile kernel
Build Userspace tools from CVS
Reboot
# depmod
# modprobe ip_conntrack_proto_gre
# modprobe ip_conntrack_pptp
# modprobe ip_nat_proto_gre
# modprobe ip_nat_pptp


Ideally, this should allow for multiple PPTP clients through your firewall at the same time.


-----Original Message-----
From: Ralf Braga [mailto:ralf@4linux.com.br] 
Sent: Tuesday, October 28, 2003 8:37 AM
To: netfilter@lists.netfilter.org
Subject: PPTP

Hi Friends,

A have a Gateway Gnu/Linux, Debian 3.0 rc1  with kernel 2.4.22, iptables 
1.2.8-8 and freeswan 2.02 in São Paulo and i have another Linux in 
Rio-de-Janeiro with Red-Hat 6.2, ipchains and the path-pptp. Clients in 
São Paulo have to conect in Rio-de-Janeiro throught PPTP and the problem 
its that the Server in Rio accepts only one connection.

In my Firewall here in São Paulo i'm put only one rule just to do the tests:

iptables -t nat -A POSTROUTING -j MASQUERADE

The chains in my FIREWALL are ACCEPT

Have I enable any rule or patch in kernel ?

I would like to know whats going on, cause the server in RIO just ACCEPT 
one connection. There is something that should i do? ... rules... path 
in my kernel.....



Thank you very much

Re: PPTP

[Ralf Braga]

Thanks.

Ralf Braga

Daniel Chemko wrote:

>I don't remember FreeSwan having PPTP, but if it does then great. Are you sure it isn't L2TP that the clients are connecting with?
>
>Anyways, you will have to modify your kernel with Patch-O-Matic from the Netfilter CVS repository, and grab the userspace tools just in case you need to use those ones with your newly created kernel. The support for PPTP is still rather experimental. I haven't had problems with their latest code though.
>
>Apply any patches in Patch-O-Matic that apply to pptp and GRE.
>Recompile kernel
>Build Userspace tools from CVS
>Reboot
># depmod
># modprobe ip_conntrack_proto_gre
># modprobe ip_conntrack_pptp
># modprobe ip_nat_proto_gre
># modprobe ip_nat_pptp
>
>
>Ideally, this should allow for multiple PPTP clients through your firewall at the same time.
>
>
>-----Original Message-----
>From: Ralf Braga [mailto:ralf@4linux.com.br] 
>Sent: Tuesday, October 28, 2003 8:37 AM
>To: netfilter@lists.netfilter.org
>Subject: PPTP
>
>Hi Friends,
>
>A have a Gateway Gnu/Linux, Debian 3.0 rc1  with kernel 2.4.22, iptables 
>1.2.8-8 and freeswan 2.02 in São Paulo and i have another Linux in 
>Rio-de-Janeiro with Red-Hat 6.2, ipchains and the path-pptp. Clients in 
>São Paulo have to conect in Rio-de-Janeiro throught PPTP and the problem 
>its that the Server in Rio accepts only one connection.
>
>In my Firewall here in São Paulo i'm put only one rule just to do the tests:
>
>iptables -t nat -A POSTROUTING -j MASQUERADE
>
>The chains in my FIREWALL are ACCEPT
>
>Have I enable any rule or patch in kernel ?
>
>I would like to know whats going on, cause the server in RIO just ACCEPT 
>one connection. There is something that should i do? ... rules... path 
>in my kernel.....
>
>
>
>Thank you very much
>
>
>
>
>
>
>  
>

pptp

[Ammad Shah]

Dear all,

i am using linux as firewall and proxy server, having some problem
regarding Microsoft VPN,
my network users connect Microsoft vpn server. the problem is only one
user is able to connect vpn, while othere can't do this at same time.

if i restart firewall, then any one can connect on First come first
server. but only one.
so i clear all rules, and default policy to ACCEPT, and used this rule

iptables -t nat -A POSTROUTING -i eth1 -s 10.0.0.0/24 -j MASQUERADE
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

i try this on 2.6(rhel 5) and 2.4 (rhel3)

Re: pptp

[Rodrigo Montoro (Sp0oKeR)]

   you need ip_pptp_conntrack module enable.
   Look http://www.wlug.org.nz/PPTPConnectionTracking

Regards,

Sp0oKeR

On 8/11/07, Ammad Shah <ammads@khi.comsats.net.pk> wrote:
> Dear all,
>
> i am using linux as firewall and proxy server, having some problem
> regarding Microsoft VPN,
> my network users connect Microsoft vpn server. the problem is only one
> user is able to connect vpn, while othere can't do this at same time.
>
> if i restart firewall, then any one can connect on First come first
> server. but only one.
> so i clear all rules, and default policy to ACCEPT, and used this rule
>
> iptables -t nat -A POSTROUTING -i eth1 -s 10.0.0.0/24 -j MASQUERADE
> iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
>
> i try this on 2.6(rhel 5) and 2.4 (rhel3)
>
>


-- 
=========================
     Rodrigo Ribeiro Montoro
BRConnection Development Team
       spooker@brc.com.br
    SnortCP / RHCE / LPIC-I
=========================

Re: pptp

[Pascal Hambourg]

Hello,

Rodrigo Montoro (Sp0oKeR) a écrit :
>    you need ip_pptp_conntrack module enable.

ip_conntrack_pptp, or nf_conntrack_pptp depending on the kernel version 
and/or options.
And probably ip_nat_pptp or nf_nat_pptp, as there seems to be some NAT.

Re: pptp

[Jason Opperisano]

On Fri, Oct 15, 2004 at 01:39:14AM -0500, K. Shantanu  wrote:
> Hi,
> I have just installed Mandrake Linux 10.0 (Official). Kernel Used is  2.6.3-7mdksmp.
> I want to connect to my client's PPTP server from a windows based pptp client.
> Are there any gotchas for the same? Or do I just need to open port 47 and 1723, 
> protocol tcp for it?

yes--if your are performing SNAT/MASQ for your entire internal network
on your gateway, it won't work.  there is a PPTP conntrack and nat module
in POM for this situation, but it will only compile against a 2.4 kernel.

one option would be to give the PPTP client a dedicated public IP and
perform a one-to-one SNAT/DNAT for that client and allow TCP 1723 and
IP protocol 47 outbound from that client and IP protocol 47 inbound to
that client from the PPTP server.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: pptp

[Jason Opperisano]

On Fri, Oct 15, 2004 at 11:25:41AM -0500, K. Shantanu  wrote:
> * Jason Opperisano <opie@817west.com> [041015 11:15]:
> > yes--if your are performing SNAT/MASQ for your entire internal network
> > on your gateway, it won't work.  there is a PPTP conntrack and nat module
> > in POM for this situation, but it will only compile against a 2.4 kernel.
> 
> Yes, I am performing MASQ for entire network. Is there no way I can get
> it to work against 2.6 series? I will have a lot of troble downgrading
> the kernel. It is a live server.

i wasn't necessarily recommending that you downgrade to a 2.4
kernel--just pointing out that there's a "fancy" option available, but
it is 2.4-specific.  i am unaware of any successful ports of the PPTP
modules from POM to the 2.6 kernel.

> > one option would be to give the PPTP client a dedicated public IP and
> > perform a one-to-one SNAT/DNAT for that client and allow TCP 1723 and
> > IP protocol 47 outbound from that client and IP protocol 47 inbound to
> > that client from the PPTP server.
> 
> Can you please give an example of this to be on safe side?  Is this something 
> like,
> * I add eth0:1 on Linux box and give it an public IP.
> * redirect all traffic to that IP from ouside to the client having pptp 
> client? Will something like below help,
> iptables -A PREROUTING -d <ext ip> -p tcp -m tcp --dport 47 -j DNAT --to-destination 192.168.10.99

i tried to point this out subtly in my first reply--but you are
confusing "IP Protocol Number 47" with TCP Port 47.  GRE is IP protocol
number 47, analogous to TCP being IP protocol number 6 or UDP being IP
protocol 17...

  iptables -A PREROUTING -d <ext ip> -p 47 \
    -j DNAT --to-destination 192.168.10.99

> iptables -A PREROUTING -d <ext ip> -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.10.99

you don't need to forward TCP port 1723 to the client--but you do need
SNAT rules as well...or rule.  i would do it like this:

  # new public IP for one-to-one NAT for PPTP client
  ip address add $PUBIP dev $OUTSIDE_IF

  # DNAT for PPTP client
  iptables -A PREROUTING -i $OUTSIDE_IF -d $PUBIP
    -j DNAT --to-destination 192.168.10.99

  # SNAT for PPTP client
  iptables -A POSTROUTING -o $OUTSIDE_IF -s 192.168.10.99
    -j SNAT --to-source $PUBIP

  # outbound filter rules for PPTP client
  iptables -A FORWARD -s 192.168.10.99 -d $PPTP_SERVER \
    -p tcp --dport 1723 -j ACCEPT

  iptables -A FORWARD -s 192.168.10.99 -d $PPTP_SERVER \
    -p 47 -j ACCEPT
 
  # inbound filter rules for PPTP client
  iptables -A FORWARD -s $PPTP_SERVER -d 192.168.10.99 \
    -p 47 -j ACCEPT

and that should about cover it...unless i've some sort of heinous
mistake that someone else would be so kind as to point out...

-j
 
-- 
Jason Opperisano <opie@817west.com>

PPTP

[Ralf Braga]

Hi Friends,

A have a Gateway Gnu/Linux, Debian 3.0 rc1  with kernel 2.4.22, iptables 
1.2.8-8 and freeswan 2.02 in São Paulo and i have another Linux in 
Rio-de-Janeiro with Red-Hat 6.2, ipchains and the path-pptp. Clients in 
São Paulo have to conect in Rio-de-Janeiro throught PPTP and the problem 
its that the Server in Rio accepts only one connection.

In my Firewall here in São Paulo i'm put only one rule just to do the tests:

iptables -t nat -A POSTROUTING -j MASQUERADE

The chains in my FIREWALL are ACCEPT

Have I enable any rule or patch in kernel ?

I would like to know whats going on, cause the server in RIO just ACCEPT 
one connection. There is something that should i do? ... rules... path 
in my kernel.....



Thank you very much

Re: PPTP

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1093 bytes --]

On Mon, Apr 07, 2003 at 11:17:36AM -0500, Benny Butler wrote:
> Harald,
> 
>     Please forgive me for  my lack of knowledge, I'm not much of an
> iptables person.  I have a client that I had to set up an iptables
> firewall.  They have a PPTP server on their internal network that I can
> get to, but only one client at a time can hook to it.  I see your patch
> listed at :
> http://netfilter.kfki.hu/documentation/pomlist/pom-extra.html#pptp-connt
> rack-nat and am wondering if this would allow multiple connections to
> the server? Is that it's intended function?

yes, exactly.  Please use the patch-o-matic system to apply this patch
and then load the modules 'ip_conntrack_proto_gre, ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp'.  Please refer to the netfilter
mailinglist(s) for further assistance.

> Thanks, Benny

-- 
- Harald Welte <laforge@gnumonks.org>               http://www.gnumonks.org/
============================================================================
Programming is like sex: One mistake and you have to support it your lifetime

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

RE: PPTP

[Sneppe Filip]

[-- Attachment #1: Type: text/plain, Size: 952 bytes --]

Hi,

Rickard Eriksson [mailto:riceri@home.se] wrote:
>
>When i try to restart and load the modules i get a error, i didn't copy 
>it but it was something about "unresolved ... helper"
>And i can't find any setting in "make config" so that it shall make the 
>helper in any way.
>
>Do you know what i am talking  about :)
>

Vaguely :-)

Are you loading the modules with "insmod" or with "modprobe" ?
After a correct kernel compile you shouldn't get unresolved
symbols with modprobe. Although, iirc, there is a dependency
thingie with the pptp conntracker (modprobe ip_?_pptp doesn't
trigger the loading of ip_?_proto_gre, I think).

Can you try the following for pptp and load any other modules
with modprobe instead of insmod and report any problems:

modprobe ip_conntrack_proto_gre
modprobe ip_nat_proto_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp

This shouldn't give problems.

Regards,
Filip








[-- Attachment #2: Type: text/html, Size: 1557 bytes --]

RE: PPTP

[Sneppe Filip]

[-- Attachment #1: Type: text/plain, Size: 337 bytes --]

Rickard Eriksson [mailto:riceri@home.se] wrote:
>
>
>Do i need newest iptables to get the modules to work?
>

Hi,

No, not with these types of modules (conntrack/nat helpers).
We're only talking kernel code here. You need to run the
correct iptables if you are adding match and target extensions.

Regards,
Filip






[-- Attachment #2: Type: text/html, Size: 807 bytes --]

Re: PPTP

[Rickard Eriksson]

Sneppe Filip wrote:

> Rickard Eriksson [mailto:riceri@home.se] wrote:
> >
> >
> >Do i need newest iptables to get the modules to work?
> >
>
> Hi,
>
> No, not with these types of modules (conntrack/nat helpers).
> We're only talking kernel code here. You need to run the
> correct iptables if you are adding match and target extensions.
>
> Regards,
> Filip
>
>
>
>
When i try to restart and load the modules i get a error, i didn't copy 
it but it was something about "unresolved ... helper"
And i can't find any setting in "make config" so that it shall make the 
helper in any way.

Do you know what i am talking  about :)

/Rickard

RE: PPTP

[Sneppe Filip]

[-- Attachment #1: Type: text/plain, Size: 1160 bytes --]

Rickard Eriksson [mailto:riceri@home.se] wrote:
>
>The z-newnet patch? I can't install that patch.
>
>BTW, this is the first time i am patching a kernel.
>

Hi Rickard,

What kernel version are you working from ? 
Basically, newnat is a new API for writing connection tracking/nat
modules.

The patch has been sitting in p-o-m for a long time now, and all the
modules from recent iptables have been converted to work with newnat
and don't apply on kernels witout newnat.

Newnat has been included in the early 2.4.20-pre kernels, so from 
2.4.20 (or the -pre releases if you don't mind running these) onwards,
there will be no need to patch the kernel with newnat support anymore
before adding conntrackers.

Now, if you're working from a pre-2.4.20 kernel, you need to download
iptables or check out CVS, then from the patch-o-matic directory
run "./runme *" and apply the newnat patch before trying any 
conntrackers. That sould do the trick. You may need to apply some
additional stuff. IIRC, the pptp patch also needs an "unregister"
fix of some kind that's probably in p-o-m/pending or /submitted.

Good luck,
Filip





[-- Attachment #2: Type: text/html, Size: 1714 bytes --]

Re: PPTP

[Rickard Eriksson]

Sneppe Filip wrote:

> Rickard Eriksson [mailto:riceri@home.se] wrote:
> >
> >The z-newnet patch? I can't install that patch.
> >
> >BTW, this is the first time i am patching a kernel.
> >
>
> Hi Rickard,
>
> What kernel version are you working from ?
> Basically, newnat is a new API for writing connection tracking/nat
> modules.
>
> The patch has been sitting in p-o-m for a long time now, and all the
> modules from recent iptables have been converted to work with newnat
> and don't apply on kernels witout newnat.
>
> Newnat has been included in the early 2.4.20-pre kernels, so from
> 2.4.20 (or the -pre releases if you don't mind running these) onwards,
> there will be no need to patch the kernel with newnat support anymore
> before adding conntrackers.
>
> Now, if you're working from a pre-2.4.20 kernel, you need to download
> iptables or check out CVS, then from the patch-o-matic directory
> run "./runme *" and apply the newnat patch before trying any
> conntrackers. That sould do the trick. You may need to apply some
> additional stuff. IIRC, the pptp patch also needs an "unregister"
> fix of some kind that's probably in p-o-m/pending or /submitted.
>
> Good luck,
> Filip
>
>
>

Well i want to install 2.4.19.

I have installed conntrack+nat-helper-unregister and then i could
install znewnat-16 and then i could install pptp conntrack module.

I hope it will work when i have build the kernel.

Thanks for all your help!!!

/ Rickard

Re: PPTP

[Rickard Eriksson]

Rickard Eriksson wrote:

> Sneppe Filip wrote:
>
>> Rickard Eriksson [mailto:riceri@home.se] wrote:
>> >
>> >The z-newnet patch? I can't install that patch.
>> >
>> >BTW, this is the first time i am patching a kernel.
>> >
>>
>> Hi Rickard,
>>
>> What kernel version are you working from ?
>> Basically, newnat is a new API for writing connection tracking/nat
>> modules.
>>
>> The patch has been sitting in p-o-m for a long time now, and all the
>> modules from recent iptables have been converted to work with newnat
>> and don't apply on kernels witout newnat.
>>
>> Newnat has been included in the early 2.4.20-pre kernels, so from
>> 2.4.20 (or the -pre releases if you don't mind running these) onwards,
>> there will be no need to patch the kernel with newnat support anymore
>> before adding conntrackers.
>>
>> Now, if you're working from a pre-2.4.20 kernel, you need to download
>> iptables or check out CVS, then from the patch-o-matic directory
>> run "./runme *" and apply the newnat patch before trying any
>> conntrackers. That sould do the trick. You may need to apply some
>> additional stuff. IIRC, the pptp patch also needs an "unregister"
>> fix of some kind that's probably in p-o-m/pending or /submitted.
>>
>> Good luck,
>> Filip
>>
>>
>>
>
> Well i want to install 2.4.19.
>
> I have installed conntrack+nat-helper-unregister and then i could
> install znewnat-16 and then i could install pptp conntrack module.
>
> I hope it will work when i have build the kernel.
>
> Thanks for all your help!!!
>
> / Rickard
>
>
>
>
Do i need newest iptables to get the modules to work?

RE: PPTP

[Sneppe Filip]

[-- Attachment #1: Type: text/plain, Size: 826 bytes --]

Rickard,

>When i try to install the pptp-conntrack module i get this error:
>
>Testing patch extra/pptp-conntrack-nat.patch...
>    Placed new Config.in line
>    Placed new Configure.help entry
>    Placed new Makefile line
>    Placed new Makefile line
>    Placed new ip_conntrack.h line
>    Placed new ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>Could not find place to slot in ip_conntrack.h line
>TEST FAILED: patch NOT applied.
>
>
>anyone know whats wrong?

You *are* applying this to a kernel with newnat support, aren't you ?

Regards,
Filip



[-- Attachment #2: Type: text/html, Size: 1431 bytes --]

Re: PPTP

[Rickard Eriksson]

Sneppe Filip wrote:

> Rickard,
>
> >When i try to install the pptp-conntrack module i get this error:
> >
> >Testing patch extra/pptp-conntrack-nat.patch...
> >    Placed new Config.in line
> >    Placed new Configure.help entry
> >    Placed new Makefile line
> >    Placed new Makefile line
> >    Placed new ip_conntrack.h line
> >    Placed new ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >Could not find place to slot in ip_conntrack.h line
> >TEST FAILED: patch NOT applied.
> >
> >
> >anyone know whats wrong?
>
> You *are* applying this to a kernel with newnat support, aren't you ?
>
> Regards,
> Filip
>
The z-newnet patch? I can't install that patch.

BTW, this is the first time i am patching a kernel.

/Rickard

PPTP

[Rickard Eriksson]

When i try to install the pptp-conntrack module i get this error:

Testing patch extra/pptp-conntrack-nat.patch...
    Placed new Config.in line
    Placed new Configure.help entry
    Placed new Makefile line
    Placed new Makefile line
    Placed new ip_conntrack.h line
    Placed new ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
Could not find place to slot in ip_conntrack.h line
TEST FAILED: patch NOT applied.



anyone know whats wrong?