Configuring netfilter for pptp connections

Configuring netfilter for pptp connections

[Harold Pritchett]

Sorry if this is a FAQ.  Searching the archives is very
difficult.

I have a small LAN, connected to the Internet via a Red
Hat Fedora Core 3 firewall running netfilter.  I would like
to run the Microsoft VPN software on a windows machine
on this network and connect to a VPN server located on
the Internet side of the firewall.  The windows server
uses NAT to connect to the Internet.

I configured the VPN client while it was directly on the
Internet, and it works fine.  When I try to connect from
behind the firewall it fails to connect.

Searching for help on the Internet has not been very
productive.  Everything I can find on the net is very old.
Linux kernels 2.2 and 2.4.  I'm currently running 2.6.12 with
iptables 1.2.11.


-- 
Harold Pritchett
harold@uga.edu                                +1.706.546.0692
pgp public key: http://www.arches.uga.edu/~harold/pgpkey.html

"The Internet is for porn.
  The Internet is for porn.
  Why you think the net was born?
  Porn! Porn! Porn!"
		Trekkie Monster
		Avenue Q

Re: Configuring netfilter for pptp connections

[Rob Sterenborg]

On Tue, May 23, 2006 01:30, Harold Pritchett wrote:
> Sorry if this is a FAQ.  Searching the archives is very
> difficult.
>
> I have a small LAN, connected to the Internet via a Red
> Hat Fedora Core 3 firewall running netfilter.  I would like
> to run the Microsoft VPN software on a windows machine on this network and
> connect to a VPN server located on the Internet side of the firewall.  The
> windows server uses NAT to connect to the Internet.
>
> I configured the VPN client while it was directly on the
> Internet, and it works fine.  When I try to connect from
> behind the firewall it fails to connect.
>
> Searching for help on the Internet has not been very
> productive.  Everything I can find on the net is very old. Linux kernels 2.2
> and 2.4.  I'm currently running 2.6.12 with iptables 1.2.11.

From this I take it that the PPTP server is not behind a NAT situation. You
need to allow both port 1723/tcp and the GRE protocol (proto 47). You also may
need to compile additional Netfilter PPTP modules if they are not included
with your FC3 kernel.


Gr,
Rob

RE: Configuring netfilter for pptp connections

[Sietse van Zanen]

PPTP modules are included in FC3. You just need to load them.
 
Do realize however, that PPTP/GRE connections are NOT considered safe. So it might be better to implement IPSEC, which only uses a single UDP port, but is a lot harder to set up in windows.
 
For PPTP/GRE to work you need to add two rules:
1 for the PPTP connection (TCP Port 1723) and 1 for the GRE Protocol (IP proto 47).
 
If you want your machine to connect to a PPTP server on the Internet, allow PPTP OUTBOUND towards that server and GRE INBOUND from that server.
If you want a client on the Internet connect to your PPTP server, allow both PPTP and GRE INBOUND to your server.
 
When you search the Internet better include GRE in your search.
 
 
-Sietse

________________________________

From: netfilter-bounces@lists.netfilter.org on behalf of Rob Sterenborg
Sent: Tue 23-May-06 10:24
To: netfilter@lists.netfilter.org
Subject: Re: Configuring netfilter for pptp connections



On Tue, May 23, 2006 01:30, Harold Pritchett wrote:
> Sorry if this is a FAQ.  Searching the archives is very
> difficult.
>
> I have a small LAN, connected to the Internet via a Red
> Hat Fedora Core 3 firewall running netfilter.  I would like
> to run the Microsoft VPN software on a windows machine on this network and
> connect to a VPN server located on the Internet side of the firewall.  The
> windows server uses NAT to connect to the Internet.
>
> I configured the VPN client while it was directly on the
> Internet, and it works fine.  When I try to connect from
> behind the firewall it fails to connect.
>
> Searching for help on the Internet has not been very
> productive.  Everything I can find on the net is very old. Linux kernels 2.2
> and 2.4.  I'm currently running 2.6.12 with iptables 1.2.11.

From this I take it that the PPTP server is not behind a NAT situation. You
need to allow both port 1723/tcp and the GRE protocol (proto 47). You also may
need to compile additional Netfilter PPTP modules if they are not included
with your FC3 kernel.


Gr,
Rob

Re: Configuring netfilter for pptp connections

[Pascal Hambourg]

Hello,

Sietse van Zanen a écrit :
> For PPTP/GRE to work you need to add two rules:
> 1 for the PPTP connection (TCP Port 1723) and 1 for the GRE Protocol (IP proto 47).
>  
> If you want your machine to connect to a PPTP server on the Internet,
> allow PPTP OUTBOUND towards that server and GRE INBOUND from that server.
> If you want a client on the Internet connect to your PPTP server,
> allow both PPTP and GRE INBOUND to your server.

According to this, neither the client or the server are allowed to 
establish an outbound GRE connection. How can this work ?